Seeking advice about DllImport parameters

  • Question

  •     public class privilege
        {
            public privilege(string privilegeName) //"SeLoadDriverPrivilege"
            { 
                IntPtr tokenHandle = IntPtr.Zero;
                try
                {
                    if (!OpenProcessToken(Process.GetCurrentProcess().Handle,TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,out tokenHandle))throw new Win32Exception(Marshal.GetLastWin32Error(),"Failed to open process token handle");
                    TOKEN_PRIVILEGES tokenPrivs = new TOKEN_PRIVILEGES();
                    tokenPrivs.PrivilegeCount = 1;
                    tokenPrivs.Privileges = new LUID_AND_ATTRIBUTES[1];
                    tokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                    if (!LookupPrivilegeValue(null,privilegeName,out tokenPrivs.Privileges[0].Luid))throw new Win32Exception(Marshal.GetLastWin32Error(),"Failed to open lookup shutdown privilege");
                    if (!AdjustTokenPrivileges(tokenHandle,false,ref tokenPrivs,0,IntPtr.Zero,IntPtr.Zero))throw new Win32Exception(Marshal.GetLastWin32Error(),"Failed to adjust process token privileges");
                }
                finally
                {
                    if (tokenHandle != IntPtr.Zero)CloseHandle(tokenHandle);
                }
            }
            [StructLayout(LayoutKind.Sequential)]
            private struct LUID
            {
                public uint LowPart;
                public int HighPart;
            }
            [StructLayout(LayoutKind.Sequential)]
            private struct LUID_AND_ATTRIBUTES
            {
                public LUID Luid;
                public UInt32 Attributes;
            }
            private struct TOKEN_PRIVILEGES
            {
                public UInt32 PrivilegeCount;
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
                public LUID_AND_ATTRIBUTES[] Privileges;
            }
            private const UInt32 TOKEN_QUERY = 0x0008;
            private const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
            private const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
            [DllImport("advapi32.dll", SetLastError = true)]
            [return: MarshalAs(UnmanagedType.Bool)]
            private static extern bool OpenProcessToken(IntPtr ProcessHandle,UInt32 DesiredAccess,out IntPtr TokenHandle);
            [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
            [return: MarshalAs(UnmanagedType.Bool)]
            private static extern bool LookupPrivilegeValue(string lpSystemName,string lpName,out LUID lpLuid);
            [DllImport("kernel32.dll", SetLastError = true)]
            [return: MarshalAs(UnmanagedType.Bool)]
            private static extern bool CloseHandle(IntPtr hObject);
            [DllImport("advapi32.dll", SetLastError = true)]
            [return: MarshalAs(UnmanagedType.Bool)]
            private static extern bool AdjustTokenPrivileges(IntPtr TokenHandle,[MarshalAs(UnmanagedType.Bool)]bool DisableAllPrivileges,ref TOKEN_PRIVILEGES NewState,UInt32 Zero,IntPtr Null1,IntPtr Null2);
         }

    The code above is supposed to give me SeLoadDriverPrivilege, but the code below still reports that I do not have it:

            /// <summary>
            /// Managed mirror of the native UNICODE_STRING: a counted (not necessarily
            /// null-terminated) UTF-16 string. Length and MaximumLength are byte counts;
            /// Buffer points at memory that this struct does not own, so whoever fills it
            /// must keep that memory valid for as long as the struct is in use.
            /// </summary>
            [StructLayout(LayoutKind.Sequential, Pack = 0)]
            public struct UNICODE_STRING
            {
                /// <summary>Length of the string in Buffer, in bytes, not counting any terminator.</summary>
                public ushort Length;
                /// <summary>Total size of Buffer, in bytes.</summary>
                public ushort MaximumLength;
                /// <summary>Pointer to the UTF-16 characters.</summary>
                public IntPtr Buffer;
            }
            /// <summary>
            /// Fills DestinationString so that it describes SourceString (Length/MaximumLength
            /// from the characters, Buffer pointing at them). The native function does not copy
            /// the characters.
            /// </summary>
            /// <remarks>
            /// NOTE(review): SourceString is a managed string marshalled as LPWStr, so the pointer
            /// the native side receives is only guaranteed for the duration of this call; after
            /// it returns, DestinationString.Buffer may no longer be valid. Allocate the
            /// characters with Marshal.StringToHGlobalUni and fill the struct yourself if the
            /// UNICODE_STRING has to survive past this call.
            /// </remarks>
            [DllImport("ntdll.dll")]
            public static extern void RtlInitUnicodeString(out UNICODE_STRING DestinationString,[MarshalAs(UnmanagedType.LPWStr)] string SourceString);
            /// <summary>
            /// Loads the driver whose service key is named by the UNICODE_STRING that
            /// <paramref name="ff"/> points to. Returns an NTSTATUS; 0 means success.
            /// </summary>
            /// <param name="ff">
            /// Pointer to an unmanaged UNICODE_STRING (the native parameter is PUNICODE_STRING,
            /// i.e. passed by pointer, not by value). Callers must marshal the struct to
            /// unmanaged memory, e.g. with Marshal.StructureToPtr, and pass that address; the
            /// struct itself cannot be passed to this declaration. Declaring the parameter as
            /// "ref UNICODE_STRING" instead is equivalent and avoids the manual marshalling.
            /// </param>
            /// <remarks>
            /// The calling process needs SeLoadDriverPrivilege enabled in its token; the call
            /// fails with an NTSTATUS error otherwise.
            /// </remarks>
            [DllImport("ntdll.dll")]
            // A by-value declaration (UNICODE_STRING DestinationString) does not match the native
            // PUNICODE_STRING parameter, which is why it is not used here.
            public static extern int ZwLoadDriver(IntPtr ff);
            private void dataGridView2_DoubleClick(object sender, EventArgs e)
            {
                UNICODE_STRING unicodeString;
                RtlInitUnicodeString(out unicodeString, "Registry\\Machine\\System\\CurrentControlSet\\Services\\" + (string)dataGridView2.SelectedRows[0].Cells["BaseName"].Value);
                byte[] bytes = new byte[unicodeString.Length];
                Marshal.Copy(unicodeString.Buffer,bytes, 0, bytes.Length);
                textBox1.Text = "";
                foreach (byte bt in bytes)
                {
                    textBox1.Text += bt.ToString("X2");
                }
                privilege driverPrivilege = new privilege("SeLoadDriverPrivilege");
                //int wynik = ZwLoadDriver(0);
                int wynik=ZwLoadDriver(unicodeString);
                textBox2.Text = wynik.ToString("X8");
            }

    How should I declare the [DllImport("ntdll.dll")] ZwLoadDriver import, and what parameters should I pass when calling it?


    Sunday, May 19, 2019 10:47 AM

All replies

  • For example (the process must run as Administrator, e.g. via an application manifest, or the privilege cannot be enabled):

     (tested on Windows 10)

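    // Enable SeLoadDriverPrivilege in the process token. RtlAdjustPrivilege only succeeds
    // when the token already holds the privilege, which is why the process has to be
    // elevated; bEnabled receives the privilege's previous state (it is not restored here).
    bool bEnabled = false;
    int nStatus = RtlAdjustPrivilege(SeLoadDriverPrivilege, true, false, ref bEnabled);
    if (nStatus != 0)
    {
        throw new Win32Exception(RtlNtStatusToDosError(nStatus));
    }

    string sDriverName = "MEmuDrv";
    // NtLoadDriver expects the NT object path of the driver's service key; the leading
    // backslash is part of that path.
    string sKey = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + sDriverName;

    // Keep the characters in unmanaged memory that we own until NtLoadDriver has returned.
    // With RtlInitUnicodeString the Buffer would point at the marshaller's pointer for the
    // managed string, which is only guaranteed for the duration of that one call.
    IntPtr pKey = Marshal.StringToHGlobalUni(sKey);
    try
    {
        UNICODE_STRING usDriverName = new UNICODE_STRING(pKey, checked((ushort)(sKey.Length * 2)));
        nStatus = NtLoadDriver(ref usDriverName);
        if (nStatus != 0)
        {
            throw new Win32Exception(RtlNtStatusToDosError(nStatus));
        }
    }
    finally
    {
        Marshal.FreeHGlobal(pKey);
    }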

    with these declarations:

    /// <summary>
    /// Loads the driver whose service key is named by <paramref name="DriverServiceName"/>
    /// (an NT path of the form \Registry\Machine\System\CurrentControlSet\Services\&lt;name&gt;).
    /// Returns an NTSTATUS; 0 is success, convert others with RtlNtStatusToDosError.
    /// The caller's token must have SeLoadDriverPrivilege enabled.
    /// </summary>
    /// <remarks>SetLastError has no effect here: failures are reported in the NTSTATUS, not via GetLastError.</remarks>
    [DllImport("NtDll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern int NtLoadDriver(ref UNICODE_STRING DriverServiceName);
    
    /// <summary>
    /// Unloads the driver whose service key is named by <paramref name="DriverServiceName"/>
    /// (same NT path form as for NtLoadDriver). Returns an NTSTATUS; 0 is success.
    /// </summary>
    [DllImport("NtDll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern int NtUnloadDriver(ref UNICODE_STRING DriverServiceName);
    
    /// <summary>
    /// Fills <paramref name="DestinationString"/> so that it describes
    /// <paramref name="SourceString"/>; the characters are not copied, Buffer points at them.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the LPWStr pointer the native side receives for a managed string is only
    /// guaranteed while this call is in progress, so Buffer should not be relied on after the
    /// call returns. For a UNICODE_STRING that is used later, allocate the characters with
    /// Marshal.StringToHGlobalUni and build the struct from that pointer instead.
    /// </remarks>
    [DllImport("NtDll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern void RtlInitUnicodeString(ref UNICODE_STRING DestinationString, [MarshalAs(UnmanagedType.LPWStr)] string SourceString);
    
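    /// <summary>
    /// Enables or disables one privilege, identified by its LUID low part (e.g.
    /// SeLoadDriverPrivilege = 10), in the process token or, when
    /// <paramref name="CurrentThread"/> is true, the current thread's impersonation token.
    /// Returns an NTSTATUS; 0 is success. <paramref name="Enabled"/> receives the
    /// privilege's previous state.
    /// </summary>
    /// <remarks>
    /// The native parameters are BOOLEAN (one byte) and PBOOLEAN, not the four-byte BOOL that
    /// a C# bool marshals to by default, hence the explicit U1 marshalling.
    /// </remarks>
    [DllImport("NtDll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern int RtlAdjustPrivilege(uint Privilege, [MarshalAs(UnmanagedType.U1)] bool Enable, [MarshalAs(UnmanagedType.U1)] bool CurrentThread, [MarshalAs(UnmanagedType.U1)] ref bool Enabled);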
    
    /// <summary>
    /// Maps an NTSTATUS value to the equivalent Win32 error code, so that it can be wrapped
    /// in a <see cref="Win32Exception"/> with a readable message.
    /// </summary>
    [DllImport("NtDll.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern int RtlNtStatusToDosError(int Status);
    
    /// <summary>
    /// Managed mirror of the native UNICODE_STRING: a counted UTF-16 string described by a
    /// byte length, a buffer size and a pointer to characters that the struct does not own.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        /// <summary>
        /// Describes an existing unmanaged buffer of <paramref name="length"/> bytes.
        /// MaximumLength is set equal to Length, i.e. no room for a terminator is assumed;
        /// the caller keeps <paramref name="pBuffer"/> alive for as long as the struct is used.
        /// </summary>
        internal UNICODE_STRING(IntPtr pBuffer, ushort length)
        {
            Length = length;
            MaximumLength = length;
            Buffer = pBuffer;
        }
    
        /// <summary>
        /// Specifies the length, in bytes, of the string in Buffer. This value does not include the terminating null character, if any.
        /// </summary>
        internal ushort Length;
    
        /// <summary>
        /// Specifies the total size, in bytes, of Buffer. Up to MaximumLength bytes may be written into the buffer without trampling memory.
        /// </summary>
        internal ushort MaximumLength;
    
        /// <summary>
        /// Pointer to a wide character string. Note that strings returned by the LSA may not be null-terminated.
        /// </summary>
        internal IntPtr Buffer;
    }
    
    /// <summary>Privilege name as used by the Win32 LookupPrivilegeValue/AdjustTokenPrivileges path.</summary>
    public const string SE_LOAD_DRIVER_NAME = "SeLoadDriverPrivilege";
    /// <summary>
    /// LUID low part of the same privilege (SE_LOAD_DRIVER_PRIVILEGE in the Windows headers),
    /// which is what RtlAdjustPrivilege takes instead of the name.
    /// </summary>
    public const int SeLoadDriverPrivilege = 10;

    Sunday, May 19, 2019 4:06 PM
  • What is Microsoft's PayPal account, so that I can pay for help?
    Wednesday, June 5, 2019 10:37 AM
  • a) No Microsoft does not use Paypal.

    b) No, this forum does not allow any payment for help. This forum provides peer-to-peer support, delivered by other users like you who do not get paid for giving help.

    Please do not ask again about Paypal here.

    Wednesday, June 5, 2019 2:34 PM
    Moderator