/* This file was auto generated by gen_wrapper.sh */
#include <ntddk.h>
#ifdef __cplusplus
#define _KERNEL_MODE 1
#include "obfuscate.hpp"
extern "C" {
#endif
/*
 * Function-pointer types for the kernel routines this file binds at run time
 * instead of linking against them. Each is resolved by ntdll_zw_functions()
 * below through MmGetSystemRoutineAddress. The parameter lists and SAL
 * annotations are whatever the generator emitted; they are not verified here
 * (note that ZwProtectVirtualMemory_t carries "_In_ _Out_" where the single
 * annotation _Inout_ would normally be used — harmless, the macros expand to
 * nothing outside static analysis).
 */
typedef PVOID NTAPI (*MmMapIoSpaceEx_t) (_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect);
typedef NTSTATUS NTAPI (*ObOpenObjectByPointer_t) (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle);
typedef NTSTATUS NTAPI (*MmCopyMemory_t) (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred);
typedef NTSTATUS NTAPI (*MmCopyVirtualMemory_t) (_In_ PEPROCESS SourceProcess, _In_ PVOID SourceAddress, _In_ PEPROCESS TargetProcess, _In_ PVOID TargetAddress, _In_ SIZE_T BufferSize, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PSIZE_T ReturnSize);
typedef PVOID NTAPI (*RtlLookupFunctionEntry_t) (_In_ DWORD64 ControlPc, _Out_ PDWORD64 ImageBase, _Out_ PVOID HistoryTable);
typedef NTSTATUS NTAPI (*ZwTraceControl_t) (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength);
typedef NTSTATUS NTAPI (*ZwTraceEvent_t) (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields);
typedef NTSTATUS NTAPI (*ZwQueryVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength);
typedef NTSTATUS NTAPI (*ZwProtectVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PSIZE_T NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection);
typedef NTSTATUS NTAPI (*ZwQuerySystemInformation_t) (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
/*
 * Resolved entry points. All start out NULL and are filled in by
 * ntdll_zw_functions(); a routine the running kernel does not export stays
 * NULL, so callers must check that ntdll_zw_functions() reported zero
 * failures before relying on the wrappers that forward to these pointers.
 * File-scope mutable state: there is no locking here, the expectation is
 * that resolution happens once during driver initialization.
 */
static MmMapIoSpaceEx_t _MmMapIoSpaceEx = NULL;
static ObOpenObjectByPointer_t _ObOpenObjectByPointer = NULL;
static MmCopyMemory_t _MmCopyMemory = NULL;
static MmCopyVirtualMemory_t _MmCopyVirtualMemory = NULL;
static RtlLookupFunctionEntry_t _RtlLookupFunctionEntry = NULL;
static ZwTraceControl_t _ZwTraceControl = NULL;
static ZwTraceEvent_t _ZwTraceEvent = NULL;
static ZwQueryVirtualMemory_t _ZwQueryVirtualMemory = NULL;
static ZwProtectVirtualMemory_t _ZwProtectVirtualMemory = NULL;
static ZwQuerySystemInformation_t _ZwQuerySystemInformation = NULL;
/**
 * Resolve every kernel routine this wrapper file depends on.
 *
 * For each routine the name is placed in a UNICODE_STRING and looked up with
 * MmGetSystemRoutineAddress; the result is stored in the matching file-scope
 * pointer (_MmMapIoSpaceEx, _ObOpenObjectByPointer, ...). In C++ builds the
 * name and the diagnostic strings go through the skCrypt macro from
 * obfuscate.hpp; the C build uses plain literals. The ten lookups are
 * identical in shape and are unrolled because the file is generated.
 *
 * @return Number of routines that could NOT be resolved; 0 means every
 *         pointer above is non-NULL. Each missing routine is left NULL and
 *         named in a DbgPrint line. Callers should treat a non-zero result as
 *         an initialization failure rather than call the wrappers of the
 *         missing routines.
 */
int __cdecl ntdll_zw_functions (void)
{
/* Failure count, not an NTSTATUS: incremented once per unresolved routine. */
int retval = 0;
UNICODE_STRING fnName;
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"MmMapIoSpaceEx"));
#else
RtlInitUnicodeString(&fnName, L"MmMapIoSpaceEx");
#endif
_MmMapIoSpaceEx = (MmMapIoSpaceEx_t)MmGetSystemRoutineAddress(&fnName);
if (_MmMapIoSpaceEx == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmMapIoSpaceEx not found."));
#else
DbgPrint("%s\n", "System routine MmMapIoSpaceEx not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"ObOpenObjectByPointer"));
#else
RtlInitUnicodeString(&fnName, L"ObOpenObjectByPointer");
#endif
_ObOpenObjectByPointer = (ObOpenObjectByPointer_t)MmGetSystemRoutineAddress(&fnName);
if (_ObOpenObjectByPointer == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine ObOpenObjectByPointer not found."));
#else
DbgPrint("%s\n", "System routine ObOpenObjectByPointer not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"MmCopyMemory"));
#else
RtlInitUnicodeString(&fnName, L"MmCopyMemory");
#endif
_MmCopyMemory = (MmCopyMemory_t)MmGetSystemRoutineAddress(&fnName);
if (_MmCopyMemory == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmCopyMemory not found."));
#else
DbgPrint("%s\n", "System routine MmCopyMemory not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"MmCopyVirtualMemory"));
#else
RtlInitUnicodeString(&fnName, L"MmCopyVirtualMemory");
#endif
_MmCopyVirtualMemory = (MmCopyVirtualMemory_t)MmGetSystemRoutineAddress(&fnName);
if (_MmCopyVirtualMemory == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmCopyVirtualMemory not found."));
#else
DbgPrint("%s\n", "System routine MmCopyVirtualMemory not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"RtlLookupFunctionEntry"));
#else
RtlInitUnicodeString(&fnName, L"RtlLookupFunctionEntry");
#endif
_RtlLookupFunctionEntry = (RtlLookupFunctionEntry_t)MmGetSystemRoutineAddress(&fnName);
if (_RtlLookupFunctionEntry == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine RtlLookupFunctionEntry not found."));
#else
DbgPrint("%s\n", "System routine RtlLookupFunctionEntry not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"ZwTraceControl"));
#else
RtlInitUnicodeString(&fnName, L"ZwTraceControl");
#endif
_ZwTraceControl = (ZwTraceControl_t)MmGetSystemRoutineAddress(&fnName);
if (_ZwTraceControl == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwTraceControl not found."));
#else
DbgPrint("%s\n", "System routine ZwTraceControl not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"ZwTraceEvent"));
#else
RtlInitUnicodeString(&fnName, L"ZwTraceEvent");
#endif
_ZwTraceEvent = (ZwTraceEvent_t)MmGetSystemRoutineAddress(&fnName);
if (_ZwTraceEvent == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwTraceEvent not found."));
#else
DbgPrint("%s\n", "System routine ZwTraceEvent not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"ZwQueryVirtualMemory"));
#else
RtlInitUnicodeString(&fnName, L"ZwQueryVirtualMemory");
#endif
_ZwQueryVirtualMemory = (ZwQueryVirtualMemory_t)MmGetSystemRoutineAddress(&fnName);
if (_ZwQueryVirtualMemory == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwQueryVirtualMemory not found."));
#else
DbgPrint("%s\n", "System routine ZwQueryVirtualMemory not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"ZwProtectVirtualMemory"));
#else
RtlInitUnicodeString(&fnName, L"ZwProtectVirtualMemory");
#endif
_ZwProtectVirtualMemory = (ZwProtectVirtualMemory_t)MmGetSystemRoutineAddress(&fnName);
if (_ZwProtectVirtualMemory == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwProtectVirtualMemory not found."));
#else
DbgPrint("%s\n", "System routine ZwProtectVirtualMemory not found.");
#endif
retval++;
}
#ifdef __cplusplus
RtlInitUnicodeString(&fnName, skCrypt(L"ZwQuerySystemInformation"));
#else
RtlInitUnicodeString(&fnName, L"ZwQuerySystemInformation");
#endif
_ZwQuerySystemInformation = (ZwQuerySystemInformation_t)MmGetSystemRoutineAddress(&fnName);
if (_ZwQuerySystemInformation == NULL)
{
#ifdef __cplusplus
DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwQuerySystemInformation not found."));
#else
DbgPrint("%s\n", "System routine ZwQuerySystemInformation not found.");
#endif
retval++;
}
/* 0 on full success; otherwise how many of the ten lookups came back NULL. */
return retval;
}
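/*
 * Forward to the run-time-resolved MmMapIoSpaceEx.
 *
 * Returns NULL when the routine was not resolved by ntdll_zw_functions()
 * (the pointer is still NULL) instead of calling through a NULL function
 * pointer, which in kernel mode would bugcheck; NULL is also the documented
 * failure value of the real routine, so callers need no new error path.
 * Arguments are forwarded without validation.
 */
PVOID NTAPI MmMapIoSpaceEx (_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect)
{
    if (_MmMapIoSpaceEx == NULL)
        return NULL;
    return _MmMapIoSpaceEx (PhysicalAddress, NumberOfBytes, Protect);
}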
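/*
 * Prefixed alias of the MmMapIoSpaceEx forwarder (presumably the generator's
 * alternate export name — confirm against gen_wrapper.sh).
 *
 * Returns NULL when ntdll_zw_functions() left _MmMapIoSpaceEx unresolved,
 * rather than calling through a NULL pointer and bugchecking; NULL is also
 * the documented failure value of the real routine. Arguments are forwarded
 * without validation.
 */
PVOID NTAPI WrapperMmMapIoSpaceEx (_In_ PHYSICAL_ADDRESS PhysicalAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Protect)
{
    if (_MmMapIoSpaceEx == NULL)
        return NULL;
    return _MmMapIoSpaceEx (PhysicalAddress, NumberOfBytes, Protect);
}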
/*
 * Forward to the run-time-resolved ObOpenObjectByPointer.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise whatever the kernel routine returns.
 *         Arguments are forwarded without validation.
 */
NTSTATUS NTAPI ObOpenObjectByPointer (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle)
{
    ObOpenObjectByPointer_t target = _ObOpenObjectByPointer;
    if (target != NULL)
        return target (obj, HandleAttributes, PassedAccessState, DesiredAccess, objType, AccessMode, Handle);
    return STATUS_PROCEDURE_NOT_FOUND;
}
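/*
 * Prefixed alias of the ObOpenObjectByPointer forwarder.
 *
 * Guards the NULL-pointer case the same way the unprefixed wrapper does, so
 * a failed resolution surfaces as STATUS_PROCEDURE_NOT_FOUND instead of a
 * bugcheck from calling through NULL. Arguments are forwarded without
 * validation.
 */
NTSTATUS NTAPI WrapperObOpenObjectByPointer (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle)
{
    if (_ObOpenObjectByPointer == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _ObOpenObjectByPointer (obj, HandleAttributes, PassedAccessState, DesiredAccess, objType, AccessMode, Handle);
}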
/*
 * Forward to the run-time-resolved MmCopyMemory.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise the kernel routine's status. Addresses and
 *         byte count are forwarded without validation, so any caller that
 *         takes them from a user-mode request must range-check them first.
 */
NTSTATUS NTAPI MmCopyMemory (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred)
{
    MmCopyMemory_t target = _MmCopyMemory;
    return target ? target (TargetAddress, SourceAddress, NumberOfBytes, Flags, NumberOfBytesTransferred)
                  : STATUS_PROCEDURE_NOT_FOUND;
}
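/*
 * Prefixed alias of the MmCopyMemory forwarder.
 *
 * Adds the NULL-pointer guard the unprefixed wrapper already has, so a
 * failed resolution returns STATUS_PROCEDURE_NOT_FOUND instead of calling
 * through NULL. Addresses and byte count are forwarded without validation,
 * so any caller that takes them from a user-mode request must range-check
 * them first.
 */
NTSTATUS NTAPI WrapperMmCopyMemory (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred)
{
    if (_MmCopyMemory == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _MmCopyMemory (TargetAddress, SourceAddress, NumberOfBytes, Flags, NumberOfBytesTransferred);
}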
/*
 * Forward to the run-time-resolved MmCopyVirtualMemory.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise the kernel routine's status. Process
 *         pointers, addresses and size are forwarded without validation;
 *         callers that accept them from a user-mode request must validate
 *         them before reaching this wrapper.
 */
NTSTATUS NTAPI MmCopyVirtualMemory (_In_ PEPROCESS SourceProcess, _In_ PVOID SourceAddress, _In_ PEPROCESS TargetProcess, _In_ PVOID TargetAddress, _In_ SIZE_T BufferSize, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PSIZE_T ReturnSize)
{
    MmCopyVirtualMemory_t target = _MmCopyVirtualMemory;
    if (target == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return target (SourceProcess, SourceAddress, TargetProcess, TargetAddress, BufferSize, PreviousMode, ReturnSize);
}
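/*
 * Prefixed alias of the MmCopyVirtualMemory forwarder.
 *
 * Adds the NULL-pointer guard the unprefixed wrapper already has, so a
 * failed resolution returns STATUS_PROCEDURE_NOT_FOUND instead of calling
 * through NULL. Process pointers, addresses and size are forwarded without
 * validation; callers that accept them from a user-mode request must
 * validate them before reaching this wrapper.
 */
NTSTATUS NTAPI WrapperMmCopyVirtualMemory (_In_ PEPROCESS SourceProcess, _In_ PVOID SourceAddress, _In_ PEPROCESS TargetProcess, _In_ PVOID TargetAddress, _In_ SIZE_T BufferSize, _In_ KPROCESSOR_MODE PreviousMode, _Out_ PSIZE_T ReturnSize)
{
    if (_MmCopyVirtualMemory == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _MmCopyVirtualMemory (SourceProcess, SourceAddress, TargetProcess, TargetAddress, BufferSize, PreviousMode, ReturnSize);
}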
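/*
 * Forward to the run-time-resolved RtlLookupFunctionEntry.
 *
 * Returns NULL when ntdll_zw_functions() left _RtlLookupFunctionEntry
 * unresolved, instead of calling through a NULL function pointer and
 * bugchecking; NULL is also what the real routine returns when no function
 * entry exists for ControlPc, so callers already handle it. Arguments are
 * forwarded without validation.
 */
PVOID NTAPI RtlLookupFunctionEntry (_In_ DWORD64 ControlPc, _Out_ PDWORD64 ImageBase, _Out_ PVOID HistoryTable)
{
    if (_RtlLookupFunctionEntry == NULL)
        return NULL;
    return _RtlLookupFunctionEntry (ControlPc, ImageBase, HistoryTable);
}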
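/*
 * Prefixed alias of the RtlLookupFunctionEntry forwarder.
 *
 * Returns NULL when ntdll_zw_functions() left _RtlLookupFunctionEntry
 * unresolved, instead of calling through a NULL function pointer; NULL is
 * also the real routine's "no entry" result, so no new error path is
 * introduced. Arguments are forwarded without validation.
 */
PVOID NTAPI WrapperRtlLookupFunctionEntry (_In_ DWORD64 ControlPc, _Out_ PDWORD64 ImageBase, _Out_ PVOID HistoryTable)
{
    if (_RtlLookupFunctionEntry == NULL)
        return NULL;
    return _RtlLookupFunctionEntry (ControlPc, ImageBase, HistoryTable);
}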
/*
 * Forward to the run-time-resolved ZwTraceControl.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise the kernel routine's status. Buffers and
 *         lengths are forwarded without validation.
 */
NTSTATUS NTAPI ZwTraceControl (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength)
{
    ZwTraceControl_t target = _ZwTraceControl;
    return target ? target (FunctionCode, InBuffer, InBufferLen, OutBuffer, OutBufferLen, ReturnLength)
                  : STATUS_PROCEDURE_NOT_FOUND;
}
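/*
 * Prefixed alias of the ZwTraceControl forwarder.
 *
 * Adds the NULL-pointer guard the unprefixed wrapper already has, so a
 * failed resolution returns STATUS_PROCEDURE_NOT_FOUND instead of calling
 * through NULL. Buffers and lengths are forwarded without validation.
 */
NTSTATUS NTAPI WrapperZwTraceControl (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength)
{
    if (_ZwTraceControl == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _ZwTraceControl (FunctionCode, InBuffer, InBufferLen, OutBuffer, OutBufferLen, ReturnLength);
}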
/*
 * Forward to the run-time-resolved ZwTraceEvent.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise the kernel routine's status. Arguments are
 *         forwarded without validation.
 */
NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields)
{
    ZwTraceEvent_t target = _ZwTraceEvent;
    if (target != NULL)
        return target (TraceHandle, Flags, FieldSize, Fields);
    return STATUS_PROCEDURE_NOT_FOUND;
}
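/*
 * Prefixed alias of the ZwTraceEvent forwarder.
 *
 * Adds the NULL-pointer guard the unprefixed wrapper already has, so a
 * failed resolution returns STATUS_PROCEDURE_NOT_FOUND instead of calling
 * through NULL. Arguments are forwarded without validation.
 */
NTSTATUS NTAPI WrapperZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields)
{
    if (_ZwTraceEvent == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _ZwTraceEvent (TraceHandle, Flags, FieldSize, Fields);
}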
/*
 * Forward to the run-time-resolved ZwQueryVirtualMemory.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise the kernel routine's status. The handle,
 *         address, information class and buffer length are forwarded without
 *         validation; callers that take them from a user-mode request must
 *         check them first.
 */
NTSTATUS NTAPI ZwQueryVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength)
{
    ZwQueryVirtualMemory_t target = _ZwQueryVirtualMemory;
    if (target == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return target (ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
}
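/*
 * Prefixed alias of the ZwQueryVirtualMemory forwarder.
 *
 * Adds the NULL-pointer guard the unprefixed wrapper already has, so a
 * failed resolution returns STATUS_PROCEDURE_NOT_FOUND instead of calling
 * through NULL. The handle, address, information class and buffer length
 * are forwarded without validation; callers that take them from a user-mode
 * request must check them first.
 */
NTSTATUS NTAPI WrapperZwQueryVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength)
{
    if (_ZwQueryVirtualMemory == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _ZwQueryVirtualMemory (ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
}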
/*
 * Forward to the run-time-resolved ZwProtectVirtualMemory.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise the kernel routine's status. BaseAddress and
 *         NumberOfBytesToProtect are in/out (the generator wrote "_In_ _Out_"
 *         rather than _Inout_). Nothing is validated here; callers that take
 *         the range or the new protection from a user-mode request must check
 *         them first.
 */
NTSTATUS NTAPI ZwProtectVirtualMemory (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PSIZE_T NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection)
{
    ZwProtectVirtualMemory_t target = _ZwProtectVirtualMemory;
    return target ? target (ProcessHandle, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection)
                  : STATUS_PROCEDURE_NOT_FOUND;
}
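/*
 * Prefixed alias of the ZwProtectVirtualMemory forwarder.
 *
 * Adds the NULL-pointer guard the unprefixed wrapper already has, so a
 * failed resolution returns STATUS_PROCEDURE_NOT_FOUND instead of calling
 * through NULL. BaseAddress and NumberOfBytesToProtect are in/out. Nothing
 * is validated here; callers that take the range or the new protection from
 * a user-mode request must check them first.
 */
NTSTATUS NTAPI WrapperZwProtectVirtualMemory (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PSIZE_T NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection)
{
    if (_ZwProtectVirtualMemory == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _ZwProtectVirtualMemory (ProcessHandle, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection);
}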
/*
 * Forward to the run-time-resolved ZwQuerySystemInformation.
 *
 * @return STATUS_PROCEDURE_NOT_FOUND if ntdll_zw_functions() did not resolve
 *         the routine; otherwise the kernel routine's status. ReturnLength is
 *         optional per the typedef (_Out_opt_). The information class and
 *         buffer length are forwarded without validation.
 */
NTSTATUS NTAPI ZwQuerySystemInformation (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength)
{
    ZwQuerySystemInformation_t target = _ZwQuerySystemInformation;
    if (target != NULL)
        return target (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
    return STATUS_PROCEDURE_NOT_FOUND;
}
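/*
 * Prefixed alias of the ZwQuerySystemInformation forwarder.
 *
 * Adds the NULL-pointer guard the unprefixed wrapper already has, so a
 * failed resolution returns STATUS_PROCEDURE_NOT_FOUND instead of calling
 * through NULL. ReturnLength is optional per the typedef (_Out_opt_). The
 * information class and buffer length are forwarded without validation.
 */
NTSTATUS NTAPI WrapperZwQuerySystemInformation (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength)
{
    if (_ZwQuerySystemInformation == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;
    return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
}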
#ifdef __cplusplus
};
#endif