Description
When calling SharpSploit.Execution.DynamicInvoke.Generic.GetSyscallStub() the call to NtFreeVirtualMemory returns an NTSTATUS = STATUS_INVALID_PARAMETER_4 (0xC00000F2).
I was attempting to call "NtAllocateVirtualMemory" this way:
IntPtr pSyscall = SharpSploit.Execution.DynamicInvoke.Generic.GetSyscallStub("NtAllocateVirtualMemory");
This eventually causes this function to be called:
Native.NtFreeVirtualMemory((IntPtr)(-1), ref pImage, ref RegionSize, Execute.Win32.Kernel32.AllocationType.Reserve);
The error that was being returned was the catch-all error in Native.cs:
if (retValue != Execute.Native.NTSTATUS.Success)
{
    // STATUS_OBJECT_TYPE_MISMATCH == 0xC0000024
    throw new InvalidOperationException("There is a mismatch between the type of object that is required by the requested operation and the type of object that is specified in the request.");
}
Calling this code path, there is nothing that I can do to influence the variable type being used for the call to NtFreeVirtualMemory. I was able to add in an extra condition to get it to ignore the error as a work-around. It seems to not like the "Execute.Win32.Kernel32.AllocationType" being passed?
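
On the flag question raised in the report, an added example that is not part of the original issue or of SharpSploit's code: a Windows-only C# program that attempts to free one allocation with MEM_RESERVE (0x2000, the value of the AllocationType.Reserve argument shown above) and then with MEM_RELEASE, which together with MEM_DECOMMIT is what the documented FreeType parameter of NtFreeVirtualMemory accepts. The class name and the P/Invoke declarations are written for this example.

```csharp
using System;
using System.Runtime.InteropServices;

static class FreeTypeDemo
{
    // Flag values from winnt.h.
    const uint MEM_COMMIT = 0x1000, MEM_RESERVE = 0x2000, MEM_RELEASE = 0x8000;
    const uint PAGE_READWRITE = 0x04;

    [DllImport("ntdll.dll")]
    static extern uint NtAllocateVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress,
        IntPtr ZeroBits, ref IntPtr RegionSize, uint AllocationType, uint Protect);

    [DllImport("ntdll.dll")]
    static extern uint NtFreeVirtualMemory(IntPtr ProcessHandle, ref IntPtr BaseAddress,
        ref IntPtr RegionSize, uint FreeType);

    static void Main()
    {
        IntPtr self = (IntPtr)(-1);          // pseudo-handle for the current process
        IntPtr baseAddr = IntPtr.Zero;
        IntPtr size = (IntPtr)0x1000;

        uint status = NtAllocateVirtualMemory(self, ref baseAddr, IntPtr.Zero, ref size,
            MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (status != 0)
        {
            Console.WriteLine("allocate failed: 0x{0:X8}", status);
            return;
        }

        // An allocation-type flag in the FreeType slot (parameter 4).
        IntPtr b = baseAddr, s = size;
        uint wrongFlag = NtFreeVirtualMemory(self, ref b, ref s, MEM_RESERVE);
        Console.WriteLine("FreeType=MEM_RESERVE -> 0x{0:X8}", wrongFlag);

        // A free-type flag; for MEM_RELEASE the size is passed as zero so the
        // whole region reserved at baseAddr is released.
        b = baseAddr;
        s = IntPtr.Zero;
        uint release = NtFreeVirtualMemory(self, ref b, ref s, MEM_RELEASE);
        Console.WriteLine("FreeType=MEM_RELEASE -> 0x{0:X8}", release);
    }
}
```

Comparing the first printed status with the 0xC00000F2 quoted in the report shows whether the flag alone accounts for the failure.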