Usage

I have created an modification that is a bit easier to extend for direct syscall usage, in my opinion. I found it hard to figure out a simple way to note out the original repo here, so I made a smaller implementation that would be easier to explain how to extend. https://github.com/susMdT/SharpAndSimpleHellsGate

Key difference is that I am not using the hashing technique; the nt functions are called in plaintext name (for simplicity).

Create a delegate for the syscall we want to make
Grab its ID and call the directSyscall Method, passing in an object array of our arguments
- If any of the arguments are passed by reference and we need to obtain their updated values, make sure to reassign the variable with the respective index from the array
- if we do not need to update any args, then we can just instantiate a new array within the function call

Example of updating Args

//Initialize variables and an object array beforehand so we can capture updated args
IntPtr baseAddr = IntPtr.Zero;
IntPtr regionSize = (IntPtr)3000;
object[] allocArgs = new object[] { 
	(IntPtr)(-1), 
	baseAddr, 
	IntPtr.Zero, 
	regionSize, 
	Macros.MEM_COMMIT , 
	Macros.PAGE_EXECUTE_READWRITE
};

directSyscall<Delegates.NtAllocateVirtualMemory>(
ntdll.GetSyscallId("NtAllocateVirtualMemory"), 
	freeRWX, 
	allocArgs
);

//Updating our vars
baseAddr = (IntPtr)allocArgs[1];
regionSize = (IntPtr)allocArgs[3];

Example of not updating args

directSyscall<Delegates.NtProtectVirtualMemory>(
	ntdll.GetSyscallId("NtProtectVirtualMemory"), 
	freeRWX, 
	new object[] { 
		(IntPtr)(-1), 
		baseAddr, 
		regionSize, 
		Macros.PAGE_EXECUTE_READ, 
		(uint)0}
)

Pros

Execute syscalls directly = no hooks
Reading ntdll from disk = no hooks to screw up the syscall id offset from the base of the function (hooks add extra bytes that can screw up the 18 byte offset)

Cons

Direct syscalls can be detected by callback address; rather than returning to ntdll, it returns to the JIT space.