Updated KnownDllsResolver

daem0nc0re · Feb 16, 2024 · c12e5ae · c12e5ae
1 parent 13abd5b
commit c12e5ae
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/SyscallResolvers/KnownDllsResolver/Interop/NativeMethods.cs b/SyscallResolvers/KnownDllsResolver/Interop/NativeMethods.cs
@@ -26,9 +26,9 @@ public static extern NTSTATUS NtMapViewOfSection(
 
         [DllImport("ntdll.dll")]
         public static extern NTSTATUS NtOpenSection(
-            ref IntPtr SectionHandle,
+            out IntPtr SectionHandle,
             ACCESS_MASK DesiredAccess,
-            ref OBJECT_ATTRIBUTES ObjectAttributes);
+            in OBJECT_ATTRIBUTES ObjectAttributes);
 
         [DllImport("ntdll.dll")]
         public static extern NTSTATUS NtUnmapViewOfSection(

diff --git a/SyscallResolvers/KnownDllsResolver/Library/Modules.cs b/SyscallResolvers/KnownDllsResolver/Library/Modules.cs
@@ -15,9 +15,6 @@ public static int ResolveSyscallNumber(string syscallName)
             int nSyscallNumber = -1;
             var hSection = IntPtr.Zero;
             var objectPath = @"\KnownDlls\ntdll.dll";
-            var objectAttributes = new OBJECT_ATTRIBUTES(
-                objectPath,
-                OBJECT_ATTRIBUTES_FLAGS.OBJ_CASE_INSENSITIVE);
 
             if (Environment.Is64BitOperatingSystem && !Environment.Is64BitProcess)
             {
@@ -33,10 +30,15 @@ public static int ResolveSyscallNumber(string syscallName)
 
             Console.WriteLine("[>] Trying to get section handle to {0}.", objectPath);
 
-            ntstatus = NativeMethods.NtOpenSection(
-                ref hSection,
-                ACCESS_MASK.SECTION_MAP_READ,
-                ref objectAttributes);
+            using (var objectAttributes = new OBJECT_ATTRIBUTES(
+                objectPath,
+                OBJECT_ATTRIBUTES_FLAGS.OBJ_CASE_INSENSITIVE))
+            {
+                ntstatus = NativeMethods.NtOpenSection(
+                    out hSection,
+                    ACCESS_MASK.SECTION_MAP_READ,
+                    in objectAttributes);
+            }
 
             if (ntstatus != Win32Consts.STATUS_SUCCESS)
             {
@@ -78,7 +80,7 @@ public static int ResolveSyscallNumber(string syscallName)
 
                 foreach (var entry in syscallTable)
                 {
-                    if (entry.Key.IndexOf(syscallName, StringComparison.OrdinalIgnoreCase) >= 0)
+                    if (entry.Key.IndexOf(syscallName, StringComparison.OrdinalIgnoreCase) == 0)
                     {
                         syscallName = entry.Key;
                         nSyscallNumber = entry.Value;