Add files via upload

vxunderground
2020-10-11 00:53:07 -05:00
committed by GitHub
parent ad3ed5a13f
commit a6dbe47b59
24 changed files with 3744 additions and 0 deletions
@@ -0,0 +1,93 @@
using System;
using System.Runtime.InteropServices;
namespace SharpHellsGate.Win32 {
/// <summary>
/// Contains all the delegates used to execute the system calls.
/// </summary>
public class DFunctions {
/// <summary>
/// Managed wrapper around the NtAllocateVirtualMemory native Windows function
/// </summary>
/// <param name="ProcessHandle">A handle for the process for which the mapping should be done.</param>
/// <param name="BaseAddress">A pointer to a variable that will receive the base address of the allocated region of pages.</param>
/// <param name="ZeroBits">The number of high-order address bits that must be zero in the base address of the section view.</param>
/// <param name="RegionSize">A pointer to a variable that will receive the actual size, in bytes, of the allocated region of pages.</param>
/// <param name="AllocationType">A bitmask containing flags that specify the type of allocation to be performed for the specified region of pages.</param>
/// <param name="Protect">A bitmask containing page protection flags that specify the protection desired for the committed region of pages.</param>
/// <returns>NtAllocateVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate uint NtAllocateVirtualMemory(
IntPtr ProcessHandle,
ref IntPtr BaseAddress,
IntPtr ZeroBits,
ref IntPtr RegionSize,
UInt32 AllocationType,
UInt32 Protect
);
/// <summary>
/// Managed wrapper around the NtProtectVirtualMemory native Windows function.
/// </summary>
/// <param name="ProcessHandle">Handle to Process Object opened with PROCESS_VM_OPERATION access.</param>
/// <param name="BaseAddress">Pointer to base address to protect. Protection will change on all page containing specified address. On output, BaseAddress will point to page start address.</param>
/// <param name="NumberOfBytesToProtect">Pointer to size of region to protect. On output will be round to page size (4KB).</param>
/// <param name="NewAccessProtection">One or some of PAGE_... attributes.</param>
/// <param name="OldAccessProtection">Receive previous protection.</param>
/// <returns>NtProtectVirtualMemory returns either STATUS_SUCCESS or an error status code.</returns>
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate uint NtProtectVirtualMemory(
IntPtr ProcessHandle,
ref IntPtr BaseAddress,
ref IntPtr RegionSize,
UInt32 NewProtect,
out UInt32 OldProtect
);
/// <summary>
/// Managed wrapper around the NtCreateThreadEx native Windows function.
/// </summary>
/// <param name="hThread">Caller supplied storage for the resulting handle.</param>
/// <param name="DesiredAccess">Specifies the allowed or desired access to the thread.</param>
/// <param name="ObjectAttributes">Initialized attributes for the object.</param>
/// <param name="ProcessHandle">Handle to the threads parent process.</param>
/// <param name="lpStartAddress">Address of the function to execute.</param>
/// <param name="lpParameter">Parameters to pass to the function.</param>
/// <param name="CreateSuspended">Whether the thread will be in suspended mode and has to be resumed later.</param>
/// <param name="StackZeroBits"></param>
/// <param name="SizeOfStackCommit">Initial stack memory to commit.</param>
/// <param name="SizeOfStackReserve">Initial stack memory to reserve.</param>
/// <param name="lpBytesBuffer"></param>
/// <returns>NtCreateThreadEx returns either STATUS_SUCCESS or an error status code.</returns>
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate uint NtCreateThreadEx(
ref IntPtr hThread,
uint DesiredAccess,
IntPtr ObjectAttributes,
IntPtr ProcessHandle,
IntPtr lpStartAddress,
IntPtr lpParameter,
bool CreateSuspended,
uint StackZeroBits,
uint SizeOfStackCommit,
uint SizeOfStackReserve,
IntPtr lpBytesBuffer
);
/// <summary>
/// Managed wrapper around the NtWaitForSingleObject native Windows function.
/// </summary>
/// <param name="ObjectHandle">Open handle to a alertable executive object.</param>
/// <param name="Alertable">If set, calling thread is signaled, so all queued APC routines are executed.</param>
/// <param name="TimeOuts">Time-out interval, in microseconds. NULL means infinite.</param>
/// <returns>NtWaitForSingleObject returns either STATUS_SUCCESS or an error status code.</returns>
[UnmanagedFunctionPointer(CallingConvention.StdCall)]
public delegate uint NtWaitForSingleObject(
IntPtr ObjectHandle,
bool Alertable,
ref Structures.LARGE_INTEGER TimeOut
);
}
}
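Review bot: The XML `<param>` names on two of these delegates do not match the declared parameters, so the documentation does not bind to the signatures: NtProtectVirtualMemory documents `NumberOfBytesToProtect`, `NewAccessProtection` and `OldAccessProtection` while the parameters are `RegionSize`, `NewProtect` and `OldProtect`, and NtWaitForSingleObject documents `TimeOuts` for `TimeOut`. The `TimeOut` description is also inaccurate, because the native value is expressed in 100-nanosecond units rather than microseconds, and a parameter declared `ref Structures.LARGE_INTEGER` cannot be given the NULL that the comment describes as an infinite wait. `StackZeroBits` and `lpBytesBuffer` on NtCreateThreadEx have empty descriptions. I would rename the tags to the real parameter names and reword the timeout line as `Time-out in 100-nanosecond units; passed by reference here, so the NULL (infinite) form is not available.`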
@@ -0,0 +1,78 @@
using System;
namespace SharpHellsGate.Win32 {
/// <summary>
/// Windows Macros used for error and success codes and bitmasks.
/// </summary>
public static class Macros {
// NTSTATUS
public static bool NT_SUCCESS(UInt32 ntstatus) => ntstatus <= 0x3FFFFFFF;
public static bool NT_INFORMATION(UInt32 ntstatus) => ntstatus >= 0x40000000 && ntstatus <= 0x7FFFFFFF;
public static bool NT_WARNING(UInt32 ntstatus) => ntstatus >= 0x80000000 && ntstatus <= 0xBFFFFFFF;
public static bool NT_ERROR(UInt32 ntstatus) => ntstatus >= 0xC0000000 && ntstatus <= 0xFFFFFFFF;
// Common NTSTATUS
public static UInt32 STATUS_SUCCESS { get; } = 0x00000000;
public static UInt32 STATUS_UNSUCCESSFUL { get; } = 0xC0000001;
public static UInt32 STATUS_NOT_IMPLEMENTED { get; } = 0xC0000002;
// Portable Executable
public static Int16 IMAGE_DOS_SIGNATURE { get; } = 0x5a00 | 0x4D; // MZ
public static Int32 IMAGE_NT_SIGNATURE { get; } = 0x00004500 | 0x00000050; // PE00
// Pseudo-Handles
public static IntPtr GetCurrentProcess() => new IntPtr(-1);
public static IntPtr GetCurrentThread() => new IntPtr(-2);
public static IntPtr GetCurrentProcessToken() => new IntPtr(-4);
public static IntPtr GetCurrentThreadToken() => new IntPtr(-5);
public static IntPtr GetCurrentThreadEffectiveToken() => new IntPtr(-6);
// Page and Memory permissions
public static UInt32 PAGE_NOACCESS { get; } = 0x01;
public static UInt32 PAGE_READONLY { get; } = 0x02;
public static UInt32 PAGE_READWRITE { get; } = 0x04;
public static UInt32 PAGE_WRITECOPY { get; } = 0x08;
public static UInt32 PAGE_EXECUTE { get; } = 0x10;
public static UInt32 PAGE_EXECUTE_READ { get; } = 0x20;
public static UInt32 PAGE_EXECUTE_READWRITE { get; } = 0x40;
public static UInt32 PAGE_EXECUTE_WRITECOPY { get; } = 0x80;
public static UInt32 PAGE_GUARD { get; } = 0x100;
public static UInt32 PAGE_NOCACHE { get; } = 0x200;
public static UInt32 PAGE_WRITECOMBINE { get; } = 0x400;
public static UInt32 PAGE_GRAPHICS_NOACCESS { get; } = 0x0800;
public static UInt32 PAGE_GRAPHICS_READONLY { get; } = 0x1000;
public static UInt32 PAGE_GRAPHICS_READWRITE { get; } = 0x2000;
public static UInt32 PAGE_GRAPHICS_EXECUTE { get; } = 0x4000;
public static UInt32 PAGE_GRAPHICS_EXECUTE_READ { get; } = 0x8000;
public static UInt32 PAGE_GRAPHICS_EXECUTE_READWRITE { get; } = 0x10000;
public static UInt32 PAGE_GRAPHICS_COHERENT { get; } = 0x20000;
public static UInt32 PAGE_ENCLAVE_THREAD_CONTROL { get; } = 0x80000000;
public static UInt32 PAGE_REVERT_TO_FILE_MAP { get; } = 0x80000000;
public static UInt32 PAGE_TARGETS_NO_UPDATE { get; } = 0x40000000;
public static UInt32 PAGE_TARGETS_INVALID { get; } = 0x40000000;
public static UInt32 PAGE_ENCLAVE_UNVALIDATED { get; } = 0x20000000;
public static UInt32 PAGE_ENCLAVE_DECOMMIT { get; } = 0x10000000;
public static UInt32 MEM_COMMIT { get; } = 0x00001000;
public static UInt32 MEM_RESERVE { get; } = 0x00002000;
public static UInt32 MEM_REPLACE_PLACEHOLDER { get; } = 0x00004000;
public static UInt32 MEM_RESERVE_PLACEHOLDER { get; } = 0x00040000;
public static UInt32 MEM_RESET { get; } = 0x00080000 ;
public static UInt32 MEM_TOP_DOWN { get; } = 0x00100000;
public static UInt32 MEM_WRITE_WATCH { get; } = 0x00200000;
public static UInt32 MEM_PHYSICAL { get; } = 0x00400000;
public static UInt32 MEM_ROTATE { get; } = 0x00800000;
public static UInt32 MEM_DIFFERENT_IMAGE_BASE_OK { get; } = 0x00800000;
public static UInt32 MEM_RESET_UNDO { get; } = 0x01000000;
public static UInt32 MEM_LARGE_PAGES { get; } = 0x20000000;
public static UInt32 MEM_4MB_PAGES { get; } = 0x80000000;
public static UInt32 MEM_64K_PAGES { get; } = (MEM_LARGE_PAGES | MEM_PHYSICAL);
public static UInt32 MEM_UNMAP_WITH_TRANSIENT_BOOST { get; } = 0x00000001;
public static UInt32 MEM_COALESCE_PLACEHOLDERS { get; } = 0x00000001;
public static UInt32 MEM_PRESERVE_PLACEHOLDER { get; } = 0x00000002;
public static UInt32 MEM_DECOMMIT { get; } = 0x00004000;
public static UInt32 MEM_RELEASE { get; } = 0x00008000;
public static UInt32 MEM_FREE { get; } = 0x00010000;
}
}
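Review bot: `NT_SUCCESS` at the top of the NTSTATUS group returns false for informational codes (0x40000000 to 0x7FFFFFFF), whereas the Windows macro of the same name treats every non-negative NTSTATUS, success and informational alike, as success. Callers that branch on this helper will report a failure for results the native macro accepts. Either widen it, `public static bool NT_SUCCESS(UInt32 ntstatus) => ntstatus <= 0x7FFFFFFF;`, or rename it so the narrower meaning is explicit. The `ntstatus <= 0xFFFFFFFF` half of `NT_ERROR` is always true for a UInt32 and can be dropped.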
@@ -0,0 +1,128 @@
using System;
using System.Runtime.InteropServices;
namespace SharpHellsGate.Win32 {
public static class Structures {
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_DOS_HEADER {
public UInt16 e_magic; /*+0x000*/
public UInt16 e_cblp; /*+0x002*/
public UInt16 e_cp; /*+0x004*/
public UInt16 e_crlc; /*+0x006*/
public UInt16 e_cparhdr; /*+0x008*/
public UInt16 e_minalloc; /*+0x00a*/
public UInt16 e_maxalloc; /*+0x00c*/
public UInt16 e_ss; /*+0x00e*/
public UInt16 e_sp; /*+0x010*/
public UInt16 e_csum; /*+0x012*/
public UInt16 e_ip; /*+0x014*/
public UInt16 e_cs; /*+0x016*/
public UInt16 e_lfarlc; /*+0x018*/
public UInt16 e_ovno; /*+0x01a*/
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
public UInt16[] e_res; /*+0x01c*/
public UInt16 e_oemid; /*+0x024*/
public UInt16 e_oeminfo; /*+0x026*/
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
public UInt16[] e_res2; /*+0x028*/
public UInt32 e_lfanew; /*+0x03c*/
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_FILE_HEADER {
public UInt16 Machine; /*+0x000*/
public UInt16 NumberOfSections; /*+0x002*/
public UInt32 TimeDateStamp; /*+0x004*/
public UInt32 PointerToSymbolTable; /*+0x008*/
public UInt32 NumberOfSymbols; /*+0x00c*/
public UInt16 SizeOfOptionalHeader; /*+0x010*/
public UInt16 Characteristics; /*+0x012*/
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_DATA_DIRECTORY {
public UInt32 VirtualAddress; /*+0x000*/
public UInt32 Size; /*+0x004*/
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_OPTIONAL_HEADER64 {
public UInt16 Magic; /*+0x000*/
public Byte MajorLinkerVersion; /*+0x002*/
public Byte MinorLinkerVersion; /*+0x003*/
public UInt32 SizeOfCode; /*+0x004*/
public UInt32 SizeOfInitializedDatal; /*+0x008*/
public UInt32 SizeOfUninitializedData; /*+0x00c*/
public UInt32 AddressOfEntryPoint; /*+0x010*/
public UInt32 BaseOfCode; /*+0x014*/
public UInt64 ImageBasel; /*+0x018*/
public UInt32 SectionAlignment; /*+0x020*/
public UInt32 FileAlignment; /*+0x024*/
public UInt16 MajorOperatingSystemVersion; /*+0x028*/
public UInt16 MinorOperatingSystemVersion; /*+0x02a*/
public UInt16 MajorImageVersion; /*+0x02c*/
public UInt16 MinorImageVersion; /*+0x02e*/
public UInt16 MajorSubsystemVersion; /*+0x030*/
public UInt16 MinorSubsystemVersion; /*+0x032*/
public UInt32 Win32VersionValue; /*+0x034*/
public UInt32 SizeOfImage; /*+0x038*/
public UInt32 SizeOfHeaders; /*+0x03c*/
public UInt32 CheckSum; /*+0x040*/
public UInt16 Subsystem; /*+0x044*/
public UInt16 DllCharacteristics; /*+0x046*/
public UInt64 SizeOfStackReserve; /*+0x048*/
public UInt64 SizeOfStackCommit; /*+0x050*/
public UInt64 SizeOfHeapReserve; /*+0x058*/
public UInt64 SizeOfHeapCommit; /*+0x060*/
public UInt32 LoaderFlags; /*+0x068*/
public UInt32 NumberOfRvaAndSizes; /*+0x06c*/
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public IMAGE_DATA_DIRECTORY[] DataDirectory; /*+0x070*/
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_NT_HEADERS64 {
public UInt32 Signature; /*+0x000*/
public IMAGE_FILE_HEADER FileHeader; /*+0x004*/
public IMAGE_OPTIONAL_HEADER64 OptionalHeader; /*+0x018*/
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_EXPORT_DIRECTORY {
public UInt32 Characteristics; /*+0x000*/
public UInt32 TimeDateStamp; /*+0x004*/
public UInt16 MajorVersion; /*+0x008*/
public UInt16 MinorVersion; /*+0x00a*/
public UInt32 Name; /*+0x00c*/
public UInt32 Base; /*+0x010*/
public UInt32 NumberOfFunctions; /*+0x014*/
public UInt32 NumberOfNames; /*+0x018*/
public UInt32 AddressOfFunctions; /*+0x01c*/
public UInt32 AddressOfNames; /*+0x020*/
public UInt32 AddressOfNameOrdinals; /*+0x024*/
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct IMAGE_SECTION_HEADER {
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 8)]
public string Name; /*+0x000*/
public UInt32 Misc; /*+0x008*/
public UInt32 VirtualAddress; /*+0x00c*/
public UInt32 SizeOfRawData; /*+0x010*/
public UInt32 PointerToRawData; /*+0x014*/
public UInt32 PointerToRelocations; /*+0x018*/
public UInt32 PointerToLinenumbers; /*+0x01c*/
public UInt16 NumberOfRelocations; /*+0x020*/
public UInt16 NumberOfLinenumbers; /*+0x022*/
public UInt32 Characteristics; /*+0x024*/
}
[StructLayout(LayoutKind.Explicit, Size = 1)]
public struct LARGE_INTEGER {
[FieldOffset(0)] public Int64 QuadPart; /*+0x000*/
[FieldOffset(0)] public UInt32 LowPart; /*+0x000*/
[FieldOffset(4)] public UInt32 HighPart; /*+0x004*/
}
}
}
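Review bot: `LARGE_INTEGER` is declared with `[StructLayout(LayoutKind.Explicit, Size = 1)]` although its fields span eight bytes (`QuadPart` at offset 0, `HighPart` at offset 4); the StructLayout documentation requires `Size` to be at least the total size of the members, so this should be `Size = 8` or the argument should be dropped. `HighPart` is also unsigned here, while the native LARGE_INTEGER has a signed high part, which matters when the value is negative. In `IMAGE_SECTION_HEADER`, `Name` is marshalled as `ByValTStr` with `SizeConst = 8`; that marshalling reserves room for a terminator, so a full eight-character section name is likely to be truncated, and `[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] public byte[] Name;` would keep all eight bytes. The field names `SizeOfInitializedDatal` and `ImageBasel` in `IMAGE_OPTIONAL_HEADER64` look like typos for `SizeOfInitializedData` and `ImageBase`.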