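/* This file was auto generated by gen_wrapper.sh */
/*
 * Runtime-resolved forwarders for a fixed set of ntoskrnl routines.
 *
 * ntdll_zw_functions() looks each routine up by name through
 * MmGetSystemRoutineAddress() and stores the result in a file-local pointer;
 * the exported wrappers below forward to that pointer.  Because the lookup
 * happens at runtime, the driver image carries no import for these names and
 * a routine that is absent on the running kernel is reported instead of
 * failing the load.
 *
 * Notes for callers / reviewers:
 *  - Every wrapper is a thin forwarder.  Nothing here probes or validates
 *    addresses, sizes, handles or the KPROCESSOR_MODE arguments; any path
 *    that reaches these from an IOCTL must validate user-supplied input
 *    before calling them.
 *  - Several of the looked-up names (ZwQueryVirtualMemory,
 *    ZwProtectVirtualMemory, ZwQuerySystemInformation, MmCopyVirtualMemory,
 *    ZwTraceControl/ZwTraceEvent) are declared by hand below rather than
 *    taken from the DDK headers, and MmGetSystemRoutineAddress() only finds
 *    exported symbols.  Treat a non-zero return from ntdll_zw_functions()
 *    as "some wrappers are unusable" and check it before relying on them.
 *  - Each wrapper checks its resolved pointer for NULL and fails with
 *    STATUS_PROCEDURE_NOT_FOUND (or NULL for the PVOID-returning ones);
 *    forwarding through an unresolved pointer would be a NULL call in
 *    kernel mode, i.e. a bugcheck.
 *  - In a C++ build every string literal (routine names and DbgPrint text)
 *    goes through skCrypt() from obfuscate.hpp so the names do not appear
 *    as plain strings in the image.
 *  - The non-"Wrapper" definitions reuse the kernel's own export names.
 *    If the DDK header declares those names DECLSPEC_IMPORT the compiler
 *    will warn about inconsistent DLL linkage; presumably the generator
 *    relies on the local definition winning inside this TU -- TODO confirm
 *    against gen_wrapper.sh.
 */
#include <ntddk.h> /* NOTE(review): header name was lost in extraction (bare "#include" as published); ntddk.h / ntifs.h declare the types used below -- confirm against gen_wrapper.sh */

#ifdef __cplusplus
#define _KERNEL_MODE 1
#include "obfuscate.hpp"
/* C++ build: route every literal through skCrypt() (obfuscate.hpp). */
#define WRAP_STR(s) skCrypt(s)
extern "C" {
#else
/* C build: no string obfuscation is available; literals are used as-is. */
#define WRAP_STR(s) s
#endif

/* Pointer types for the resolved routines, in the canonical (NTAPI *x) form. */
typedef PVOID (NTAPI *MmMapIoSpaceEx_t)(
    _In_ PHYSICAL_ADDRESS PhysicalAddress,
    _In_ SIZE_T NumberOfBytes,
    _In_ ULONG Protect);

typedef NTSTATUS (NTAPI *ObOpenObjectByPointer_t)(
    _In_ PVOID obj,
    _In_ ULONG HandleAttributes,
    _In_ PACCESS_STATE PassedAccessState,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_TYPE objType,
    _In_ KPROCESSOR_MODE AccessMode,
    _Out_ PHANDLE Handle);

typedef NTSTATUS (NTAPI *MmCopyMemory_t)(
    _In_ PVOID TargetAddress,
    _In_ PVOID SourceAddress,
    _In_ SIZE_T NumberOfBytes,
    _In_ ULONG Flags,
    _Out_ PSIZE_T NumberOfBytesTransferred);

typedef NTSTATUS (NTAPI *MmCopyVirtualMemory_t)(
    _In_ PEPROCESS SourceProcess,
    _In_ PVOID SourceAddress,
    _In_ PEPROCESS TargetProcess,
    _In_ PVOID TargetAddress,
    _In_ SIZE_T BufferSize,
    _In_ KPROCESSOR_MODE PreviousMode,
    _Out_ PSIZE_T ReturnSize);

typedef PVOID (NTAPI *RtlLookupFunctionEntry_t)(
    _In_ DWORD64 ControlPc,
    _Out_ PDWORD64 ImageBase,
    _Out_ PVOID HistoryTable);

typedef NTSTATUS (NTAPI *ZwTraceControl_t)(
    _In_ ULONG FunctionCode,
    PVOID InBuffer,
    _In_ ULONG InBufferLen,
    PVOID OutBuffer,
    _In_ ULONG OutBufferLen,
    _Out_ PULONG ReturnLength);

typedef NTSTATUS (NTAPI *ZwTraceEvent_t)(
    _In_ HANDLE TraceHandle,
    _In_ ULONG Flags,
    _In_ ULONG FieldSize,
    _In_ PVOID Fields);

typedef NTSTATUS (NTAPI *ZwQueryVirtualMemory_t)(
    _In_ HANDLE ProcessHandle,
    _In_ PVOID BaseAddress,
    _In_ int MemoryInformationClass,
    _Out_ PVOID MemoryInformation,
    _In_ SIZE_T MemoryInformationLength,
    _Out_ PSIZE_T ReturnLength);

/* BaseAddress / NumberOfBytesToProtect are read and updated: _Inout_, not "_In_ _Out_". */
typedef NTSTATUS (NTAPI *ZwProtectVirtualMemory_t)(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID *BaseAddress,
    _Inout_ PSIZE_T NumberOfBytesToProtect,
    _In_ ULONG NewAccessProtection,
    _Out_ PULONG OldAccessProtection);

typedef NTSTATUS (NTAPI *ZwQuerySystemInformation_t)(
    _In_ int SystemInformationClass,
    _Inout_ PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength);

typedef NTSTATUS (NTAPI *_ZwCreateFile_t)(
    _Out_ PHANDLE FileHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _Out_ PIO_STATUS_BLOCK StatusBlock,
    _In_ PLARGE_INTEGER AllocationSize,
    _In_ ULONG FileAttributes,
    _In_ ULONG ShareAccess,
    _In_ ULONG CreateDisposition,
    _In_ ULONG CreateOptions,
    _In_ PVOID EaBuffer,
    _In_ ULONG EaLength);

typedef NTSTATUS (NTAPI *_ZwClose_t)(
    _In_ HANDLE Handle);

typedef NTSTATUS (NTAPI *_ZwWriteFile_t)(
    _In_ HANDLE FileHandle,
    _In_ HANDLE Event,
    _In_ PIO_APC_ROUTINE ApcRoutine,
    _In_ PVOID ApcContext,
    _Out_ PIO_STATUS_BLOCK StatusBlock,
    _In_ PVOID Buffer,
    _In_ ULONG Length,
    _In_ PLARGE_INTEGER ByteOffset,
    _In_ PULONG Key);

/*
 * Resolved entry points.  NULL until ntdll_zw_functions() has run, and NULL
 * afterwards for any routine the lookup did not find.  File-local, so they
 * are named without the leading underscore ("_X" / "__x" are reserved to
 * the implementation); the exported function names are unchanged.
 */
static MmMapIoSpaceEx_t           pfn_MmMapIoSpaceEx           = NULL;
static ObOpenObjectByPointer_t    pfn_ObOpenObjectByPointer    = NULL;
static MmCopyMemory_t             pfn_MmCopyMemory             = NULL;
static MmCopyVirtualMemory_t      pfn_MmCopyVirtualMemory      = NULL;
static RtlLookupFunctionEntry_t   pfn_RtlLookupFunctionEntry   = NULL;
static ZwTraceControl_t           pfn_ZwTraceControl           = NULL;
static ZwTraceEvent_t             pfn_ZwTraceEvent             = NULL;
static ZwQueryVirtualMemory_t     pfn_ZwQueryVirtualMemory     = NULL;
static ZwProtectVirtualMemory_t   pfn_ZwProtectVirtualMemory   = NULL;
static ZwQuerySystemInformation_t pfn_ZwQuerySystemInformation = NULL;
static _ZwCreateFile_t            pfn_ZwCreateFile             = NULL;
static _ZwClose_t                 pfn_ZwClose                  = NULL;
static _ZwWriteFile_t             pfn_ZwWriteFile              = NULL;

/*
 * Resolve every wrapped routine through MmGetSystemRoutineAddress().
 *
 * Returns the number of routines that could NOT be resolved; 0 means all of
 * them are available.  Each failure is logged once via DbgPrint with the
 * text "System routine <name> not found." -- note that this log line names
 * the routine in clear text, so on a machine with a kernel debugger or
 * DbgView attached the skCrypt() obfuscation of the names is moot.
 *
 * Not synchronised; presumably called once from DriverEntry before any
 * wrapper is used -- TODO confirm against the caller.
 */
int __cdecl ntdll_zw_functions(void)
{
    int missing = 0;
    UNICODE_STRING fnName;

/*
 * Look up one routine and store it in SLOT (cast to TYPE).  NAME is a narrow
 * string literal; the wide lookup name is produced by pasting L onto it.
 * Uses the locals fnName / missing of this function, so it is #undef'd at
 * the end.  Output text is identical to the previous unrolled code.
 */
#define RESOLVE_ROUTINE(slot, type, name)                                   \
    do {                                                                    \
        RtlInitUnicodeString(&fnName, WRAP_STR(L##name));                   \
        (slot) = (type)MmGetSystemRoutineAddress(&fnName);                  \
        if ((slot) == NULL) {                                               \
            DbgPrint(WRAP_STR("%s\n"),                                      \
                     WRAP_STR("System routine " name " not found."));       \
            missing++;                                                      \
        }                                                                   \
    } while (0)

    RESOLVE_ROUTINE(pfn_MmMapIoSpaceEx,           MmMapIoSpaceEx_t,           "MmMapIoSpaceEx");
    RESOLVE_ROUTINE(pfn_ObOpenObjectByPointer,    ObOpenObjectByPointer_t,    "ObOpenObjectByPointer");
    RESOLVE_ROUTINE(pfn_MmCopyMemory,             MmCopyMemory_t,             "MmCopyMemory");
    RESOLVE_ROUTINE(pfn_MmCopyVirtualMemory,      MmCopyVirtualMemory_t,      "MmCopyVirtualMemory");
    RESOLVE_ROUTINE(pfn_RtlLookupFunctionEntry,   RtlLookupFunctionEntry_t,   "RtlLookupFunctionEntry");
    RESOLVE_ROUTINE(pfn_ZwTraceControl,           ZwTraceControl_t,           "ZwTraceControl");
    RESOLVE_ROUTINE(pfn_ZwTraceEvent,             ZwTraceEvent_t,             "ZwTraceEvent");
    RESOLVE_ROUTINE(pfn_ZwQueryVirtualMemory,     ZwQueryVirtualMemory_t,     "ZwQueryVirtualMemory");
    RESOLVE_ROUTINE(pfn_ZwProtectVirtualMemory,   ZwProtectVirtualMemory_t,   "ZwProtectVirtualMemory");
    RESOLVE_ROUTINE(pfn_ZwQuerySystemInformation, ZwQuerySystemInformation_t, "ZwQuerySystemInformation");
    RESOLVE_ROUTINE(pfn_ZwCreateFile,             _ZwCreateFile_t,            "ZwCreateFile");
    RESOLVE_ROUTINE(pfn_ZwClose,                  _ZwClose_t,                 "ZwClose");
    RESOLVE_ROUTINE(pfn_ZwWriteFile,              _ZwWriteFile_t,             "ZwWriteFile");

#undef RESOLVE_ROUTINE

    return missing;
}

/*
 * Forwarders.  Each pair (X and WrapperX) is identical: both forward to the
 * resolved pointer and both fail cleanly when it is NULL.  PVOID-returning
 * routines report "not resolved" as NULL, NTSTATUS-returning ones as
 * STATUS_PROCEDURE_NOT_FOUND.  Arguments are passed through unchecked.
 */

/* Maps physical memory; NULL if MmMapIoSpaceEx was not resolved (or the kernel call returned NULL). */
PVOID NTAPI MmMapIoSpaceEx(_In_ PHYSICAL_ADDRESS PhysicalAddress,
                           _In_ SIZE_T NumberOfBytes,
                           _In_ ULONG Protect)
{
    if (pfn_MmMapIoSpaceEx == NULL) {
        return NULL;
    }
    return pfn_MmMapIoSpaceEx(PhysicalAddress, NumberOfBytes, Protect);
}

PVOID NTAPI WrapperMmMapIoSpaceEx(_In_ PHYSICAL_ADDRESS PhysicalAddress,
                                  _In_ SIZE_T NumberOfBytes,
                                  _In_ ULONG Protect)
{
    if (pfn_MmMapIoSpaceEx == NULL) {
        return NULL;
    }
    return pfn_MmMapIoSpaceEx(PhysicalAddress, NumberOfBytes, Protect);
}

/* Opens a handle to an object by pointer; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI ObOpenObjectByPointer(_In_ PVOID obj,
                                     _In_ ULONG HandleAttributes,
                                     _In_ PACCESS_STATE PassedAccessState,
                                     _In_ ACCESS_MASK DesiredAccess,
                                     _In_ POBJECT_TYPE objType,
                                     _In_ KPROCESSOR_MODE AccessMode,
                                     _Out_ PHANDLE Handle)
{
    if (pfn_ObOpenObjectByPointer == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ObOpenObjectByPointer(obj, HandleAttributes, PassedAccessState,
                                     DesiredAccess, objType, AccessMode, Handle);
}

NTSTATUS NTAPI WrapperObOpenObjectByPointer(_In_ PVOID obj,
                                            _In_ ULONG HandleAttributes,
                                            _In_ PACCESS_STATE PassedAccessState,
                                            _In_ ACCESS_MASK DesiredAccess,
                                            _In_ POBJECT_TYPE objType,
                                            _In_ KPROCESSOR_MODE AccessMode,
                                            _Out_ PHANDLE Handle)
{
    if (pfn_ObOpenObjectByPointer == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ObOpenObjectByPointer(obj, HandleAttributes, PassedAccessState,
                                     DesiredAccess, objType, AccessMode, Handle);
}

/* Copies memory via MmCopyMemory; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI MmCopyMemory(_In_ PVOID TargetAddress,
                            _In_ PVOID SourceAddress,
                            _In_ SIZE_T NumberOfBytes,
                            _In_ ULONG Flags,
                            _Out_ PSIZE_T NumberOfBytesTransferred)
{
    if (pfn_MmCopyMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_MmCopyMemory(TargetAddress, SourceAddress, NumberOfBytes, Flags,
                            NumberOfBytesTransferred);
}

NTSTATUS NTAPI WrapperMmCopyMemory(_In_ PVOID TargetAddress,
                                   _In_ PVOID SourceAddress,
                                   _In_ SIZE_T NumberOfBytes,
                                   _In_ ULONG Flags,
                                   _Out_ PSIZE_T NumberOfBytesTransferred)
{
    if (pfn_MmCopyMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_MmCopyMemory(TargetAddress, SourceAddress, NumberOfBytes, Flags,
                            NumberOfBytesTransferred);
}

/*
 * Cross-process copy.  PreviousMode is passed straight through; the caller
 * decides whether user addresses are to be probed -- nothing here does so.
 */
NTSTATUS NTAPI MmCopyVirtualMemory(_In_ PEPROCESS SourceProcess,
                                   _In_ PVOID SourceAddress,
                                   _In_ PEPROCESS TargetProcess,
                                   _In_ PVOID TargetAddress,
                                   _In_ SIZE_T BufferSize,
                                   _In_ KPROCESSOR_MODE PreviousMode,
                                   _Out_ PSIZE_T ReturnSize)
{
    if (pfn_MmCopyVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess,
                                   TargetAddress, BufferSize, PreviousMode,
                                   ReturnSize);
}

NTSTATUS NTAPI WrapperMmCopyVirtualMemory(_In_ PEPROCESS SourceProcess,
                                          _In_ PVOID SourceAddress,
                                          _In_ PEPROCESS TargetProcess,
                                          _In_ PVOID TargetAddress,
                                          _In_ SIZE_T BufferSize,
                                          _In_ KPROCESSOR_MODE PreviousMode,
                                          _Out_ PSIZE_T ReturnSize)
{
    if (pfn_MmCopyVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess,
                                   TargetAddress, BufferSize, PreviousMode,
                                   ReturnSize);
}

/* Unwind-table lookup; NULL if RtlLookupFunctionEntry was not resolved (or no entry exists). */
PVOID NTAPI RtlLookupFunctionEntry(_In_ DWORD64 ControlPc,
                                   _Out_ PDWORD64 ImageBase,
                                   _Out_ PVOID HistoryTable)
{
    if (pfn_RtlLookupFunctionEntry == NULL) {
        return NULL;
    }
    return pfn_RtlLookupFunctionEntry(ControlPc, ImageBase, HistoryTable);
}

PVOID NTAPI WrapperRtlLookupFunctionEntry(_In_ DWORD64 ControlPc,
                                          _Out_ PDWORD64 ImageBase,
                                          _Out_ PVOID HistoryTable)
{
    if (pfn_RtlLookupFunctionEntry == NULL) {
        return NULL;
    }
    return pfn_RtlLookupFunctionEntry(ControlPc, ImageBase, HistoryTable);
}

/* ETW control; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI ZwTraceControl(_In_ ULONG FunctionCode,
                              PVOID InBuffer,
                              _In_ ULONG InBufferLen,
                              PVOID OutBuffer,
                              _In_ ULONG OutBufferLen,
                              _Out_ PULONG ReturnLength)
{
    if (pfn_ZwTraceControl == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwTraceControl(FunctionCode, InBuffer, InBufferLen, OutBuffer,
                              OutBufferLen, ReturnLength);
}

NTSTATUS NTAPI WrapperZwTraceControl(_In_ ULONG FunctionCode,
                                     PVOID InBuffer,
                                     _In_ ULONG InBufferLen,
                                     PVOID OutBuffer,
                                     _In_ ULONG OutBufferLen,
                                     _Out_ PULONG ReturnLength)
{
    if (pfn_ZwTraceControl == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwTraceControl(FunctionCode, InBuffer, InBufferLen, OutBuffer,
                              OutBufferLen, ReturnLength);
}

/* ETW event emission; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI ZwTraceEvent(_In_ HANDLE TraceHandle,
                            _In_ ULONG Flags,
                            _In_ ULONG FieldSize,
                            _In_ PVOID Fields)
{
    if (pfn_ZwTraceEvent == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwTraceEvent(TraceHandle, Flags, FieldSize, Fields);
}

NTSTATUS NTAPI WrapperZwTraceEvent(_In_ HANDLE TraceHandle,
                                   _In_ ULONG Flags,
                                   _In_ ULONG FieldSize,
                                   _In_ PVOID Fields)
{
    if (pfn_ZwTraceEvent == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwTraceEvent(TraceHandle, Flags, FieldSize, Fields);
}

/* Virtual-memory query; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI ZwQueryVirtualMemory(_In_ HANDLE ProcessHandle,
                                    _In_ PVOID BaseAddress,
                                    _In_ int MemoryInformationClass,
                                    _Out_ PVOID MemoryInformation,
                                    _In_ SIZE_T MemoryInformationLength,
                                    _Out_ PSIZE_T ReturnLength)
{
    if (pfn_ZwQueryVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwQueryVirtualMemory(ProcessHandle, BaseAddress,
                                    MemoryInformationClass, MemoryInformation,
                                    MemoryInformationLength, ReturnLength);
}

NTSTATUS NTAPI WrapperZwQueryVirtualMemory(_In_ HANDLE ProcessHandle,
                                           _In_ PVOID BaseAddress,
                                           _In_ int MemoryInformationClass,
                                           _Out_ PVOID MemoryInformation,
                                           _In_ SIZE_T MemoryInformationLength,
                                           _Out_ PSIZE_T ReturnLength)
{
    if (pfn_ZwQueryVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwQueryVirtualMemory(ProcessHandle, BaseAddress,
                                    MemoryInformationClass, MemoryInformation,
                                    MemoryInformationLength, ReturnLength);
}

/* Page-protection change; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI ZwProtectVirtualMemory(_In_ HANDLE ProcessHandle,
                                      _Inout_ PVOID *BaseAddress,
                                      _Inout_ PSIZE_T NumberOfBytesToProtect,
                                      _In_ ULONG NewAccessProtection,
                                      _Out_ PULONG OldAccessProtection)
{
    if (pfn_ZwProtectVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwProtectVirtualMemory(ProcessHandle, BaseAddress,
                                      NumberOfBytesToProtect,
                                      NewAccessProtection, OldAccessProtection);
}

NTSTATUS NTAPI WrapperZwProtectVirtualMemory(_In_ HANDLE ProcessHandle,
                                             _Inout_ PVOID *BaseAddress,
                                             _Inout_ PSIZE_T NumberOfBytesToProtect,
                                             _In_ ULONG NewAccessProtection,
                                             _Out_ PULONG OldAccessProtection)
{
    if (pfn_ZwProtectVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwProtectVirtualMemory(ProcessHandle, BaseAddress,
                                      NumberOfBytesToProtect,
                                      NewAccessProtection, OldAccessProtection);
}

/* System information query; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI ZwQuerySystemInformation(_In_ int SystemInformationClass,
                                        _Inout_ PVOID SystemInformation,
                                        _In_ ULONG SystemInformationLength,
                                        _Out_opt_ PULONG ReturnLength)
{
    if (pfn_ZwQuerySystemInformation == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwQuerySystemInformation(SystemInformationClass,
                                        SystemInformation,
                                        SystemInformationLength, ReturnLength);
}

NTSTATUS NTAPI WrapperZwQuerySystemInformation(_In_ int SystemInformationClass,
                                               _Inout_ PVOID SystemInformation,
                                               _In_ ULONG SystemInformationLength,
                                               _Out_opt_ PULONG ReturnLength)
{
    if (pfn_ZwQuerySystemInformation == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwQuerySystemInformation(SystemInformationClass,
                                        SystemInformation,
                                        SystemInformationLength, ReturnLength);
}

/*
 * File create/open.  Exported as _ZwCreateFile (leading underscore kept: it
 * is the existing public name, even though such names are reserved).
 */
NTSTATUS NTAPI _ZwCreateFile(_Out_ PHANDLE FileHandle,
                             _In_ ACCESS_MASK DesiredAccess,
                             _In_ POBJECT_ATTRIBUTES ObjectAttributes,
                             _Out_ PIO_STATUS_BLOCK StatusBlock,
                             _In_ PLARGE_INTEGER AllocationSize,
                             _In_ ULONG FileAttributes,
                             _In_ ULONG ShareAccess,
                             _In_ ULONG CreateDisposition,
                             _In_ ULONG CreateOptions,
                             _In_ PVOID EaBuffer,
                             _In_ ULONG EaLength)
{
    if (pfn_ZwCreateFile == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes,
                            StatusBlock, AllocationSize, FileAttributes,
                            ShareAccess, CreateDisposition, CreateOptions,
                            EaBuffer, EaLength);
}

NTSTATUS NTAPI WrapperZwCreateFile(_Out_ PHANDLE FileHandle,
                                   _In_ ACCESS_MASK DesiredAccess,
                                   _In_ POBJECT_ATTRIBUTES ObjectAttributes,
                                   _Out_ PIO_STATUS_BLOCK StatusBlock,
                                   _In_ PLARGE_INTEGER AllocationSize,
                                   _In_ ULONG FileAttributes,
                                   _In_ ULONG ShareAccess,
                                   _In_ ULONG CreateDisposition,
                                   _In_ ULONG CreateOptions,
                                   _In_ PVOID EaBuffer,
                                   _In_ ULONG EaLength)
{
    if (pfn_ZwCreateFile == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes,
                            StatusBlock, AllocationSize, FileAttributes,
                            ShareAccess, CreateDisposition, CreateOptions,
                            EaBuffer, EaLength);
}

/* Handle close; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI _ZwClose(_In_ HANDLE Handle)
{
    if (pfn_ZwClose == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwClose(Handle);
}

NTSTATUS NTAPI WrapperZwClose(_In_ HANDLE Handle)
{
    if (pfn_ZwClose == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwClose(Handle);
}

/* File write; STATUS_PROCEDURE_NOT_FOUND if unresolved. */
NTSTATUS NTAPI _ZwWriteFile(_In_ HANDLE FileHandle,
                            _In_ HANDLE Event,
                            _In_ PIO_APC_ROUTINE ApcRoutine,
                            _In_ PVOID ApcContext,
                            _Out_ PIO_STATUS_BLOCK StatusBlock,
                            _In_ PVOID Buffer,
                            _In_ ULONG Length,
                            _In_ PLARGE_INTEGER ByteOffset,
                            _In_ PULONG Key)
{
    if (pfn_ZwWriteFile == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext,
                           StatusBlock, Buffer, Length, ByteOffset, Key);
}

NTSTATUS NTAPI WrapperZwWriteFile(_In_ HANDLE FileHandle,
                                  _In_ HANDLE Event,
                                  _In_ PIO_APC_ROUTINE ApcRoutine,
                                  _In_ PVOID ApcContext,
                                  _Out_ PIO_STATUS_BLOCK StatusBlock,
                                  _In_ PVOID Buffer,
                                  _In_ ULONG Length,
                                  _In_ PLARGE_INTEGER ByteOffset,
                                  _In_ PULONG Key)
{
    if (pfn_ZwWriteFile == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return pfn_ZwWriteFile(FileHandle, Event, ApcRoutine, ApcContext,
                           StatusBlock, Buffer, Length, ByteOffset, Key);
}

#ifdef __cplusplus
} /* extern "C" */
#endif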