TheWover / DInvoke

Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
MIT License

FileNotFoundException in RewriteModuleIAT #12

Open rasta-mouse opened 3 years ago

rasta-mouse commented 3 years ago

I think this is meant to work?

using DInvoke.DynamicInvoke;
using DInvoke.ManualMap;
using Data = DInvoke.Data;

using System;

namespace DInvokeTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var pid = int.Parse(args[0]);

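            // Manually map a fresh copy of kernel32.dll; the exception below is thrown inside this call.
            var map = Overload.OverloadModule(@"C:\Windows\System32\kernel32.dll");

            // Arguments for OpenProcess: desired access, inherit handle, process ID.
            var parameters = new object[]
            {
                Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS,
                false,
                pid
            };

            // Call the OpenProcess export of the mapped copy through its delegate type.
            var hProcess = (IntPtr)Generic.CallMappedDLLModuleExport(map.PEINFO, map.ModuleBase, "OpenProcess",
                typeof(Win32.Delegates.OpenProcess), parameters);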

            Console.WriteLine("Handle => 0x" + string.Format("{0:X}", hProcess.ToInt64()));
        }
    }
}

Unhandled Exception: System.IO.FileNotFoundException: api-ms-win-core-processthreads-l1-1-0.dll, unable to find the specified file.
   at DInvoke.ManualMap.Map.RewriteModuleIAT(PE_META_DATA PEINFO, IntPtr ModuleMemoryBase)
   at DInvoke.ManualMap.Map.MapModuleToMemory(IntPtr pModule, IntPtr pImage, PE_META_DATA PEINFO)
   at DInvoke.ManualMap.Overload.OverloadModule(Byte[] Payload, String DecoyModulePath, Boolean LegitSigned)
   at DInvokeTest.Program.Main(String[] args)

Probably a duplicate of https://github.com/cobbr/SharpSploit/issues/58

TheWover commented 3 years ago

I think you're right. It works on my machine, but if it is actually a flaw with API Set resolution, then that could happen if you and I have different versions of Windows / APIs.

Thanks for finally finding a test case for this bug! I've marked this as a bug to fix for the next minor version.

rasta-mouse commented 3 years ago

Let me know if there's any more information from my end that would be useful.

TheWover commented 3 years ago

I think I know what the issue is. If I can't reproduce the error (or simulate it) on my end, I'll ping you later to see if you can test a fix.

TheWover commented 3 years ago

Fixed in https://github.com/TheWover/DInvoke/commit/af9f86984a2ce329cb44a97459592f0b191fe252

Will be merged with v1.1.
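An added illustration, not code from this thread or from the DInvoke commit: how an API Set lookup keyed on the exact import name can fail on one Windows build and succeed on another, assuming the cause suggested above (the machine's schema lists the same contract with a different final version number). The map contents and the names `ApiSetLookupDemo`, `ContractKey` and `ResolveHost` are constructed for this example.

```csharp
using System;
using System.Collections.Generic;

static class ApiSetLookupDemo
{
    // Constructed sample map, not read from a real system. This hypothetical
    // machine lists the processthreads contract as l1-1-3, not l1-1-0.
    static readonly Dictionary<string, string> SampleApiSetMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "api-ms-win-core-processthreads-l1-1-3.dll", "kernel32.dll" },
            { "api-ms-win-core-heap-l1-2-0.dll", "kernelbase.dll" },
        };

    // Drop ".dll" and the final "-N" component, so that names differing only
    // in that last number compare equal.
    public static string ContractKey(string name)
    {
        string s = name.ToLowerInvariant();
        if (s.EndsWith(".dll")) s = s.Substring(0, s.Length - 4);
        int dash = s.LastIndexOf('-');
        return dash > 0 ? s.Substring(0, dash) : s;
    }

    // Returns the host DLL for an imported API Set name, or null if none matches.
    public static string ResolveHost(string importName, bool ignoreLastComponent)
    {
        if (!ignoreLastComponent)
        {
            string host;
            return SampleApiSetMap.TryGetValue(importName, out host) ? host : null;
        }
        string wanted = ContractKey(importName);
        foreach (KeyValuePair<string, string> entry in SampleApiSetMap)
            if (ContractKey(entry.Key) == wanted) return entry.Value;
        return null;
    }

    static void Main()
    {
        // The import named in the exception above.
        string import = "api-ms-win-core-processthreads-l1-1-0.dll";
        Console.WriteLine("exact:      " + (ResolveHost(import, false) ?? "<not found>"));
        Console.WriteLine("normalized: " + (ResolveHost(import, true) ?? "<not found>"));
    }
}
```

If the exact lookup misses and the resolver then treats the contract name as a file on disk, the result is a file-not-found error like the one in the stack trace, since API Set names are virtual and are not loaded from disk under that name.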