Parasite-Invoke

Hide your P/Invoke signatures through other people's signed assemblies!

Usage

[PARAMETER MANDATORY]
 "--path <PATH>", "The start directory to list .NET assemblies from."

[OPTIONAL PARAMS]
 "-r|--recurse", "Recursively discover assemblies"
 "--method <METHOD>", "Name of the PInvoke method to find"

The tool has one mandatory parameter, --path. If you specify only --path (for example, --path C:\), the tool finds all .NET assemblies under that path and prints the P/Invoke signatures used in them, which you can use in your code to hide the use of P/Invoke (see Example below). To search for assemblies recursively, add the -r parameter.

.\ParasiteInvoke.exe --path C:\ -r

But most likely you will be interested in hiding one particular PInvoke method. That's why I created the --method argument. You can use it to find .NET assemblies that contain this method signature.

.\ParasiteInvoke.exe --path C:\ -r --method VirtualAlloc

Let's go to an example

Example (u should go here)

Suppose you want to hide the use of the VirtualAlloc() function. You run my tool and receive the following output:

.\ParasiteInvoke.exe --path C:\ -r --method VirtualAlloc

You should just copy the signature into your code, then add arguments to call the method and quietly PARASITE on the PInvoke signature from someone else's (often signed) .NET assembly.

using System;
using System.Reflection;
using System.Runtime.InteropServices;

namespace Template
{
    class Program
    {
        static void Main()
        {
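            // Load a framework assembly that already declares the P/Invoke signature.
            Assembly asm = Assembly.LoadFrom(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationClientsideProviders.dll");
            // Type that holds the P/Invoke declarations reported by the tool.
            Type t = asm.GetType("MS.Win32.UnsafeNativeMethods", true);
            // The method is non-public and static, so it is resolved by name through reflection.
            var methodInfo = t.GetMethod("VirtualAlloc", System.Reflection.BindingFlags.NonPublic | System.Reflection.BindingFlags.Static);
            // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
            IntPtr result = (System.IntPtr)methodInfo.Invoke(null, new object[] { IntPtr.Zero, new UIntPtr(10), 0x3000, 0x40 } );
            // Write three bytes into the allocation and print its address.
            Marshal.Copy(new byte[] { 1, 2, 3 }, 0, result, 3);
            Console.WriteLine(result);
            return;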
        }

    }
}

The function is invoked successfully: [image]
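For reviewers, the pattern in the example above leaves a recognizable shape in source or decompiled C#: a native API name passed as a string to GetMethod with NonPublic binding, a static Invoke, and no matching DllImport in the program itself. The following is an added example, not part of the original README or the tool; the function name, regexes and watchlist are assumptions, and the sample inputs are constructed.

```python
import re

# Native APIs to flag when reached through reflection. Only VirtualAlloc comes
# from the page; extend the set for your own review (assumption).
WATCHLIST = {"VirtualAlloc"}

LOAD_RE = re.compile(r'Assembly\s*\.\s*(?:LoadFrom|LoadFile|Load)\s*\(\s*@?"([^"]+)"')
GETMETHOD_RE = re.compile(r'\.GetMethod\s*\(\s*"(\w+)"\s*,\s*([^;]*)')
STATIC_INVOKE_RE = re.compile(r'\.Invoke\s*\(\s*null\b')
DLLIMPORT_RE = re.compile(r'\[\s*DllImport\b[^\]]*\][^;(]*?\b(\w+)\s*\(', re.S)


def find_borrowed_pinvoke(source, watchlist=WATCHLIST):
    """Return one finding per watched native API that the C# source resolves by
    name via reflection (non-public, static invoke) without declaring it itself."""
    loaded = LOAD_RE.findall(source)              # assemblies loaded by literal path
    declared = set(DLLIMPORT_RE.findall(source))  # the file's own P/Invoke methods
    if not STATIC_INVOKE_RE.search(source):       # nothing is invoked statically
        return []
    findings = []
    for name, flags in GETMETHOD_RE.findall(source):
        if name in watchlist and "NonPublic" in flags and name not in declared:
            findings.append({"method": name, "assemblies": loaded})
    return findings


# Constructed sample 1: the statements of the page's example, condensed.
PAGE_SAMPLE = r'''
Assembly asm = Assembly.LoadFrom(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationClientsideProviders.dll");
Type t = asm.GetType("MS.Win32.UnsafeNativeMethods", true);
var methodInfo = t.GetMethod("VirtualAlloc", BindingFlags.NonPublic | BindingFlags.Static);
IntPtr result = (IntPtr)methodInfo.Invoke(null, new object[] { IntPtr.Zero, new UIntPtr(10), 0x3000, 0x40 });
'''

# Constructed sample 2: the program declares the import itself, so the
# ordinary DllImport review already covers it and nothing is reported here.
OWN_DECLARATION_SAMPLE = r'''
[DllImport("kernel32.dll")] static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, uint t, uint p);
var m = typeof(Program).GetMethod("VirtualAlloc", BindingFlags.NonPublic | BindingFlags.Static);
m.Invoke(null, args);
'''

if __name__ == "__main__":
    for hit in find_borrowed_pinvoke(PAGE_SAMPLE):
        print(hit["method"], "resolved via reflection; loaded:", hit["assemblies"])
```

The check works on text only and matches literal method names, so treat a hit as a prompt for manual review rather than a verdict.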

Example output

Discover all .NET assemblies from C:\Windows\System32 directory with PInvoke Signatures

https://pastebin.com/9JyjcMAH

Discover all .NET assemblies from C:\ with PInvoke signature of VirtualAlloc Method

https://pastebin.com/iBeTbXCw