Open
Description
I'm trying to add ZwReadVirtualMemory, but I keep getting the following error:
// Fragment of the system-call number table: the outer key is a Windows build label and the
// inner dictionary maps a short operation name to a one-byte call number for that build.
// These numbers are not a stable interface and differ between builds, so an entry is only
// meaningful for the build it is filed under.
{ "win10-1903-9", new Dictionary<string, byte>()
    {
        // ...
        { "readvirtualmem", 0x3F}, // https://j00ru.vexillium.org/syscalls/nt/64/
        { "writevirtualmem", 0x3A},
        // ...
    }
},

// Delegate type through which the patched stub is invoked as a native function pointer.
// NOTE(review): lpBaseAddress is declared by value here but as `ref IntPtr` on the wrapper
// below, and lpBuffer is `ref IntPtr` in both. A `ref` parameter marshals the address of the
// managed variable, not the value stored in it. Confirm every parameter against the native
// prototype before relying on the result.
[SuppressUnmanagedCodeSecurity]
[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
public delegate int ZwReadVirtualMemory(IntPtr hProcess, IntPtr lpBaseAddress, ref IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesRead);

// Wrapper that patches the call number for `os` into the stub bytes, makes those bytes
// executable, and calls them through the delegate above. Returns the stub's int result cast
// to NTSTATUS. Throws Win32Exception when the protection change fails.
// presumably sysDic is the table shown above; the Dictionary indexer throws
// KeyNotFoundException for a build label or operation name that is not present.
public static NTSTATUS ZwReadVirtualMemory(IntPtr hProcess, ref IntPtr lpBaseAddress, ref IntPtr lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesRead, string os) {
    // This assigns a reference, not a copy: the write to index 4 below changes the shared
    // syscallSkeleton array for every other user of it.
    byte[] syscall = syscallSkeleton;
    syscall[4] = sysDic[os]["readvirtualmem"];
    unsafe {
        // Pin the array so its address stays valid while it is used as a code pointer.
        fixed (byte* ptr = syscall) {
            IntPtr memoryAddress = (IntPtr)ptr;
            // 0x40 is PAGE_EXECUTE_READWRITE. Protection is applied per page, so everything
            // sharing the page(s) with this array becomes writable and executable, and
            // oldprotect is never used to restore the previous protection.
            // Writable+executable managed-heap memory that is then called into is behaviour
            // that memory-protection and endpoint monitoring commonly alert on.
            // The Process object returned by GetCurrentProcess() is not disposed.
            if (!VirtualProtectEx(Process.GetCurrentProcess().Handle, memoryAddress,
                (UIntPtr)syscall.Length, 0x40, out uint oldprotect)) {
                throw new Win32Exception();
            }
            // The delegate points into the pinned array, so it is only valid inside this
            // fixed block; it is created and invoked here and not stored.
            Delegates.ZwReadVirtualMemory myAssemblyFunction = (Delegates.ZwReadVirtualMemory)Marshal.GetDelegateForFunctionPointer(memoryAddress, typeof(Delegates.ZwReadVirtualMemory));
            return (NTSTATUS)myAssemblyFunction(hProcess, lpBaseAddress, ref lpBuffer, nSize, ref lpNumberOfBytesRead);
        }
    }
}

// Caller snippet from the report: allocates a 4-byte unmanaged buffer, calls the wrapper,
// then copies 4 bytes back out and prints them as an Int32.
byte[] data = new byte[4];
// Named `written`, but it is passed as the lpNumberOfBytesRead argument.
IntPtr written = IntPtr.Zero;
// No matching Marshal.FreeHGlobal appears in the lines shown.
IntPtr unmanagedPointer = Marshal.AllocHGlobal(data.Length);
Marshal.Copy(data, 0, unmanagedPointer, data.Length);
// The returned NTSTATUS is discarded, so a failed call is indistinguishable from a read
// that returned zeros.
syscalls.ZwReadVirtualMemory(procHandle, ref addr, ref unmanagedPointer, Convert.ToUInt32(data.Length), ref written, osV);
byte[] result = new byte[4];
Marshal.Copy(unmanagedPointer, result, 0, result.Length);
Console.WriteLine(BitConverter.ToInt32(result, 0).ToString());
I'm pretty sure I'm doing something wrong, could you try to give it a look?
Thanks!
