From a6d87015eb69fbdb18266cc5c59309140d942667 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Tue, 26 Sep 2023 23:08:51 +0200
Subject: Added ZwQueryVirtualMemory / ZwQuerySystemInformation to Zw wrapper.

* ExAllocatePoolWithTag allocates paged memory if size is greater than page size

Signed-off-by: Toni Uhlig
---
 CRT/kcrt.c | 2 +-
 CRT/ntdll_zw_functions.c | 34 ++++++++++++++++++++++++++++++++++
 CRT/ntdll_zw_functions.txt | 2 ++
 3 files changed, 37 insertions(+), 1 deletion(-)

(limited to 'CRT')

diff --git a/CRT/kcrt.c b/CRT/kcrt.c
index 7bc2637..c534ae3 100644
--- a/CRT/kcrt.c
+++ b/CRT/kcrt.c
@@ -100,7 +100,7 @@ void * __cdecl malloc(size_t size)
 PMALLOC_HEADER mhdr = NULL;
 const size_t new_size = size + sizeof(MALLOC_HEADER);
- mhdr = (PMALLOC_HEADER)ExAllocatePoolWithTag(NonPagedPool, new_size, KCRT_POOL_DEFAULT_TAG);
+ mhdr = (PMALLOC_HEADER)ExAllocatePoolWithTag(new_size > PAGE_SIZE ? PagedPool : NonPagedPool, new_size, KCRT_POOL_DEFAULT_TAG);
 if (mhdr)
 {
 RtlZeroMemory(mhdr, new_size);
diff --git a/CRT/ntdll_zw_functions.c b/CRT/ntdll_zw_functions.c
index d2df299..bdad460 100644
--- a/CRT/ntdll_zw_functions.c
+++ b/CRT/ntdll_zw_functions.c
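Review bot: The pool type is now chosen by request size, so a malloc() caller running at IRQL >= DISPATCH_LEVEL that asks for more than PAGE_SIZE silently gets a PagedPool allocation, which must not be allocated or touched at that IRQL; the previous NonPagedPool choice was IRQL-agnostic, and nothing in the hunk records or documents the new rule. Either keep the pool type explicit (a separate paged variant of the allocator rather than a size heuristic) or at least add `NT_ASSERT(new_size <= PAGE_SIZE || KeGetCurrentIrql() < DISPATCH_LEVEL);` with a comment above the call stating that allocations larger than a page are pageable and may not be requested at elevated IRQL. The context line `new_size = size + sizeof(MALLOC_HEADER)` can wrap for a huge `size`, and the new comparison then sees the wrapped value; a check such as `if (size > SIZE_MAX - sizeof(MALLOC_HEADER)) return NULL;` before the allocation closes that. Buffers above a page can now be written to the pagefile, which callers keeping key material in malloc'd memory should know. malloc's body continues outside the hunk.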
@@ -4,9 +4,13 @@
 typedef NTSTATUS NTAPI (*ZwTraceControl_t) (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength);
 typedef NTSTATUS NTAPI (*ZwTraceEvent_t) (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields);
+typedef NTSTATUS NTAPI (*ZwQueryVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength);
+typedef NTSTATUS NTAPI (*ZwQuerySystemInformation_t) (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
 static ZwTraceControl_t _ZwTraceControl = NULL;
 static ZwTraceEvent_t _ZwTraceEvent = NULL;
+static ZwQueryVirtualMemory_t _ZwQueryVirtualMemory = NULL;
+static ZwQuerySystemInformation_t _ZwQuerySystemInformation = NULL;
 int __cdecl ntdll_zw_functions (void)
 {
@@ -27,6 +31,20 @@ int __cdecl ntdll_zw_functions (void)
 DbgPrint("%s\n", "System routine ZwTraceEvent not found.");
 retval++;
 }
+ RtlInitUnicodeString(&fnName, L"ZwQueryVirtualMemory");
+ _ZwQueryVirtualMemory = MmGetSystemRoutineAddress(&fnName);
+ if (_ZwQueryVirtualMemory == NULL)
+ {
+ DbgPrint("%s\n", "System routine ZwQueryVirtualMemory not found.");
+ retval++;
+ }
+ RtlInitUnicodeString(&fnName, L"ZwQuerySystemInformation");
+ _ZwQuerySystemInformation = MmGetSystemRoutineAddress(&fnName);
+ if (_ZwQuerySystemInformation == NULL)
+ {
+ DbgPrint("%s\n", "System routine ZwQuerySystemInformation not found.");
+ retval++;
+ }
 return retval;
 }
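Review bot: The two new typedefs take the information class as a plain `int` and annotate the output buffers as bare `_Out_ PVOID` / `_Inout_ PVOID` with a separate length, so neither the compiler nor SAL can relate the buffer to its length or catch a wrong class value at the call site. If the enum types are deliberately avoided because the kernel headers do not declare them for this target, say so in a one-line comment above the typedefs (`/* int instead of MEMORY_INFORMATION_CLASS / SYSTEM_INFORMATION_CLASS: not declared in the kernel headers used here */`), and annotate the buffers as `_Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation` and `_Inout_updates_bytes_(SystemInformationLength) PVOID SystemInformation`. As far as I recall the ntifs.h prototype of ZwQueryVirtualMemory marks ReturnLength `_Out_opt_`; if that is right, the `_Out_` here would make analysis reject a NULL that the kernel accepts, so worth checking against the header. The same annotations apply to the wrapper definitions in the `@@ -47,3` hunk.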
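Review bot: The two added lookup blocks are the third and fourth verbatim copies of the same seven-line pattern (init string, MmGetSystemRoutineAddress, NULL check, DbgPrint, retval++), and each copy spells the routine name twice, once in the `L"..."` literal and once in the message, which is how the next addition ends up with a mismatched message. A small file-static helper that resolves one routine by name and counts the miss keeps each addition to one line, e.g. `_ZwQueryVirtualMemory = lookup_zw_routine(L"ZwQueryVirtualMemory", &retval);`. The body of ntdll_zw_functions, including the `fnName` and `retval` declarations the hunk relies on, starts outside the hunk.

```c
/* Resolve one exported kernel routine by name; on a miss, log it and bump *missing. */
static PVOID lookup_zw_routine(PCWSTR name, int *missing)
{
    UNICODE_STRING fnName;
    PVOID routine;

    RtlInitUnicodeString(&fnName, name);
    routine = MmGetSystemRoutineAddress(&fnName);
    if (routine == NULL)
    {
        DbgPrint("System routine %wZ not found.\n", &fnName);
        (*missing)++;
    }
    return routine;
}

/* … unchanged: ntdll_zw_functions prologue and ZwTraceControl / ZwTraceEvent lookups … */
    _ZwQueryVirtualMemory = lookup_zw_routine(L"ZwQueryVirtualMemory", &retval);
    _ZwQuerySystemInformation = lookup_zw_routine(L"ZwQuerySystemInformation", &retval);
    return retval;
```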
@@ -47,3 +65,19 @@ NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULO
 return _ZwTraceEvent (TraceHandle, Flags, FieldSize, Fields);
 }
+
+NTSTATUS NTAPI ZwQueryVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength)
+{
+ if (_ZwQueryVirtualMemory == NULL)
+ return STATUS_PROCEDURE_NOT_FOUND;
+
+ return _ZwQueryVirtualMemory (ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
+}
+
+NTSTATUS NTAPI ZwQuerySystemInformation (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength)
+{
+ if (_ZwQuerySystemInformation == NULL)
+ return STATUS_PROCEDURE_NOT_FOUND;
+
+ return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
+}
diff --git a/CRT/ntdll_zw_functions.txt b/CRT/ntdll_zw_functions.txt
index 2581487..e5f96d1 100644
--- a/CRT/ntdll_zw_functions.txt
+++ b/CRT/ntdll_zw_functions.txt
@@ -1,2 +1,4 @@
 NTSYSCALLAPI NTSTATUS NTAPI ZwTraceControl (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength)
 NTSYSCALLAPI NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields)
+NTSYSCALLAPI NTSTATUS NTAPI ZwQueryVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength);
+NTSYSCALLAPI NTSTATUS NTAPI ZwQuerySystemInformation(_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
-- 
cgit v1.2.3
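Review bot: The two new wrappers forward their arguments unchanged but carry no documentation of the two contracts a caller must know: they return STATUS_PROCEDURE_NOT_FOUND until ntdll_zw_functions() has resolved the routine (and keep doing so if that lookup failed), and, being Zw* entry points called from kernel mode, the underlying routine runs with a kernel previous mode, so handles and buffers are not probed or validated, which means only kernel-mode pointers and handles may ever be passed through them. I would put a short header comment above each definition, e.g. `/* Thin forwarder to the resolved ZwQueryVirtualMemory. PreviousMode is KernelMode: buffers and handles are not probed, pass kernel-mode addresses only. Returns STATUS_PROCEDURE_NOT_FOUND until ntdll_zw_functions() has run. */`, and the equivalent above ZwQuerySystemInformation. The hunk also leaves `_Out_ PVOID MemoryInformation` without a `_Out_writes_bytes_(MemoryInformationLength)` annotation, so SAL cannot check the caller's buffer against the length it passes.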
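Review bot: The two added entries in ntdll_zw_functions.txt end with a `;` while the two existing entries do not, and the new ones also drop the space before `(` that the existing ones use. If this file feeds a generator (the .c in this commit suggests it), the trailing `;` is either emitted into generated output or silently tolerated, and either way the four lines should follow one format; I would write them as `NTSYSCALLAPI NTSTATUS NTAPI ZwQueryVirtualMemory (…)` and `NTSYSCALLAPI NTSTATUS NTAPI ZwQuerySystemInformation (…)` without the semicolon, matching the first two lines.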