From 45c5c880c7be81b186a033253075c951553f9e30 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Sat, 23 Dec 2023 14:38:40 +0100
Subject: Added basic CXX string obfuscation via constexpr.

* obfuscate functions names retrieved via MmGetSystemRoutineAddress
* add two new static libs: libcnative (C-only) and libcxxnative (CXX-only)

Signed-off-by: Toni Uhlig
---
 examples/dpp-example.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

(limited to 'examples/dpp-example.c')

diff --git a/examples/dpp-example.c b/examples/dpp-example.c
index 625cbde..cc32009 100644
--- a/examples/dpp-example.c
+++ b/examples/dpp-example.c
@@ -10,6 +10,14 @@ extern NTSTATUS NTAPI ZwProtectVirtualMemory(_In_ HANDLE ProcessHandle,
 _In_ _Out_ PULONG NumberOfBytesToProtect,
 _In_ ULONG NewAccessProtection,
 _Out_ PULONG OldAccessProtection);
+extern NTSTATUS NTAPI ZwQuerySystemInformation(_In_ int SystemInformationClass,
+ _Inout_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength);
+extern NTSTATUS NTAPI WrapperZwQuerySystemInformation(_In_ int SystemInformationClass,
+ _Inout_ PVOID SystemInformation,
+ _In_ ULONG SystemInformationLength,
+ _Out_opt_ PULONG ReturnLength);
 
 int example_exception_handler(_In_ EXCEPTION_POINTERS * lpEP)
 {
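Review bot: Both added prototypes type the first parameter as `_In_ int SystemInformationClass`, whereas the native routine takes `SYSTEM_INFORMATION_CLASS`; if a header that declares `ZwQuerySystemInformation` is ever included alongside this file the conflicting declaration becomes a compile error, and callers lose the enum's type checking in the meantime. Prefer `_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass` where that type is in scope, or a comment stating that the declaration is deliberately hand-rolled to avoid pulling in the SDK header. `WrapperZwQuerySystemInformation` also arrives without a comment saying where it is defined or how it differs from the direct call; from the commit message it presumably resolves the routine at run time via MmGetSystemRoutineAddress from an obfuscated name, so a line above it such as `/* Defined in libcxxnative: resolves ZwQuerySystemInformation at run time through MmGetSystemRoutineAddress using an obfuscated name. */` would tell the reader which call in zw_test() exercises the obfuscated path — confirm against the wrapper's definition before adding it.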
@@ -32,6 +40,25 @@ static void another_seh_test()
 __dpptryend(anotherseh);
 }
 
+static void zw_test()
+{
+ NTSTATUS ret;
+ ULONG memoryNeeded = 0;
+
+ ret = ZwQuerySystemInformation(0x5, NULL, 0, &memoryNeeded);
+ if (ret != STATUS_INFO_LENGTH_MISMATCH || !memoryNeeded)
+ {
+ DbgPrint("ZwQuerySystemInformation failed with 0x%lX (memory needed: %lu)\n", ret, memoryNeeded);
+ }
+
+ memoryNeeded = 0;
+ ret = WrapperZwQuerySystemInformation(0x5, NULL, 0, &memoryNeeded);
+ if (ret != STATUS_INFO_LENGTH_MISMATCH || !memoryNeeded)
+ {
+ DbgPrint("ZwQuerySystemInformation failed 0x%lX (memory needed: %lu)\n", ret, memoryNeeded);
+ }
+}
+
 NTSTATUS DriverEntry(struct _DRIVER_OBJECT * DriverObject, PUNICODE_STRING RegistryPath)
 {
 (void)DriverObject;
@@ -52,6 +79,7 @@ NTSTATUS DriverEntry(struct _DRIVER_OBJECT * DriverObject, PUNICODE_STRING Regis
 __dpptryend(testseh);
 
 another_seh_test();
+ zw_test();
 
 DbgPrint("%s\n", "Disable/Enable Interrupts!");
 _disable();
-- 
cgit v1.2.3
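Review bot: The second DbgPrint in zw_test() reports the wrapper's failure under the wrong name: it prints `ZwQuerySystemInformation failed 0x%lX`, so in the debug log a failure of `WrapperZwQuerySystemInformation` is indistinguishable from a failure of the direct call, which defeats the point of probing both. Change it to `DbgPrint("WrapperZwQuerySystemInformation failed with 0x%lX (memory needed: %lu)\n", ret, memoryNeeded);`. The information class is passed as the bare literal `0x5` in both calls; naming it (`SystemProcessInformation` if a header in scope declares `SYSTEM_INFORMATION_CLASS`, otherwise a local enum constant with a comment) would say what is being queried. `static void zw_test()` is a non-prototype declaration in C11 and `static void zw_test(void)` is the prototype form, although the existing `another_seh_test()` in the hunk header follows the same old style, so this is only worth changing together with its siblings.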