
I'm trying to delete my PE HEADER using this function:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;


namespace ConsoleApplication9
{
    // Minimal console program from the question. It tries to zero the first 4096 bytes
    // at the base address of its own main module, which is where the PE header is mapped.
    // NOTE(review): wiping the in-memory PE header is an anti-dumping / anti-analysis
    // technique. For defenders, a loaded module whose in-memory header no longer matches
    // the file on disk is an indicator worth flagging.
    // NOTE(review): as written, the wipe is not expected to happen; see the notes on the
    // VirtualProtect and SecureZeroMemory declarations below.
    class Program
    {
        // Page-protection values passed to VirtualProtect.
        // The numeric values match the Win32 PAGE_* memory-protection constants.
        public enum MemoryProtectionConsts : uint
        {
            EXECUTE = 0x10,
            EXECUTE_READ = 0x20,
            EXECUTE_READWRITE = 0x40,
            NOACCESS = 0x01,
            READONLY = 0x02,
            READWRITE = 0x04
        }

        // kernel32!GetModuleHandle. Called below with null, which asks for the module
        // that was used to create the calling process.
        [DllImport("kernel32.dll")]
        public static extern IntPtr GetModuleHandle(string lpModuleName);
        // kernel32!VirtualProtect. SetLastError = true makes the Win32 error code available
        // through Marshal.GetLastWin32Error() after the call.
        // NOTE(review): this declaration does not match the native prototype. Natively the
        // last parameter is a pointer to a DWORD that receives the previous protection, and
        // dwSize is a pointer-sized SIZE_T. Here lpflOldProtect is an int passed by value,
        // so the call below hands the API a null pointer. Confirm the outcome by checking
        // the return value, which the caller currently ignores.
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool VirtualProtect(IntPtr lpAddress, int dwSize, MemoryProtectionConsts flNewProtect,
            int lpflOldProtect);
        // NOTE(review): commenters on this page report that RtlSecureZeroMemory is not exported
        // by any system DLL, so this import is expected to fail when the method is first called.
        // That would be the unhandled exception the question describes. TODO confirm.
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, EntryPoint = "RtlSecureZeroMemory")]
        private static extern void SecureZeroMemory(IntPtr ptr, IntPtr cnt);
        /// <summary>
        /// Attempts to make the first 4096 bytes of the current process's main module
        /// writable and then overwrite them with zeros.
        /// </summary>
        /// <returns>Always 0; no failure is reported to the caller.</returns>
        private static int ErasePEHeader() // takes no parameters; always targets the current process's main module
        {
            int OldProtect = 0;
            // Base address of the executable image of this process.
            IntPtr pBaseAddr = GetModuleHandle(null);
            // Return value is discarded, so a failed protection change goes unnoticed.
            VirtualProtect(pBaseAddr, 4096, // Assume x86 page size
             MemoryProtectionConsts.READWRITE, OldProtect);
            // Zero the same 4096-byte range whose protection was just requested to change.
            SecureZeroMemory(pBaseAddr, (IntPtr)4096);
            return 0;
        }
        // Entry point: runs the erase attempt, prints an empty line, then waits for a key press
        // so the console window stays open.
        static void Main(string[] args)
        {
            ErasePEHeader();
            Console.WriteLine("");
            Console.ReadKey();
        }
    }
}

However, it throws an unhandled exception every time: [screenshot of the exception; image not included]

In my minimal example the exception is thrown and the PE header is never erased. My only goal here is to erase the PE header, for study purposes.

Sir Jack
  • Did you read the words in the error message? *Unable to load DLL ': 'SecureZeroMem.dll': The specified module could not be found.* seems very clear. You don't have a 'SecureZeroMem.dll' to load. Where do you expect it to come from? – Ken White May 27 '17 at 02:51

2 Answers


There's no such thing as SecureZeroMem.dll - which is why your code fails to load it. If you're looking for the function SecureZeroMemory, it's in kernel32.dll.

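// P/Invoke declaration proposed by this answer (the missing '=' after EntryPoint is restored).
// NOTE(review): a later comment on this page reports that no system DLL exports
// RtlSecureZeroMemory, so this import is still expected to fail at call time with an
// entry-point-not-found error. Verify before relying on it.
[DllImport("kernel32.dll", CharSet = CharSet.Auto, EntryPoint = "RtlSecureZeroMemory")]
private static extern void SecureZeroMemory(IntPtr ptr, IntPtr cnt);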
Asik
  • No such function in any system DLL - see https://stackoverflow.com/questions/53232456/why-does-dllimport-fail-with-an-entry-point-of-rtlsecurezeromemory-even-t/53233193#53233193 – David Heffernan Nov 09 '18 at 20:59

The previous answer uses SecureZeroMemory(), but since it's not an exported function, we cannot simply call it.

However, you can use Marshal.Copy() to copy a zero-filled array to the memory:

// Signature of System.Runtime.InteropServices.Marshal.Copy (managed byte[] to unmanaged pointer overload):
// copies `length` bytes from `source`, starting at `startIndex`, to the memory at `destination`.
public static void Copy (byte[] source, int startIndex, IntPtr destination, int length);

see msdn

drakonia