author | Toni Uhlig <matzeton@googlemail.com> | 2023-09-26 23:08:51 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2023-09-26 23:08:51 +0200 |
commit | a6d87015eb69fbdb18266cc5c59309140d942667 (patch) | |
tree | 3b6293e7908c099d8aced2200db9d74007b20971 | |
parent | 5b5de30ac0baf416078cd339af694d0ec70db37a (diff) |
Added ZwQueryVirtualMemory / ZwQuerySystemInformation to Zw wrapper.
* malloc() now requests PagedPool from ExAllocatePoolWithTag when the allocation size is greater than the page size
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | CRT/kcrt.c | 2 | ||||
-rw-r--r-- | CRT/ntdll_zw_functions.c | 34 | ||||
-rw-r--r-- | CRT/ntdll_zw_functions.txt | 2 | ||||
-rw-r--r-- | examples/dpp-example-cplusplus.cpp | 3 |
4 files changed, 40 insertions, 1 deletions
@@ -100,7 +100,7 @@ void * __cdecl malloc(size_t size)
 PMALLOC_HEADER mhdr = NULL;
 const size_t new_size = size + sizeof(MALLOC_HEADER);
- mhdr = (PMALLOC_HEADER)ExAllocatePoolWithTag(NonPagedPool, new_size, KCRT_POOL_DEFAULT_TAG);
+ mhdr = (PMALLOC_HEADER)ExAllocatePoolWithTag(new_size > PAGE_SIZE ? PagedPool : NonPagedPool, new_size, KCRT_POOL_DEFAULT_TAG);
 if (mhdr) {
 RtlZeroMemory(mhdr, new_size);
diff --git a/CRT/ntdll_zw_functions.c b/CRT/ntdll_zw_functions.c
index d2df299..bdad460 100644
--- a/CRT/ntdll_zw_functions.c
+++ b/CRT/ntdll_zw_functions.c
@@ -4,9 +4,13 @@
 typedef NTSTATUS NTAPI (*ZwTraceControl_t) (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength);
 typedef NTSTATUS NTAPI (*ZwTraceEvent_t) (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields);
+typedef NTSTATUS NTAPI (*ZwQueryVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength);
+typedef NTSTATUS NTAPI (*ZwQuerySystemInformation_t) (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
 static ZwTraceControl_t _ZwTraceControl = NULL;
 static ZwTraceEvent_t _ZwTraceEvent = NULL;
+static ZwQueryVirtualMemory_t _ZwQueryVirtualMemory = NULL;
+static ZwQuerySystemInformation_t _ZwQuerySystemInformation = NULL;
 int __cdecl ntdll_zw_functions (void)
 {
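Review bot: The new pool choice on the `+ mhdr = (PMALLOC_HEADER)ExAllocatePoolWithTag(new_size > PAGE_SIZE ? PagedPool : NonPagedPool, ...)` line silently changes malloc()'s IRQL contract: requests larger than PAGE_SIZE now return pageable memory, and a PagedPool allocation is itself only legal at IRQL < DISPATCH_LEVEL, so a caller that allocates under a spin lock or at DISPATCH_LEVEL, or that later touches the buffer at raised IRQL, now faults on memory that was non-paged before this commit. The caller has no way to learn which pool it got, since only the size decides. Either document the restriction at the call site, e.g. `// Requests > PAGE_SIZE come from PagedPool: allocate and touch them only at IRQL < DISPATCH_LEVEL.`, or let the caller pick the pool explicitly rather than inferring it from the size. The rest of malloc() and the matching free path are outside this hunk, so whether the release side already copes with both pools (ExFreePoolWithTag does) cannot be checked here.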
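Review bot: Both new typedefs declare their information-class parameter as a plain `int` (`_In_ int MemoryInformationClass`, `_In_ int SystemInformationClass`), which accepts any integer and drops the type the kernel uses for these arguments; if the headers this CRT builds against define them, `MEMORY_INFORMATION_CLASS` and `SYSTEM_INFORMATION_CLASS` would be the expected types, and the wrapper declarations added later in this commit should then use the same. If the enums are deliberately avoided to keep the wrapper header-independent, a one-line comment on the typedefs saying so would stop the next reader from "fixing" it.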
@@ -27,6 +31,20 @@ int __cdecl ntdll_zw_functions (void)
 DbgPrint("%s\n", "System routine ZwTraceEvent not found.");
 retval++;
 }
+ RtlInitUnicodeString(&fnName, L"ZwQueryVirtualMemory");
+ _ZwQueryVirtualMemory = MmGetSystemRoutineAddress(&fnName);
+ if (_ZwQueryVirtualMemory == NULL)
+ {
+ DbgPrint("%s\n", "System routine ZwQueryVirtualMemory not found.");
+ retval++;
+ }
+ RtlInitUnicodeString(&fnName, L"ZwQuerySystemInformation");
+ _ZwQuerySystemInformation = MmGetSystemRoutineAddress(&fnName);
+ if (_ZwQuerySystemInformation == NULL)
+ {
+ DbgPrint("%s\n", "System routine ZwQuerySystemInformation not found.");
+ retval++;
+ }
 return retval;
 }
@@ -47,3 +65,19 @@ NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULO
 return _ZwTraceEvent (TraceHandle, Flags, FieldSize, Fields);
 }
+
+NTSTATUS NTAPI ZwQueryVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength)
+{
+ if (_ZwQueryVirtualMemory == NULL)
+ return STATUS_PROCEDURE_NOT_FOUND;
+
+ return _ZwQueryVirtualMemory (ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
+}
+
+NTSTATUS NTAPI ZwQuerySystemInformation (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength)
+{
+ if (_ZwQuerySystemInformation == NULL)
+ return STATUS_PROCEDURE_NOT_FOUND;
+
+ return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
+}
diff --git a/CRT/ntdll_zw_functions.txt b/CRT/ntdll_zw_functions.txt
index 2581487..e5f96d1 100644
--- a/CRT/ntdll_zw_functions.txt
+++ b/CRT/ntdll_zw_functions.txt
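Review bot: The two added lookup blocks are a third and fourth copy of the same seven-line sequence (RtlInitUnicodeString, MmGetSystemRoutineAddress, NULL check, DbgPrint, retval++), and every future Zw import will copy it again; a small static helper keeps the name, the log message and the failure count in one place. ntdll_zw_functions starts before this hunk, so the declaration of fnName and the earlier two lookups are not visible here; the helper below assumes nothing about them beyond what the new lines use. MmGetSystemRoutineAddress is PASSIVE_LEVEL-only anyway, so the `%ws` conversion in the helper's DbgPrint is safe at the same IRQL.
```c
/* Resolve one exported kernel routine by name. Logs and bumps *missing when the
 * export is absent so the caller can keep its failure count. PASSIVE_LEVEL only. */
static PVOID resolve_zw_routine(PCWSTR name, int * missing)
{
    UNICODE_STRING fnName;
    PVOID fn;

    RtlInitUnicodeString(&fnName, name);
    fn = MmGetSystemRoutineAddress(&fnName);
    if (fn == NULL)
    {
        DbgPrint("System routine %ws not found.\n", name);
        (*missing)++;
    }
    return fn;
}

/* … unchanged: start of ntdll_zw_functions and the ZwTraceControl / ZwTraceEvent lookups … */
    _ZwQueryVirtualMemory = resolve_zw_routine(L"ZwQueryVirtualMemory", &retval);
    _ZwQuerySystemInformation = resolve_zw_routine(L"ZwQuerySystemInformation", &retval);
    return retval;
```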
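Review bot: The two new wrappers forward ProcessHandle, BaseAddress and the output buffers straight to the Zw* entry points, and a Zw* call executes with previous mode set to KernelMode, so nothing on this path probes the buffers or checks the handle's access rights; a driver that ever routes values from an IOCTL or other user-mode source through these wrappers hands user mode an unvalidated kernel-mode query of arbitrary process memory. Nothing in the hunk does that today, but the contract is not written down anywhere, so add it above each wrapper, e.g. `/* Runs with previous mode = KernelMode: ProcessHandle and the buffers are neither probed nor access-checked. Never pass through pointers or handles received from user mode; capture and validate them first. */`. The same note belongs on the existing ZwTraceControl wrapper, which lies outside this hunk.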
@@ -1,2 +1,4 @@
 NTSYSCALLAPI NTSTATUS NTAPI ZwTraceControl (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength)
 NTSYSCALLAPI NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields)
+NTSYSCALLAPI NTSTATUS NTAPI ZwQueryVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength);
+NTSYSCALLAPI NTSTATUS NTAPI ZwQuerySystemInformation(_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
diff --git a/examples/dpp-example-cplusplus.cpp b/examples/dpp-example-cplusplus.cpp
index dd4fa8f..fd07133 100644
--- a/examples/dpp-example-cplusplus.cpp
+++ b/examples/dpp-example-cplusplus.cpp
@@ -22,6 +22,9 @@ public:
 const auto & eastl_to_string = eastl::to_string(0xDEADC0DE);
 DbgPrint("Using eastl::to_string should return a warning: %s\n", eastl_to_string.c_str());
+ eastl::wstring eastl_unicode = L"test_eastl_unicode_string";
+ DbgPrint("eastl::wstring: %S\n", eastl_unicode.c_str());
+
 wchar_t test_unicode_str[] = L"test_unicode_string";
 unsigned short test_unicode_strlen = sizeof(test_unicode_str);
 const auto & eastl_from_unicode = ::from_unicode(test_unicode_str, test_unicode_strlen); |
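Review bot: The two added lines in ntdll_zw_functions.txt end with `;` and have no space before the parameter list, while the two existing entries have neither the semicolon nor that spacing; if this file is consumed by a generator or script that splits on the parenthesis or expects no terminator, the new entries will be parsed differently from the old ones. Make the four lines uniform, dropping the trailing `;` from `...PSIZE_T ReturnLength);` and `...PULONG ReturnLength);` to match the existing style, unless the consumer is known to tolerate both. What reads this file is not visible in the commit, so this is worth a quick check rather than a blind edit.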