/* This file was auto generated by gen_wrapper.sh */
#include <ntddk.h>


/* Function-pointer types for the kernel routines this file resolves by name at
 * runtime (see ntdll_zw_functions below). Each parameter list mirrors the
 * wrapper function of the same name further down. */
typedef NTSTATUS NTAPI (*ObOpenObjectByPointer_t) (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle);
typedef NTSTATUS NTAPI (*MmCopyMemory_t) (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred);
/* Result and HistoryTable are deliberately untyped (PVOID) here. */
typedef PVOID NTAPI (*RtlLookupFunctionEntry_t) (_In_ DWORD64 ControlPc, _Out_ PDWORD64 ImageBase, _Out_ PVOID HistoryTable);
/* InBuffer/OutBuffer carry no SAL annotation; their direction is implied by InBufferLen/OutBufferLen. */
typedef NTSTATUS NTAPI (*ZwTraceControl_t) (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength);
typedef NTSTATUS NTAPI (*ZwTraceEvent_t) (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields);
typedef NTSTATUS NTAPI (*ZwQueryVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength);
/* NOTE(review): `_In_ _Out_` on the next line is conventionally written `_Inout_`
 * (as ZwQuerySystemInformation_t does); the generator may want updating. */
typedef NTSTATUS NTAPI (*ZwProtectVirtualMemory_t) (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection);
typedef NTSTATUS NTAPI (*ZwQuerySystemInformation_t) (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);

/* Resolved routine addresses. All start out NULL and are filled in by
 * ntdll_zw_functions(); an entry stays NULL when MmGetSystemRoutineAddress
 * does not find the routine, so nothing may call through one of these
 * without first checking it (or the return value of ntdll_zw_functions). */
static ObOpenObjectByPointer_t _ObOpenObjectByPointer = NULL;
static MmCopyMemory_t _MmCopyMemory = NULL;
static RtlLookupFunctionEntry_t _RtlLookupFunctionEntry = NULL;
static ZwTraceControl_t _ZwTraceControl = NULL;
static ZwTraceEvent_t _ZwTraceEvent = NULL;
static ZwQueryVirtualMemory_t _ZwQueryVirtualMemory = NULL;
static ZwProtectVirtualMemory_t _ZwProtectVirtualMemory = NULL;
static ZwQuerySystemInformation_t _ZwQuerySystemInformation = NULL;

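/* Looks up one exported kernel routine by name.
 *
 * name           wide routine name handed to RtlInitUnicodeString /
 *                MmGetSystemRoutineAddress.
 * not_found_msg  text logged through DbgPrint when the lookup fails.
 * missing        counter incremented by one when the lookup fails.
 *
 * Returns the routine address, or NULL when the running kernel does not
 * export a routine of that name. */
static PVOID resolve_system_routine (const wchar_t *name, const char *not_found_msg, int *missing)
{
    UNICODE_STRING fnName;
    PVOID routine;

    RtlInitUnicodeString(&fnName, name);
    routine = MmGetSystemRoutineAddress(&fnName);
    if (routine == NULL)
    {
        DbgPrint("%s\n", not_found_msg);
        (*missing)++;
    }
    return routine;
}

/* Resolves every routine wrapped in this file and stores the addresses in the
 * static pointers above. Must run before any of the wrappers is used.
 *
 * Returns the number of routines that could not be resolved (0 means all of
 * them were found). Each miss is logged via DbgPrint and leaves the
 * corresponding pointer NULL. */
int __cdecl ntdll_zw_functions (void)
{
    int retval = 0;

    /* MmGetSystemRoutineAddress returns PVOID; convert explicitly to the
     * matching function-pointer type instead of relying on an implicit cast. */
    _ObOpenObjectByPointer = (ObOpenObjectByPointer_t) resolve_system_routine(L"ObOpenObjectByPointer", "System routine ObOpenObjectByPointer not found.", &retval);
    _MmCopyMemory = (MmCopyMemory_t) resolve_system_routine(L"MmCopyMemory", "System routine MmCopyMemory not found.", &retval);
    _RtlLookupFunctionEntry = (RtlLookupFunctionEntry_t) resolve_system_routine(L"RtlLookupFunctionEntry", "System routine RtlLookupFunctionEntry not found.", &retval);
    _ZwTraceControl = (ZwTraceControl_t) resolve_system_routine(L"ZwTraceControl", "System routine ZwTraceControl not found.", &retval);
    _ZwTraceEvent = (ZwTraceEvent_t) resolve_system_routine(L"ZwTraceEvent", "System routine ZwTraceEvent not found.", &retval);
    _ZwQueryVirtualMemory = (ZwQueryVirtualMemory_t) resolve_system_routine(L"ZwQueryVirtualMemory", "System routine ZwQueryVirtualMemory not found.", &retval);
    _ZwProtectVirtualMemory = (ZwProtectVirtualMemory_t) resolve_system_routine(L"ZwProtectVirtualMemory", "System routine ZwProtectVirtualMemory not found.", &retval);
    _ZwQuerySystemInformation = (ZwQuerySystemInformation_t) resolve_system_routine(L"ZwQuerySystemInformation", "System routine ZwQuerySystemInformation not found.", &retval);

    return retval;
}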


/* Forwards to the ObOpenObjectByPointer routine resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *Handle untouched, when the routine
 * was not resolved; otherwise returns whatever the kernel routine returns. */
NTSTATUS NTAPI ObOpenObjectByPointer (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle)
{
    ObOpenObjectByPointer_t fn = _ObOpenObjectByPointer;

    if (fn != NULL)
        return fn (obj, HandleAttributes, PassedAccessState, DesiredAccess, objType, AccessMode, Handle);

    return STATUS_PROCEDURE_NOT_FOUND;
}

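/* Alternate entry point for ObOpenObjectByPointer; forwards to the routine
 * resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *Handle untouched, when the
 * routine was not resolved; otherwise returns the kernel routine's result. */
NTSTATUS NTAPI WrapperObOpenObjectByPointer (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle)
{
    /* Calling through a NULL function pointer is undefined behaviour; report
     * the unresolved routine the same way ObOpenObjectByPointer above does. */
    if (_ObOpenObjectByPointer == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    return _ObOpenObjectByPointer (obj, HandleAttributes, PassedAccessState, DesiredAccess, objType, AccessMode, Handle);
}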

/* Forwards to the MmCopyMemory routine resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *NumberOfBytesTransferred
 * untouched, when the routine was not resolved; otherwise returns the
 * kernel routine's result. */
NTSTATUS NTAPI MmCopyMemory (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred)
{
    MmCopyMemory_t fn = _MmCopyMemory;

    if (fn != NULL)
        return fn (TargetAddress, SourceAddress, NumberOfBytes, Flags, NumberOfBytesTransferred);

    return STATUS_PROCEDURE_NOT_FOUND;
}

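/* Alternate entry point for MmCopyMemory; forwards to the routine resolved by
 * ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *NumberOfBytesTransferred
 * untouched, when the routine was not resolved; otherwise returns the kernel
 * routine's result. */
NTSTATUS NTAPI WrapperMmCopyMemory (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred)
{
    /* Calling through a NULL function pointer is undefined behaviour; report
     * the unresolved routine the same way MmCopyMemory above does. */
    if (_MmCopyMemory == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    return _MmCopyMemory (TargetAddress, SourceAddress, NumberOfBytes, Flags, NumberOfBytesTransferred);
}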

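/* Forwards to the RtlLookupFunctionEntry routine resolved by ntdll_zw_functions().
 * Returns NULL, leaving *ImageBase untouched, when the routine was not
 * resolved (the return type is PVOID, so no NTSTATUS can be reported);
 * otherwise returns the kernel routine's result. */
PVOID NTAPI RtlLookupFunctionEntry (_In_ DWORD64 ControlPc, _Out_ PDWORD64 ImageBase, _Out_ PVOID HistoryTable)
{
    /* Unlike the NTSTATUS wrappers in this file, the original forwarded
     * unconditionally; calling through a NULL function pointer is undefined
     * behaviour, so guard it here. */
    if (_RtlLookupFunctionEntry == NULL)
        return NULL;

    return _RtlLookupFunctionEntry (ControlPc, ImageBase, HistoryTable);
}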

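/* Alternate entry point for RtlLookupFunctionEntry; forwards to the routine
 * resolved by ntdll_zw_functions().
 * Returns NULL, leaving *ImageBase untouched, when the routine was not
 * resolved; otherwise returns the kernel routine's result. */
PVOID NTAPI WrapperRtlLookupFunctionEntry (_In_ DWORD64 ControlPc, _Out_ PDWORD64 ImageBase, _Out_ PVOID HistoryTable)
{
    /* Calling through a NULL function pointer is undefined behaviour. */
    if (_RtlLookupFunctionEntry == NULL)
        return NULL;

    return _RtlLookupFunctionEntry (ControlPc, ImageBase, HistoryTable);
}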

/* Forwards to the ZwTraceControl routine resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *ReturnLength and OutBuffer
 * untouched, when the routine was not resolved; otherwise returns the
 * kernel routine's result. */
NTSTATUS NTAPI ZwTraceControl (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength)
{
    ZwTraceControl_t fn = _ZwTraceControl;

    if (fn != NULL)
        return fn (FunctionCode, InBuffer, InBufferLen, OutBuffer, OutBufferLen, ReturnLength);

    return STATUS_PROCEDURE_NOT_FOUND;
}

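/* Alternate entry point for ZwTraceControl; forwards to the routine resolved
 * by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *ReturnLength and OutBuffer
 * untouched, when the routine was not resolved; otherwise returns the kernel
 * routine's result. */
NTSTATUS NTAPI WrapperZwTraceControl (_In_ ULONG FunctionCode, PVOID InBuffer, _In_ ULONG InBufferLen, PVOID OutBuffer, _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength)
{
    /* Calling through a NULL function pointer is undefined behaviour; report
     * the unresolved routine the same way ZwTraceControl above does. */
    if (_ZwTraceControl == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    return _ZwTraceControl (FunctionCode, InBuffer, InBufferLen, OutBuffer, OutBufferLen, ReturnLength);
}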

/* Forwards to the ZwTraceEvent routine resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND when the routine was not resolved;
 * otherwise returns the kernel routine's result. */
NTSTATUS NTAPI ZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields)
{
    ZwTraceEvent_t fn = _ZwTraceEvent;

    if (fn != NULL)
        return fn (TraceHandle, Flags, FieldSize, Fields);

    return STATUS_PROCEDURE_NOT_FOUND;
}

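/* Alternate entry point for ZwTraceEvent; forwards to the routine resolved by
 * ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND when the routine was not resolved;
 * otherwise returns the kernel routine's result. */
NTSTATUS NTAPI WrapperZwTraceEvent (_In_ HANDLE TraceHandle, _In_ ULONG Flags, _In_ ULONG FieldSize, _In_ PVOID Fields)
{
    /* Calling through a NULL function pointer is undefined behaviour; report
     * the unresolved routine the same way ZwTraceEvent above does. */
    if (_ZwTraceEvent == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    return _ZwTraceEvent (TraceHandle, Flags, FieldSize, Fields);
}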

/* Forwards to the ZwQueryVirtualMemory routine resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving MemoryInformation and
 * *ReturnLength untouched, when the routine was not resolved; otherwise
 * returns the kernel routine's result. */
NTSTATUS NTAPI ZwQueryVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength)
{
    ZwQueryVirtualMemory_t fn = _ZwQueryVirtualMemory;

    if (fn != NULL)
        return fn (ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);

    return STATUS_PROCEDURE_NOT_FOUND;
}

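/* Alternate entry point for ZwQueryVirtualMemory; forwards to the routine
 * resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving MemoryInformation and
 * *ReturnLength untouched, when the routine was not resolved; otherwise
 * returns the kernel routine's result. */
NTSTATUS NTAPI WrapperZwQueryVirtualMemory (_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _In_ int MemoryInformationClass, _Out_ PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_ PSIZE_T ReturnLength)
{
    /* Calling through a NULL function pointer is undefined behaviour; report
     * the unresolved routine the same way ZwQueryVirtualMemory above does. */
    if (_ZwQueryVirtualMemory == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    return _ZwQueryVirtualMemory (ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, ReturnLength);
}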

/* Forwards to the ZwProtectVirtualMemory routine resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *BaseAddress,
 * *NumberOfBytesToProtect and *OldAccessProtection untouched, when the
 * routine was not resolved; otherwise returns the kernel routine's result.
 * (`_In_ _Out_` on the in/out parameters is conventionally spelled `_Inout_`.) */
NTSTATUS NTAPI ZwProtectVirtualMemory (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection)
{
    ZwProtectVirtualMemory_t fn = _ZwProtectVirtualMemory;

    if (fn != NULL)
        return fn (ProcessHandle, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection);

    return STATUS_PROCEDURE_NOT_FOUND;
}

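/* Alternate entry point for ZwProtectVirtualMemory; forwards to the routine
 * resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving *BaseAddress,
 * *NumberOfBytesToProtect and *OldAccessProtection untouched, when the
 * routine was not resolved; otherwise returns the kernel routine's result. */
NTSTATUS NTAPI WrapperZwProtectVirtualMemory (_In_ HANDLE ProcessHandle, _In_ _Out_ PVOID* BaseAddress, _In_ _Out_ PULONG NumberOfBytesToProtect, _In_ ULONG NewAccessProtection, _Out_ PULONG OldAccessProtection)
{
    /* Calling through a NULL function pointer is undefined behaviour; report
     * the unresolved routine the same way ZwProtectVirtualMemory above does. */
    if (_ZwProtectVirtualMemory == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    return _ZwProtectVirtualMemory (ProcessHandle, BaseAddress, NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection);
}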

/* Forwards to the ZwQuerySystemInformation routine resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving SystemInformation and the
 * optional *ReturnLength untouched, when the routine was not resolved;
 * otherwise returns the kernel routine's result. */
NTSTATUS NTAPI ZwQuerySystemInformation (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength)
{
    ZwQuerySystemInformation_t fn = _ZwQuerySystemInformation;

    if (fn != NULL)
        return fn (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);

    return STATUS_PROCEDURE_NOT_FOUND;
}

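/* Alternate entry point for ZwQuerySystemInformation; forwards to the routine
 * resolved by ntdll_zw_functions().
 * Returns STATUS_PROCEDURE_NOT_FOUND, leaving SystemInformation and the
 * optional *ReturnLength untouched, when the routine was not resolved;
 * otherwise returns the kernel routine's result. */
NTSTATUS NTAPI WrapperZwQuerySystemInformation (_In_ int SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength)
{
    /* Calling through a NULL function pointer is undefined behaviour; report
     * the unresolved routine the same way ZwQuerySystemInformation above does. */
    if (_ZwQuerySystemInformation == NULL)
        return STATUS_PROCEDURE_NOT_FOUND;

    return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
}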