Diffstat (limited to 'CRT')
-rwxr-xr-x | CRT/gen_wrapper.sh | 54 | ||||
-rw-r--r-- | CRT/ntdll_zw_functions.c | 90 | ||||
-rw-r--r-- | CRT/ntdll_zw_functions.txt | 9 |
3 files changed, 138 insertions, 15 deletions
diff --git a/CRT/gen_wrapper.sh b/CRT/gen_wrapper.sh index 4e26162..35e0d43 100755 --- a/CRT/gen_wrapper.sh +++ b/CRT/gen_wrapper.sh @@ -9,6 +9,14 @@ CURLINE=0 while read -r line; do CURLINE=$(expr ${CURLINE} + 1) VALID=1 + SYMBOL_EXISTS=0 + + if [ -z "${line}" ]; then + continue + fi + if [ $(printf '%s\n' "${line}" | grep -oE '^#*') ]; then + continue + fi rtype=$(printf '%s\n' "${line}" | grep -oE '(NTSTATUS NTAPI|VOID NTAPI|PVOID NTAPI)') if [ -z "${rtype}" ]; then @@ -16,11 +24,18 @@ while read -r line; do VALID=0 fi - fnname=$(printf '%s\n' "${line}" | grep -oE '(Zw|Rtl|Ob|Mm|Io)[^ (]*') + fnname=$(printf '%s\n' "${line}" | grep -oE '(_|)(Zw|Rtl|Ob[^j]|Mm|Io)[^ (]*') if [ -z "${fnname}" ]; then printf '%s\n' "Line ${CURLINE}: Missing function name." >&2 VALID=0 fi + if [ $(printf '%s\n' "${fnname}" | wc -l) -ne 1 ]; then + printf '%s\n' "Invalid function name '${fnname}'." >&2 + VALID=0 + fi + if [ $(printf '%s\n' "${fnname}" | grep -oE '^_*') ]; then + SYMBOL_EXISTS=1 + fi fnsig=$(printf '%s\n' "${line}" | grep -oE '\([^;]*') if [ -z "${fnsig}" ]; then 
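Review bot: The two new skip checks rely on an unquoted command substitution inside `[ ... ]` plus a `printf | grep` pipeline per input line, which is fragile and slow for what is a prefix test; a single `case` gives the same behaviour with no subprocess: `case "${line}" in ''|'#'*) continue ;; esac`. Because `CURLINE` is incremented before the `continue`, skipped lines still count toward the line numbers in later diagnostics, which is what you want for the "Line N:" messages but deserves a short comment, e.g. `# CURLINE counts every input line, including skipped ones, so diagnostics match the file`. The enclosing `while read -r line` loop begins before this hunk.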
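Review bot: The new "Invalid function name" diagnostic omits the `Line ${CURLINE}:` prefix that the adjacent "Missing function name." message (and the other messages in this loop) carry, so a line with several matches is reported without a location; suggest `printf '%s\n' "Line ${CURLINE}: Invalid function name '${fnname}'." >&2`. The `SYMBOL_EXISTS` detection can likewise drop the grep pipeline and the unquoted `[ $(...) ]`: `case "${fnname}" in _*) SYMBOL_EXISTS=1 ;; esac`. The regex change to `Ob[^j]` appears intended to stop `ObjectAttributes` in a parameter list from being picked up as a second function name, which the new `wc -l` check would otherwise reject — a one-line comment on the regex saying so would spare the next reader re-deriving it.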
@@ -53,22 +68,29 @@ while read -r line; do fi if [ ${VALID} -eq 1 ]; then - TYPEDEFS="${TYPEDEFS}\ntypedef ${rtype} (*${fnname}_t) ${fnsig};" - STATICS="${STATICS}\nstatic ${fnname}_t _${fnname} = NULL;" + TYPE="${fnname}_t" + VAR="_${fnname}" + TYPEDEFS="${TYPEDEFS}\ntypedef ${rtype} (*${TYPE}) ${fnsig};" + STATICS="${STATICS}\nstatic ${TYPE} ${VAR} = NULL;" + if [ ${SYMBOL_EXISTS} -eq 1 ]; then + fnname_str=$(printf '%s\n' "${fnname}" | sed 's/^\(.\)\{1\}//g') + else + fnname_str="${fnname}" + fi INITS=$(cat <<EOF ${INITS} #ifdef __cplusplus - RtlInitUnicodeString(&fnName, skCrypt(L"${fnname}")); + RtlInitUnicodeString(&fnName, skCrypt(L"${fnname_str}")); #else - RtlInitUnicodeString(&fnName, L"${fnname}"); + RtlInitUnicodeString(&fnName, L"${fnname_str}"); #endif - _${fnname} = (${fnname}_t)MmGetSystemRoutineAddress(&fnName); - if (_${fnname} == NULL) + ${VAR} = (${TYPE})MmGetSystemRoutineAddress(&fnName); + if (${VAR} == NULL) { #ifdef __cplusplus - DbgPrint(skCrypt("%s\\\n"), skCrypt("System routine ${fnname} not found.")); + DbgPrint(skCrypt("%s\\\n"), skCrypt("System routine ${fnname_str} not found.")); #else - DbgPrint("%s\\\n", "System routine ${fnname} not found."); + DbgPrint("%s\\\n", "System routine ${fnname_str} not found."); #endif retval++; } @@ -85,15 +107,15 @@ EOF NTSTATUS*) WRAPPERS=$(cat <<EOF ${WRAPPERS} - if (_${fnname} == NULL) + if (${VAR} == NULL) return STATUS_PROCEDURE_NOT_FOUND; - return _${fnname} (${params}); + return ${VAR} (${params}); } -${rtype} Wrapper${fnname} ${fnsig} +${rtype} Wrapper${fnname_str} ${fnsig} { - return _${fnname} (${params}); + return ${VAR} (${params}); } EOF ) @@ -101,12 +123,12 @@ EOF PVOID*) WRAPPERS=$(cat <<EOF ${WRAPPERS} - return _${fnname} (${params}); + return ${VAR} (${params}); } ${rtype} Wrapper${fnname} ${fnsig} { - return _${fnname} (${params}); + return ${VAR} (${params}); } EOF ) @@ -148,3 +170,5 @@ cat <<EOF }; #endif EOF + +printf '%s lines parsed\n' "${CURLINE}" >&2 
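Review bot: `fnname_str=$(printf '%s\n' "${fnname}" | sed 's/^\(.\)\{1\}//g')` strips the first character through a subprocess, where the POSIX parameter expansion `fnname_str="${fnname#_}"` states exactly what is meant and is a no-op when there is no prefix, so the surrounding `if ${SYMBOL_EXISTS}`/`else` becomes unnecessary. Separately, for a `_`-prefixed entry this hunk generates `VAR="__ZwCreateFile"`, `TYPE="_ZwCreateFile_t"` and an output function named `_ZwCreateFile`; identifiers beginning with two underscores, or with an underscore followed by an uppercase letter, are reserved for the implementation in C (C11 7.1.3), so a scheme such as `VAR="p${fnname_str}"` or a lowercase `zw_` prefix would avoid the reserved namespace. The same generated names appear in the ntdll_zw_functions.c hunks of this commit.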
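Review bot: The NTSTATUS branch now emits `Wrapper${fnname_str}` as the entry point that, per the new ntdll_zw_functions.txt comment, is the only one meant to be called for `_`-prefixed symbols, yet that wrapper still does `return ${VAR} (${params});` with no NULL check, while the guarded `STATUS_PROCEDURE_NOT_FOUND` path lives only in the `${fnname}` function callers are told not to use. In the generated ntdll_zw_functions.c this shows up as `WrapperZwCreateFile` calling through `__ZwCreateFile` even after `ntdll_zw_functions()` has reported it missing. Suggest emitting the guard in the wrapper as well, `if (${VAR} == NULL) return STATUS_PROCEDURE_NOT_FOUND;`, or having the wrapper call the guarded `${fnname} (${params})`. The `case` on `${rtype}` that encloses this heredoc starts before and ends after the hunk.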
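Review bot: The PVOID branch was not updated to use `fnname_str`: it still emits `${rtype} Wrapper${fnname} ${fnsig}`, so a `_`-prefixed PVOID entry would produce `Wrapper_Foo` rather than `WrapperFoo`, inconsistent with the NTSTATUS branch in the previous hunk; change it to `${rtype} Wrapper${fnname_str} ${fnsig}`. The VOID branch is outside the diff and presumably needs the same change — worth checking. This wrapper likewise returns `${VAR} (${params})` unguarded, so a PVOID wrapper calls through NULL when resolution failed; a `if (${VAR} == NULL) return NULL;` guard would parallel the NTSTATUS handling.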
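Review bot: `printf '%s lines parsed\n' "${CURLINE}"` reports a counter that was also incremented for the blank and `#` lines the loop skips, so the number is lines read, not entries parsed. Either reword it to `'%s lines read\n'` or keep a separate counter bumped only when `VALID` is 1 and print that instead.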
diff --git a/CRT/ntdll_zw_functions.c b/CRT/ntdll_zw_functions.c index 7fac930..312440c 100644 --- a/CRT/ntdll_zw_functions.c +++ b/CRT/ntdll_zw_functions.c @@ -18,6 +18,9 @@ typedef NTSTATUS NTAPI (*ZwTraceEvent_t) (_In_ HANDLE TraceHandle, _In_ ULONG Fl typedef NTSTATUS NTAPI (*ZwQueryVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength); typedef NTSTATUS NTAPI (*ZwProtectVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PSIZE_T NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection); typedef NTSTATUS NTAPI (*ZwQuerySystemInformation_t) (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength); +typedef NTSTATUS NTAPI (*_ZwCreateFile_t) (_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ PVOID EaBuffer, _In_ ULONG EaLength); +typedef NTSTATUS NTAPI (*_ZwClose_t) (_In_ HANDLE Handle); +typedef NTSTATUS NTAPI (*_ZwWriteFile_t) (_In_ HANDLE FileHandle, _In_ HANDLE Event, _In_ PIO_APC_ROUTINE ApcRoutine, _In_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PVOID Buffer, _In_ ULONG Length, _In_ PLARGE_INTEGER ByteOffset, _In_ PULONG Key); static MmMapIoSpaceEx_t _MmMapIoSpaceEx = NULL; static ObOpenObjectByPointer_t _ObOpenObjectByPointer = NULL; 
@@ -29,6 +32,9 @@ static ZwTraceEvent_t _ZwTraceEvent = NULL; static ZwQueryVirtualMemory_t _ZwQueryVirtualMemory = NULL; static ZwProtectVirtualMemory_t _ZwProtectVirtualMemory = NULL; static ZwQuerySystemInformation_t _ZwQuerySystemInformation = NULL; +static _ZwCreateFile_t __ZwCreateFile = NULL; +static _ZwClose_t __ZwClose = NULL; +static _ZwWriteFile_t __ZwWriteFile = NULL; int __cdecl ntdll_zw_functions (void) { @@ -185,6 +191,51 @@ int __cdecl ntdll_zw_functions (void) #endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwCreateFile")); +#else + RtlInitUnicodeString(&fnName, L"ZwCreateFile"); +#endif + __ZwCreateFile = (_ZwCreateFile_t)MmGetSystemRoutineAddress(&fnName); + if (__ZwCreateFile == NULL) + { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwCreateFile not found.")); +#else + DbgPrint("%s\n", "System routine ZwCreateFile not found."); +#endif + retval++; + } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwClose")); +#else + RtlInitUnicodeString(&fnName, L"ZwClose"); +#endif + __ZwClose = (_ZwClose_t)MmGetSystemRoutineAddress(&fnName); + if (__ZwClose == NULL) + { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwClose not found.")); +#else + DbgPrint("%s\n", "System routine ZwClose not found."); +#endif + retval++; + } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwWriteFile")); +#else + RtlInitUnicodeString(&fnName, L"ZwWriteFile"); +#endif + __ZwWriteFile = (_ZwWriteFile_t)MmGetSystemRoutineAddress(&fnName); + if (__ZwWriteFile == NULL) + { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwWriteFile not found.")); +#else + DbgPrint("%s\n", "System routine ZwWriteFile not found."); +#endif + retval++; + } return retval; } 
@@ -314,6 +365,45 @@ NTSTATUS NTAPI WrapperZwQuerySystemInformation (_In_ int SystemInformationClass, return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength); } +NTSTATUS NTAPI _ZwCreateFile (_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ PVOID EaBuffer, _In_ ULONG EaLength) +{ + if (__ZwCreateFile == NULL) + return STATUS_PROCEDURE_NOT_FOUND; + + return __ZwCreateFile (FileHandle, DesiredAccess, ObjectAttributes, StatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); +} + +NTSTATUS NTAPI WrapperZwCreateFile (_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ PVOID EaBuffer, _In_ ULONG EaLength) +{ + return __ZwCreateFile (FileHandle, DesiredAccess, ObjectAttributes, StatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); +} + +NTSTATUS NTAPI _ZwClose (_In_ HANDLE Handle) +{ + if (__ZwClose == NULL) + return STATUS_PROCEDURE_NOT_FOUND; + + return __ZwClose (Handle); +} + +NTSTATUS NTAPI WrapperZwClose (_In_ HANDLE Handle) +{ + return __ZwClose (Handle); +} + +NTSTATUS NTAPI _ZwWriteFile (_In_ HANDLE FileHandle, _In_ HANDLE Event, _In_ PIO_APC_ROUTINE ApcRoutine, _In_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PVOID Buffer, _In_ ULONG Length, _In_ PLARGE_INTEGER ByteOffset, _In_ PULONG Key) +{ + if (__ZwWriteFile == NULL) + return STATUS_PROCEDURE_NOT_FOUND; + + return __ZwWriteFile (FileHandle, Event, ApcRoutine, 
ApcContext, StatusBlock, Buffer, Length, ByteOffset, Key); +} + +NTSTATUS NTAPI WrapperZwWriteFile (_In_ HANDLE FileHandle, _In_ HANDLE Event, _In_ PIO_APC_ROUTINE ApcRoutine, _In_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PVOID Buffer, _In_ ULONG Length, _In_ PLARGE_INTEGER ByteOffset, _In_ PULONG Key) +{ + return __ZwWriteFile (FileHandle, Event, ApcRoutine, ApcContext, StatusBlock, Buffer, Length, ByteOffset, Key); +} + #ifdef __cplusplus }; #endif diff --git a/CRT/ntdll_zw_functions.txt b/CRT/ntdll_zw_functions.txt index 76a9106..2cb1964 100644 --- a/CRT/ntdll_zw_functions.txt +++ b/CRT/ntdll_zw_functions.txt @@ -1,3 +1,7 @@ +# Some functions that get resolved at runtime +# They can always be called prefixed with "Wrapper" i.e. MmCopyMemory(...) becomes WrapperMmCopyMemory(...) +# If not prefixed with '_', MmCopyMemory(...) should also work + PVOID NTAPI MmMapIoSpaceEx(_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect); NTSTATUS NTAPI ObOpenObjectByPointer (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle); NTSTATUS NTAPI MmCopyMemory (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred); 
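Review bot: The new header comments explain the call conventions but not the input-format constraints the generator enforces: a line is treated as a comment only when `#` is its first character (the script tests `^#*` against the raw line), the return type must be one of `NTSTATUS NTAPI`, `VOID NTAPI` or `PVOID NTAPI`, and each prototype must contain exactly one identifier starting with an optional `_` followed by `Zw`, `Rtl`, `Ob`, `Mm` or `Io`, otherwise the line is rejected with a "Missing ..." or "Invalid function name" diagnostic. Suggest adding a line such as `# Format: one prototype per line; '#' must be in column 1 for a comment; return type must be NTSTATUS/VOID/PVOID NTAPI` so that an indented comment is not parsed as a prototype and reported with a misleading error.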
@@ -8,3 +12,8 @@ NTSYSCALLAPI NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Fl NTSYSCALLAPI NTSTATUS NTAPI ZwQueryVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength); NTSYSAPI NTSTATUS NTAPI ZwProtectVirtualMemory(_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PSIZE_T NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection); NTSYSCALLAPI NTSTATUS NTAPI ZwQuerySystemInformation(_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength); + +# Prefixed with a '_', the resulting function should only get called as "Wrapper" i.e. _ZwClose(...) will become WrapperZwClose(...) +NTSYSAPI NTSTATUS NTAPI _ZwCreateFile(_Out_ PHANDLE FileHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PLARGE_INTEGER AllocationSize, _In_ ULONG FileAttributes, _In_ ULONG ShareAccess, _In_ ULONG CreateDisposition, _In_ ULONG CreateOptions, _In_ PVOID EaBuffer, _In_ ULONG EaLength); +NTSYSAPI NTSTATUS NTAPI _ZwClose(_In_ HANDLE Handle); +NTSYSAPI NTSTATUS NTAPI _ZwWriteFile(_In_ HANDLE FileHandle, _In_ HANDLE Event, _In_ PIO_APC_ROUTINE ApcRoutine, _In_ PVOID ApcContext, _Out_ PIO_STATUS_BLOCK StatusBlock, _In_ PVOID Buffer, _In_ ULONG Length, _In_ PLARGE_INTEGER ByteOffset, _In_ PULONG Key); |