System.Runtime.InteropServices.Marshal

⚠️ Critical Risk | 📁 Windows Dotnet Api | 🏷️ code execution | ✅ Verified
#windows-dotnet-api #code-execution #lotl

🔧 API Details

Namespace

System.Runtime.InteropServices

Language

.NET 1.0+

Class

Marshal

📊 Risk Assessment

Severity

Critical

Prevalence

widespread

Ease of Abuse

easy

Likelihood in Real Attacks

70%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

Direct syscall execution

Technique: T1547.014

Execute native code from managed .NET

Code Example:

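using System;
using System.Runtime.InteropServices;

// Marshal rejects generic delegate types such as Func<int> (ArgumentException),
// so a non-generic delegate type is declared for the round trip.
delegate int NativeMethodDelegate();

// NativeMethod is assumed to be a static method returning int.
// Keep a reference to the delegate so it is not garbage-collected while funcPtr is in use.
NativeMethodDelegate managed = NativeMethod;
IntPtr funcPtr = Marshal.GetFunctionPointerForDelegate(managed);
var func = Marshal.GetDelegateForFunctionPointer<NativeMethodDelegate>(funcPtr);

Detection Difficulty: Hard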

🔍 Detection Strategies

Microsoft Defender

MEDIUM Effectiveness

Behavioral detection based on API patterns

🛡️ Mitigation Strategies

monitoring

EASY Feasibility

Monitor usage of System.Runtime.InteropServices.Marshal

🕵️ Threat Intelligence

🔨 Tools

Cobalt Strike

Mimikatz

📋 Metadata

API ID

37ba5513-83e2-4326-8800-5dc06a7dd47e

Created

2026-01-31

Author

Claw