Kara-4search/NewNtdllBypassInlineHook_CSharp

Trying to make it work with 32bit

surajpkhetani opened this issue · 1 comments

I am trying to make this work on 32-bit. Since you have mentioned that some modifications are required in MainFunctions.cs, could you kindly guide me on what those changes are?

I am primarily looking to change the filename_path to be c:\windows\SYSWOW64\ntdll.dll and to change the native structs to be aligned with the 32-bit architecture, which I can get from Pinvoke. It would be great if you could let me know if I am heading in the right direction.

If you already have the 32bit working, it would be awesome if you can share the code.

I added the below structs from Pinvoke and then utilized them in Locate_Image_Export_Directory function.

        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_NT_HEADERS32
        {
            [FieldOffset(0)]
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
            public char[] Signature;

            // 24 = 4-byte PE signature + 20-byte IMAGE_FILE_HEADER
            [FieldOffset(24)]
            public IMAGE_OPTIONAL_HEADER32 OptionalHeader;
        }

        [StructLayout(LayoutKind.Explicit)]
        public struct IMAGE_OPTIONAL_HEADER32
        {
            // DataDirectory starts at offset 96 in the PE32 optional header (112 in PE32+)
            [FieldOffset(96)]
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
            public IMAGE_DATA_DIRECTORY[] DataDirectory; //public IMAGE_DATA_DIRECTORY ExportTable; in pinvoke.net
        }

Further, while defining NtAllocateVirtualMemory in DelegateFunctions, I changed the data type from ulong to int for AllocationType and Protect, as long represents 64-bit unsigned integers. I believe it will also work with uint.

        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        public delegate uint DFNtAllocateVirtualMemory(
            IntPtr ProcessHandle,
            ref IntPtr BaseAddress,
            IntPtr ZeroBits,
            ref IntPtr RegionSize,
            int AllocationType,
            int Protect);
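
Added example, not part of the issue or the repository's code: a bounds-checked header parser that reads the optional header Magic and picks the DataDirectory offset (96 for PE32, 112 for PE32+) instead of hard-coding one struct layout, so the same code handles both the SysWOW64 and System32 copies of a DLL. The names `PeExportLocator`, `LocateExportDirectory` and `BuildSample` are hypothetical, and the sample buffers are constructed headers, not real DLLs.

```csharp
using System;

static class PeExportLocator
{
    const ushort PE32 = 0x10B, PE32Plus = 0x20B;    // IMAGE_OPTIONAL_HEADER.Magic values

    // Returns the export directory RVA and size read from the headers of a PE image.
    public static (uint Rva, uint Size, bool Is64) LocateExportDirectory(byte[] image)
    {
        if (image.Length < 0x40 || BitConverter.ToUInt16(image, 0) != 0x5A4D)   // "MZ"
            throw new FormatException("not a DOS/PE image");
        int nt = BitConverter.ToInt32(image, 0x3C);                             // e_lfanew
        if (nt < 0 || nt > image.Length - 26)                                   // need signature..Magic
            throw new FormatException("e_lfanew out of range");
        if (BitConverter.ToUInt32(image, nt) != 0x00004550)                     // "PE\0\0"
            throw new FormatException("bad NT signature");

        int opt = nt + 24;                      // 4-byte signature + 20-byte IMAGE_FILE_HEADER
        ushort magic = BitConverter.ToUInt16(image, opt);
        int dirOffset = magic == PE32 ? 96      // DataDirectory in IMAGE_OPTIONAL_HEADER32
                      : magic == PE32Plus ? 112 // DataDirectory in IMAGE_OPTIONAL_HEADER64
                      : throw new FormatException($"unknown optional header magic 0x{magic:X}");
        int export = opt + dirOffset;           // entry 0 = IMAGE_DIRECTORY_ENTRY_EXPORT
        if (export + 8 > image.Length)
            throw new FormatException("truncated optional header");
        return (BitConverter.ToUInt32(image, export),
                BitConverter.ToUInt32(image, export + 4), magic == PE32Plus);
    }

    // Constructed sample: a header-only buffer with export RVA 0x1000 and size 0x200.
    static byte[] BuildSample(ushort magic, int dirOffset)
    {
        var b = new byte[0x200];
        b[0] = (byte)'M'; b[1] = (byte)'Z';
        BitConverter.GetBytes(0x80).CopyTo(b, 0x3C);                  // e_lfanew
        BitConverter.GetBytes(0x00004550u).CopyTo(b, 0x80);           // NT signature
        BitConverter.GetBytes(magic).CopyTo(b, 0x80 + 24);            // optional header Magic
        BitConverter.GetBytes(0x1000u).CopyTo(b, 0x80 + 24 + dirOffset);
        BitConverter.GetBytes(0x200u).CopyTo(b, 0x80 + 24 + dirOffset + 4);
        return b;
    }

    static void Main()
    {
        Console.WriteLine(LocateExportDirectory(BuildSample(PE32, 96)));
        Console.WriteLine(LocateExportDirectory(BuildSample(PE32Plus, 112)));
    }
}
```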