Hide your P/Invoke signatures through other people's signed assemblies!
[PARAMETER MANDATORY]
"--path <PATH>", "The start directory to list .NET assemblies from."
[OPTIONAL PARAMS]
"-r|--recurse", "Recursively discover assemblies"
"--method <METHOD>", "Name of the PInvoke method to find"
The tool accepts one mandatory parameter, --path. If you specify only --path (for example, --path C:\), the tool finds all .NET assemblies under that path and outputs the P/Invoke signatures used in them, which you can use in your code to hide the use of P/Invoke (see the example below). To search for assemblies recursively, add the -r parameter.
.\ParasiteInvoke.exe --path C:\ -r
Most likely, though, you will be interested in hiding one particular P/Invoke method. That's why I created the --method argument. You can use it to find .NET assemblies that contain a signature for this method.
.\ParasiteInvoke.exe --path C:\ -r --method VirtualAlloc
Let's walk through an example
Suppose you want to hide the use of the VirtualAlloc() function. You run my tool and receive the following output:
.\ParasiteInvoke.exe --path C:\ -r --method VirtualAlloc
You should just copy the signature into your code, then add arguments to call the method and quietly PARASITE on the PInvoke signature from someone else's (often signed) .NET assembly.
using System;
using System.Reflection;
using System.Runtime.InteropServices;

namespace Template
{
    class Program
    {
        static void Main()
        {
            // Load the assembly that already declares the P/Invoke signature.
            Assembly asm = Assembly.LoadFrom(@"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationClientsideProviders.dll");
            // Resolve the internal class that holds the signature (throws if it is missing).
            Type t = asm.GetType("MS.Win32.UnsafeNativeMethods", true);
            // The method is non-public and static, so it is looked up and called via reflection.
            var methodInfo = t.GetMethod("VirtualAlloc", BindingFlags.NonPublic | BindingFlags.Static);
            // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
            IntPtr result = (IntPtr)methodInfo.Invoke(null, new object[] { IntPtr.Zero, new UIntPtr(10), 0x3000, 0x40 });
            // Write three bytes into the allocation to show that it is usable.
            Marshal.Copy(new byte[] { 1, 2, 3 }, 0, result, 3);
            Console.WriteLine(result);
            return;
        }
    }
}
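For defenders, the reflective call above leaves a footprint in the calling assembly: the API and class names exist only as UTF-16 string literals, next to references to LoadFrom, GetMethod and Invoke, with no P/Invoke declaration of its own. The Python triage heuristic below looks for that combination; it is an added example, not part of ParasiteInvoke. The sample bytes are constructed, and the API names other than VirtualAlloc, the class-name pattern and all function names are assumptions.

```python
import re

# Reflection members the page's call chain references; their names are stored
# as UTF-8 identifiers (#Strings heap) in the calling assembly.
REFLECTION_MEMBERS = (b"LoadFrom", b"GetMethod", b"Invoke")
# VirtualAlloc is the page's example; the other API names are assumptions.
WATCHED_APIS = ("VirtualAlloc", "VirtualProtect", "CreateThread")
# Interop holder classes such as MS.Win32.UnsafeNativeMethods (pattern is an assumption).
NATIVE_CLASS = re.compile(r"NativeMethods$")


def utf16_literals(data, min_len=6):
    """Return printable UTF-16LE runs: the encoding of C# string literals (#US heap)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return {m.group().decode("utf-16-le") for m in re.finditer(pattern, data)}


def triage(data):
    """Flag a watched API named only as a string literal next to reflection calls."""
    literals = utf16_literals(data)
    members = [m.decode() for m in REFLECTION_MEMBERS if m in data]
    # A locally declared P/Invoke would also store the API name as a UTF-8 identifier.
    by_name_only = sorted(a for a in WATCHED_APIS
                          if a in literals and a.encode() not in data)
    classes = sorted(s for s in literals if NATIVE_CLASS.search(s))
    return {
        "apis": by_name_only,
        "classes": classes,
        "reflection": members,
        "suspicious": bool(by_name_only) and len(members) == len(REFLECTION_MEMBERS),
    }


def us_entry(text):
    """Constructed helper: one #US-style entry (length byte, UTF-16LE text, flag byte)."""
    raw = text.encode("utf-16-le")
    return bytes([len(raw) + 1]) + raw + b"\x00"


# Constructed sample bytes, not a real assembly: identifiers, then two literals.
SAMPLE_REFLECTIVE = (b"\x00Assembly\x00LoadFrom\x00GetType\x00GetMethod\x00Invoke\x00"
                     + us_entry("MS.Win32.UnsafeNativeMethods") + us_entry("VirtualAlloc"))
# Constructed sample of an assembly that declares its own P/Invoke.
SAMPLE_DECLARED = b"\x00DllImportAttribute\x00VirtualAlloc\x00kernel32.dll\x00"

if __name__ == "__main__":
    print(triage(SAMPLE_REFLECTIVE))
    print(triage(SAMPLE_DECLARED))
```

A hit is a lead for manual review rather than a verdict, since legitimate code also uses reflection.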