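/* This file was auto generated by gen_wrapper.sh */

/*
 * Run-time bindings for ten kernel routines.
 *
 * ntdll_zw_functions() looks each routine up by name with
 * MmGetSystemRoutineAddress() and caches the address in a file-local
 * pointer. Every routine is then exposed twice: under its own name and under
 * a "Wrapper"-prefixed alias, both forwarding to the cached pointer.
 *
 * Review notes:
 *  - The routines are bound by name at run time rather than linked, so they
 *    are not expected to show up in the import table of a driver built from
 *    this file. In C++ builds the name and message literals additionally pass
 *    through skCrypt() from obfuscate.hpp (presumably so they are not stored
 *    as plaintext; confirm against that header). Static triage of such a
 *    binary should not rely on imports or strings alone to decide whether it
 *    can reach these memory-copy, memory-protection and tracing routines.
 *  - Every forwarder now checks its cached pointer. Previously the
 *    Wrapper* aliases and the two PVOID-returning routines called through the
 *    pointer unconditionally, which is a NULL call in kernel mode when the
 *    lookup failed or ntdll_zw_functions() has not run yet.
 *  - The file is generated; the lasting fix belongs in gen_wrapper.sh.
 */

/* NOTE(review): the header name after #include is missing on the page.
 * <ntddk.h> is assumed because it declares MmGetSystemRoutineAddress,
 * RtlInitUnicodeString and DbgPrint; confirm against the generator. */
#include <ntddk.h>

#ifdef __cplusplus
#define _KERNEL_MODE 1
#include "obfuscate.hpp"
extern "C" {
#endif

/* Function-pointer types, one per resolved routine. */
typedef PVOID NTAPI (*MmMapIoSpaceEx_t) (_In_ PHYSICAL_ADDRESS PhysicalAddress,
                                         _In_ SIZE_T NumberOfBytes,
                                         _In_ ULONG Protect);
typedef NTSTATUS NTAPI (*ObOpenObjectByPointer_t) (_In_ PVOID obj,
                                                   _In_ ULONG HandleAttributes,
                                                   _In_ PACCESS_STATE PassedAccessState,
                                                   _In_ ACCESS_MASK DesiredAccess,
                                                   _In_ POBJECT_TYPE objType,
                                                   _In_ KPROCESSOR_MODE AccessMode,
                                                   _Out_ PHANDLE Handle);
typedef NTSTATUS NTAPI (*MmCopyMemory_t) (_In_ PVOID TargetAddress,
                                          _In_ PVOID SourceAddress,
                                          _In_ SIZE_T NumberOfBytes,
                                          _In_ ULONG Flags,
                                          _Out_ PSIZE_T NumberOfBytesTransferred);
typedef NTSTATUS NTAPI (*MmCopyVirtualMemory_t) (_In_ PEPROCESS SourceProcess,
                                                 _In_ PVOID SourceAddress,
                                                 _In_ PEPROCESS TargetProcess,
                                                 _In_ PVOID TargetAddress,
                                                 _In_ SIZE_T BufferSize,
                                                 _In_ KPROCESSOR_MODE PreviousMode,
                                                 _Out_ PSIZE_T ReturnSize);
typedef PVOID NTAPI (*RtlLookupFunctionEntry_t) (_In_ DWORD64 ControlPc,
                                                 _Out_ PDWORD64 ImageBase,
                                                 _Out_ PVOID HistoryTable);
typedef NTSTATUS NTAPI (*ZwTraceControl_t) (_In_ ULONG FunctionCode,
                                            PVOID InBuffer,
                                            _In_ ULONG InBufferLen,
                                            PVOID OutBuffer,
                                            _In_ ULONG OutBufferLen,
                                            _Out_ PULONG ReturnLength);
typedef NTSTATUS NTAPI (*ZwTraceEvent_t) (_In_ HANDLE TraceHandle,
                                          _In_ ULONG Flags,
                                          _In_ ULONG FieldSize,
                                          _In_ PVOID Fields);
typedef NTSTATUS NTAPI (*ZwQueryVirtualMemory_t) (_In_ HANDLE ProcessHandle,
                                                  _In_ PVOID BaseAddress,
                                                  _In_ int MemoryInformationClass,
                                                  _Out_ PVOID MemoryInformation,
                                                  _In_ SIZE_T MemoryInformationLength,
                                                  _Out_ PSIZE_T ReturnLength);
typedef NTSTATUS NTAPI (*ZwProtectVirtualMemory_t) (_In_ HANDLE ProcessHandle,
                                                    _In_ _Out_ PVOID* BaseAddress,
                                                    _In_ _Out_ PSIZE_T NumberOfBytesToProtect,
                                                    _In_ ULONG NewAccessProtection,
                                                    _Out_ PULONG OldAccessProtection);
typedef NTSTATUS NTAPI (*ZwQuerySystemInformation_t) (_In_ int SystemInformationClass,
                                                      _Inout_ PVOID SystemInformation,
                                                      _In_ ULONG SystemInformationLength,
                                                      _Out_opt_ PULONG ReturnLength);

/* Cached routine addresses; NULL until ntdll_zw_functions() resolves them. */
static MmMapIoSpaceEx_t _MmMapIoSpaceEx = NULL;
static ObOpenObjectByPointer_t _ObOpenObjectByPointer = NULL;
static MmCopyMemory_t _MmCopyMemory = NULL;
static MmCopyVirtualMemory_t _MmCopyVirtualMemory = NULL;
static RtlLookupFunctionEntry_t _RtlLookupFunctionEntry = NULL;
static ZwTraceControl_t _ZwTraceControl = NULL;
static ZwTraceEvent_t _ZwTraceEvent = NULL;
static ZwQueryVirtualMemory_t _ZwQueryVirtualMemory = NULL;
static ZwProtectVirtualMemory_t _ZwProtectVirtualMemory = NULL;
static ZwQuerySystemInformation_t _ZwQuerySystemInformation = NULL;

/**
 * Resolve every routine listed above and cache its address.
 *
 * Each lookup is independent: a failure is reported through DbgPrint and
 * counted, and the remaining routines are still resolved.
 *
 * @return The number of routines that could not be resolved; 0 means all
 *         ten pointers are set. A non-zero result means the matching
 *         forwarders below will report failure when called.
 *
 * NOTE(review): MmGetSystemRoutineAddress is documented for PASSIVE_LEVEL,
 * so this is presumably meant to run once from driver initialisation before
 * any forwarder is used; the call site is not visible here.
 */
int __cdecl ntdll_zw_functions (void)
{
    int retval = 0;
    UNICODE_STRING fnName;

    /* MmMapIoSpaceEx */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"MmMapIoSpaceEx"));
#else
    RtlInitUnicodeString(&fnName, L"MmMapIoSpaceEx");
#endif
    _MmMapIoSpaceEx = (MmMapIoSpaceEx_t)MmGetSystemRoutineAddress(&fnName);
    if (_MmMapIoSpaceEx == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmMapIoSpaceEx not found."));
#else
        DbgPrint("%s\n", "System routine MmMapIoSpaceEx not found.");
#endif
        retval++;
    }

    /* ObOpenObjectByPointer */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"ObOpenObjectByPointer"));
#else
    RtlInitUnicodeString(&fnName, L"ObOpenObjectByPointer");
#endif
    _ObOpenObjectByPointer = (ObOpenObjectByPointer_t)MmGetSystemRoutineAddress(&fnName);
    if (_ObOpenObjectByPointer == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine ObOpenObjectByPointer not found."));
#else
        DbgPrint("%s\n", "System routine ObOpenObjectByPointer not found.");
#endif
        retval++;
    }

    /* MmCopyMemory */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"MmCopyMemory"));
#else
    RtlInitUnicodeString(&fnName, L"MmCopyMemory");
#endif
    _MmCopyMemory = (MmCopyMemory_t)MmGetSystemRoutineAddress(&fnName);
    if (_MmCopyMemory == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmCopyMemory not found."));
#else
        DbgPrint("%s\n", "System routine MmCopyMemory not found.");
#endif
        retval++;
    }

    /* MmCopyVirtualMemory */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"MmCopyVirtualMemory"));
#else
    RtlInitUnicodeString(&fnName, L"MmCopyVirtualMemory");
#endif
    _MmCopyVirtualMemory = (MmCopyVirtualMemory_t)MmGetSystemRoutineAddress(&fnName);
    if (_MmCopyVirtualMemory == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmCopyVirtualMemory not found."));
#else
        DbgPrint("%s\n", "System routine MmCopyVirtualMemory not found.");
#endif
        retval++;
    }

    /* RtlLookupFunctionEntry */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"RtlLookupFunctionEntry"));
#else
    RtlInitUnicodeString(&fnName, L"RtlLookupFunctionEntry");
#endif
    _RtlLookupFunctionEntry = (RtlLookupFunctionEntry_t)MmGetSystemRoutineAddress(&fnName);
    if (_RtlLookupFunctionEntry == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine RtlLookupFunctionEntry not found."));
#else
        DbgPrint("%s\n", "System routine RtlLookupFunctionEntry not found.");
#endif
        retval++;
    }

    /* ZwTraceControl */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"ZwTraceControl"));
#else
    RtlInitUnicodeString(&fnName, L"ZwTraceControl");
#endif
    _ZwTraceControl = (ZwTraceControl_t)MmGetSystemRoutineAddress(&fnName);
    if (_ZwTraceControl == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwTraceControl not found."));
#else
        DbgPrint("%s\n", "System routine ZwTraceControl not found.");
#endif
        retval++;
    }

    /* ZwTraceEvent */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"ZwTraceEvent"));
#else
    RtlInitUnicodeString(&fnName, L"ZwTraceEvent");
#endif
    _ZwTraceEvent = (ZwTraceEvent_t)MmGetSystemRoutineAddress(&fnName);
    if (_ZwTraceEvent == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwTraceEvent not found."));
#else
        DbgPrint("%s\n", "System routine ZwTraceEvent not found.");
#endif
        retval++;
    }

    /* ZwQueryVirtualMemory */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"ZwQueryVirtualMemory"));
#else
    RtlInitUnicodeString(&fnName, L"ZwQueryVirtualMemory");
#endif
    _ZwQueryVirtualMemory = (ZwQueryVirtualMemory_t)MmGetSystemRoutineAddress(&fnName);
    if (_ZwQueryVirtualMemory == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwQueryVirtualMemory not found."));
#else
        DbgPrint("%s\n", "System routine ZwQueryVirtualMemory not found.");
#endif
        retval++;
    }

    /* ZwProtectVirtualMemory */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"ZwProtectVirtualMemory"));
#else
    RtlInitUnicodeString(&fnName, L"ZwProtectVirtualMemory");
#endif
    _ZwProtectVirtualMemory = (ZwProtectVirtualMemory_t)MmGetSystemRoutineAddress(&fnName);
    if (_ZwProtectVirtualMemory == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwProtectVirtualMemory not found."));
#else
        DbgPrint("%s\n", "System routine ZwProtectVirtualMemory not found.");
#endif
        retval++;
    }

    /* ZwQuerySystemInformation */
#ifdef __cplusplus
    RtlInitUnicodeString(&fnName, skCrypt(L"ZwQuerySystemInformation"));
#else
    RtlInitUnicodeString(&fnName, L"ZwQuerySystemInformation");
#endif
    _ZwQuerySystemInformation = (ZwQuerySystemInformation_t)MmGetSystemRoutineAddress(&fnName);
    if (_ZwQuerySystemInformation == NULL) {
#ifdef __cplusplus
        DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwQuerySystemInformation not found."));
#else
        DbgPrint("%s\n", "System routine ZwQuerySystemInformation not found.");
#endif
        retval++;
    }

    return retval;
}

/*
 * Forwarders.
 *
 * Each function passes its arguments unchanged to the cached pointer and
 * returns the routine's result. When the pointer is still NULL the
 * NTSTATUS-returning forwarders return STATUS_PROCEDURE_NOT_FOUND and the
 * PVOID-returning ones return NULL; in that case no _Out_ parameter is
 * written, so callers must check the return value before reading outputs.
 */

/** Forward to the resolved MmMapIoSpaceEx; NULL when it is unresolved. */
PVOID NTAPI MmMapIoSpaceEx (_In_ PHYSICAL_ADDRESS PhysicalAddress,
                            _In_ SIZE_T NumberOfBytes,
                            _In_ ULONG Protect)
{
    if (_MmMapIoSpaceEx == NULL) {
        return NULL;
    }
    return _MmMapIoSpaceEx (PhysicalAddress, NumberOfBytes, Protect);
}

/** Wrapper-prefixed alias of MmMapIoSpaceEx with the same guard. */
PVOID NTAPI WrapperMmMapIoSpaceEx (_In_ PHYSICAL_ADDRESS PhysicalAddress,
                                   _In_ SIZE_T NumberOfBytes,
                                   _In_ ULONG Protect)
{
    if (_MmMapIoSpaceEx == NULL) {
        return NULL;
    }
    return _MmMapIoSpaceEx (PhysicalAddress, NumberOfBytes, Protect);
}

/** Forward to the resolved ObOpenObjectByPointer. */
NTSTATUS NTAPI ObOpenObjectByPointer (_In_ PVOID obj,
                                      _In_ ULONG HandleAttributes,
                                      _In_ PACCESS_STATE PassedAccessState,
                                      _In_ ACCESS_MASK DesiredAccess,
                                      _In_ POBJECT_TYPE objType,
                                      _In_ KPROCESSOR_MODE AccessMode,
                                      _Out_ PHANDLE Handle)
{
    if (_ObOpenObjectByPointer == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ObOpenObjectByPointer (obj, HandleAttributes, PassedAccessState,
                                   DesiredAccess, objType, AccessMode, Handle);
}

/** Wrapper-prefixed alias of ObOpenObjectByPointer with the same guard. */
NTSTATUS NTAPI WrapperObOpenObjectByPointer (_In_ PVOID obj,
                                             _In_ ULONG HandleAttributes,
                                             _In_ PACCESS_STATE PassedAccessState,
                                             _In_ ACCESS_MASK DesiredAccess,
                                             _In_ POBJECT_TYPE objType,
                                             _In_ KPROCESSOR_MODE AccessMode,
                                             _Out_ PHANDLE Handle)
{
    if (_ObOpenObjectByPointer == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ObOpenObjectByPointer (obj, HandleAttributes, PassedAccessState,
                                   DesiredAccess, objType, AccessMode, Handle);
}

/** Forward to the resolved MmCopyMemory. */
NTSTATUS NTAPI MmCopyMemory (_In_ PVOID TargetAddress,
                             _In_ PVOID SourceAddress,
                             _In_ SIZE_T NumberOfBytes,
                             _In_ ULONG Flags,
                             _Out_ PSIZE_T NumberOfBytesTransferred)
{
    if (_MmCopyMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _MmCopyMemory (TargetAddress, SourceAddress, NumberOfBytes, Flags,
                          NumberOfBytesTransferred);
}

/** Wrapper-prefixed alias of MmCopyMemory with the same guard. */
NTSTATUS NTAPI WrapperMmCopyMemory (_In_ PVOID TargetAddress,
                                    _In_ PVOID SourceAddress,
                                    _In_ SIZE_T NumberOfBytes,
                                    _In_ ULONG Flags,
                                    _Out_ PSIZE_T NumberOfBytesTransferred)
{
    if (_MmCopyMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _MmCopyMemory (TargetAddress, SourceAddress, NumberOfBytes, Flags,
                          NumberOfBytesTransferred);
}

/** Forward to the resolved MmCopyVirtualMemory. */
NTSTATUS NTAPI MmCopyVirtualMemory (_In_ PEPROCESS SourceProcess,
                                    _In_ PVOID SourceAddress,
                                    _In_ PEPROCESS TargetProcess,
                                    _In_ PVOID TargetAddress,
                                    _In_ SIZE_T BufferSize,
                                    _In_ KPROCESSOR_MODE PreviousMode,
                                    _Out_ PSIZE_T ReturnSize)
{
    if (_MmCopyVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _MmCopyVirtualMemory (SourceProcess, SourceAddress, TargetProcess,
                                 TargetAddress, BufferSize, PreviousMode,
                                 ReturnSize);
}

/** Wrapper-prefixed alias of MmCopyVirtualMemory with the same guard. */
NTSTATUS NTAPI WrapperMmCopyVirtualMemory (_In_ PEPROCESS SourceProcess,
                                           _In_ PVOID SourceAddress,
                                           _In_ PEPROCESS TargetProcess,
                                           _In_ PVOID TargetAddress,
                                           _In_ SIZE_T BufferSize,
                                           _In_ KPROCESSOR_MODE PreviousMode,
                                           _Out_ PSIZE_T ReturnSize)
{
    if (_MmCopyVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _MmCopyVirtualMemory (SourceProcess, SourceAddress, TargetProcess,
                                 TargetAddress, BufferSize, PreviousMode,
                                 ReturnSize);
}

/** Forward to the resolved RtlLookupFunctionEntry; NULL when unresolved. */
PVOID NTAPI RtlLookupFunctionEntry (_In_ DWORD64 ControlPc,
                                    _Out_ PDWORD64 ImageBase,
                                    _Out_ PVOID HistoryTable)
{
    if (_RtlLookupFunctionEntry == NULL) {
        return NULL;
    }
    return _RtlLookupFunctionEntry (ControlPc, ImageBase, HistoryTable);
}

/** Wrapper-prefixed alias of RtlLookupFunctionEntry with the same guard. */
PVOID NTAPI WrapperRtlLookupFunctionEntry (_In_ DWORD64 ControlPc,
                                           _Out_ PDWORD64 ImageBase,
                                           _Out_ PVOID HistoryTable)
{
    if (_RtlLookupFunctionEntry == NULL) {
        return NULL;
    }
    return _RtlLookupFunctionEntry (ControlPc, ImageBase, HistoryTable);
}

/** Forward to the resolved ZwTraceControl. */
NTSTATUS NTAPI ZwTraceControl (_In_ ULONG FunctionCode,
                               PVOID InBuffer,
                               _In_ ULONG InBufferLen,
                               PVOID OutBuffer,
                               _In_ ULONG OutBufferLen,
                               _Out_ PULONG ReturnLength)
{
    if (_ZwTraceControl == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwTraceControl (FunctionCode, InBuffer, InBufferLen, OutBuffer,
                            OutBufferLen, ReturnLength);
}

/** Wrapper-prefixed alias of ZwTraceControl with the same guard. */
NTSTATUS NTAPI WrapperZwTraceControl (_In_ ULONG FunctionCode,
                                      PVOID InBuffer,
                                      _In_ ULONG InBufferLen,
                                      PVOID OutBuffer,
                                      _In_ ULONG OutBufferLen,
                                      _Out_ PULONG ReturnLength)
{
    if (_ZwTraceControl == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwTraceControl (FunctionCode, InBuffer, InBufferLen, OutBuffer,
                            OutBufferLen, ReturnLength);
}

/** Forward to the resolved ZwTraceEvent. */
NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle,
                             _In_ ULONG Flags,
                             _In_ ULONG FieldSize,
                             _In_ PVOID Fields)
{
    if (_ZwTraceEvent == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwTraceEvent (TraceHandle, Flags, FieldSize, Fields);
}

/** Wrapper-prefixed alias of ZwTraceEvent with the same guard. */
NTSTATUS NTAPI WrapperZwTraceEvent (_In_ HANDLE TraceHandle,
                                    _In_ ULONG Flags,
                                    _In_ ULONG FieldSize,
                                    _In_ PVOID Fields)
{
    if (_ZwTraceEvent == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwTraceEvent (TraceHandle, Flags, FieldSize, Fields);
}

/** Forward to the resolved ZwQueryVirtualMemory. */
NTSTATUS NTAPI ZwQueryVirtualMemory (_In_ HANDLE ProcessHandle,
                                     _In_ PVOID BaseAddress,
                                     _In_ int MemoryInformationClass,
                                     _Out_ PVOID MemoryInformation,
                                     _In_ SIZE_T MemoryInformationLength,
                                     _Out_ PSIZE_T ReturnLength)
{
    if (_ZwQueryVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwQueryVirtualMemory (ProcessHandle, BaseAddress,
                                  MemoryInformationClass, MemoryInformation,
                                  MemoryInformationLength, ReturnLength);
}

/** Wrapper-prefixed alias of ZwQueryVirtualMemory with the same guard. */
NTSTATUS NTAPI WrapperZwQueryVirtualMemory (_In_ HANDLE ProcessHandle,
                                            _In_ PVOID BaseAddress,
                                            _In_ int MemoryInformationClass,
                                            _Out_ PVOID MemoryInformation,
                                            _In_ SIZE_T MemoryInformationLength,
                                            _Out_ PSIZE_T ReturnLength)
{
    if (_ZwQueryVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwQueryVirtualMemory (ProcessHandle, BaseAddress,
                                  MemoryInformationClass, MemoryInformation,
                                  MemoryInformationLength, ReturnLength);
}

/** Forward to the resolved ZwProtectVirtualMemory. */
NTSTATUS NTAPI ZwProtectVirtualMemory (_In_ HANDLE ProcessHandle,
                                       _In_ _Out_ PVOID* BaseAddress,
                                       _In_ _Out_ PSIZE_T NumberOfBytesToProtect,
                                       _In_ ULONG NewAccessProtection,
                                       _Out_ PULONG OldAccessProtection)
{
    if (_ZwProtectVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwProtectVirtualMemory (ProcessHandle, BaseAddress,
                                    NumberOfBytesToProtect, NewAccessProtection,
                                    OldAccessProtection);
}

/** Wrapper-prefixed alias of ZwProtectVirtualMemory with the same guard. */
NTSTATUS NTAPI WrapperZwProtectVirtualMemory (_In_ HANDLE ProcessHandle,
                                              _In_ _Out_ PVOID* BaseAddress,
                                              _In_ _Out_ PSIZE_T NumberOfBytesToProtect,
                                              _In_ ULONG NewAccessProtection,
                                              _Out_ PULONG OldAccessProtection)
{
    if (_ZwProtectVirtualMemory == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwProtectVirtualMemory (ProcessHandle, BaseAddress,
                                    NumberOfBytesToProtect, NewAccessProtection,
                                    OldAccessProtection);
}

/** Forward to the resolved ZwQuerySystemInformation. */
NTSTATUS NTAPI ZwQuerySystemInformation (_In_ int SystemInformationClass,
                                         _Inout_ PVOID SystemInformation,
                                         _In_ ULONG SystemInformationLength,
                                         _Out_opt_ PULONG ReturnLength)
{
    if (_ZwQuerySystemInformation == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation,
                                      SystemInformationLength, ReturnLength);
}

/** Wrapper-prefixed alias of ZwQuerySystemInformation with the same guard. */
NTSTATUS NTAPI WrapperZwQuerySystemInformation (_In_ int SystemInformationClass,
                                                _Inout_ PVOID SystemInformation,
                                                _In_ ULONG SystemInformationLength,
                                                _Out_opt_ PULONG ReturnLength)
{
    if (_ZwQuerySystemInformation == NULL) {
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation,
                                      SystemInformationLength, ReturnLength);
}

#ifdef __cplusplus
};
#endif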