#pragma once
#include <windows.h>
#include <inttypes.h>
#include <stdio.h>
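#pragma region Defines
// Build-time switch read by the DPNT() macro: 0 disables debug printing,
// 1 enables it. Defaults to enabled, so release builds print unless the
// build overrides it.
#define DBG_MODE 1 // 0 disable, 1 enable
// Parenthesised so the negative constant composes safely inside larger
// expressions: with a bare `-32`, `-UP` would expand to `--32`, which does
// not compile, and `x*UP` style uses are fragile. What the pair means is not
// visible here — presumably a signed step used when walking memory up/down;
// confirm against callers.
#define UP (-32)
#define DN (32)
// Presumably the size of one argument slot in bytes (8 on x64) — confirm
// against callers.
#define ARG_LEN 8
// NOTE(review): looks like a stack offset relative to RSP; the exact slot it
// addresses is only visible in the callers — confirm there.
#define ARG_RSP_OFF 0x28
// Offset of the PEB pointer inside the x64 TEB (the field read via gs:[0x60]).
// As the name says, this value is only valid for 64-bit processes.
#define X64_PEB_OFF 0x60
#pragma endregion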
#pragma region Macros
// DPNT(fmt, ...): debug print that expands to an empty statement unless
// DBG_MODE is non-zero. When enabled it forwards every argument straight to
// printf(), so the first argument must always be a string literal — passing a
// buffer that came from outside the program as the format is a format-string
// bug, not just a style issue.
#if DBG_MODE
#define DPNT(...) do { printf(__VA_ARGS__); } while (0)
#else
#define DPNT(...) do { } while (0)
#endif
#pragma endregion
#pragma region Type Definitions
// Counted UTF-16 string as used by the native API, same layout as the public
// UNICODE_STRING. Length and MaximumLength are byte counts, not character
// counts, and Buffer is not guaranteed to be NUL-terminated: bound every read
// by Length instead of calling wcslen() on Buffer.
// NOTE(review): this tag/typedef pair collides with winternl.h if that header
// is ever included in the same translation unit.
typedef struct _UNICODE_STRING {
    USHORT Length;          // bytes currently in use in Buffer
    USHORT MaximumLength;   // bytes available in Buffer
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Partial RTL_USER_PROCESS_PARAMETERS, laid out as in the public winternl.h
// declaration: only ImagePathName and CommandLine are named, the fields in
// front of them are opaque padding. Because Reserved2 is pointer-sized the
// padding scales with the pointer width, unlike the PEB declaration below.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STRING ImagePathName;   // full path of the main image
    UNICODE_STRING CommandLine;     // command line the process was started with
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// Partial PEB_LDR_DATA (loader bookkeeping reachable from PEB.LoaderData),
// laid out as in the public winternl.h declaration. Only the in-memory-order
// module list head is named; each list link points at the InMemoryOrderLinks
// member of an LDR_DATA_TABLE_ENTRY, not at the entry's first byte.
typedef struct _PEB_LDR_DATA {
    BYTE Reserved1[8];
    PVOID Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;   // doubly linked list head; see LDR_DATA_TABLE_ENTRY
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// Partial LDR_DATA_TABLE_ENTRY (one loaded module), laid out as in the public
// winternl.h declaration. NOTE(review): InMemoryOrderLinks is not the first
// member, so a LIST_ENTRY pointer taken from PEB_LDR_DATA.InMemoryOrderModuleList
// must be converted with CONTAINING_RECORD (or by subtracting the member's
// offset) before any other field is read — the walker is not visible here,
// confirm it does this.
typedef struct _LDR_DATA_TABLE_ENTRY {
    PVOID Reserved1[2];
    LIST_ENTRY InMemoryOrderLinks;   // link in the in-memory-order module list
    PVOID Reserved2[2];
    PVOID DllBase;                   // module load address
    PVOID EntryPoint;                // module entry point
    PVOID Reserved3;
    UNICODE_STRING FullDllName;      // full path of the module (counted, see UNICODE_STRING)
    BYTE Reserved4[8];
    PVOID Reserved5[3];
    union {
        ULONG CheckSum;
        PVOID Reserved6;
    };
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// Partial Process Environment Block with the opaque stretches folded into
// fixed-size byte arrays. NOTE(review): the byte-array sizes only line up for
// 64-bit processes — 2 + 1 + 21 = 24 bytes of leading fields places
// LoaderData at 0x18 and ProcessParameters at 0x20, the x64 offsets, and
// Reserved3/Reserved4 continue that arithmetic (PostProcessInitRoutine at
// 0x230, SessionId at 0x2C0). A 32-bit build would read the wrong memory;
// consider guarding this header with #ifdef _WIN64. The tag also collides
// with winternl.h if both are included.
typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;                               // the documented BeingDebugged flag
    BYTE Reserved2[21];
    PPEB_LDR_DATA LoaderData;                         // module lists (PEB.Ldr in winternl.h)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;   // image path / command line
    BYTE Reserved3[520];
    PVOID PostProcessInitRoutine;
    BYTE Reserved4[136];
    ULONG SessionId;
} PEB, *PPEB;
// Function-pointer types with the prototypes of the kernel32 exports
// GetThreadContext(HANDLE, LPCONTEXT) and SetThreadContext(HANDLE,
// const CONTEXT*), including the SAL annotations. Presumably used to hold
// dynamically resolved addresses (GtSymbAddr below looks like the resolver);
// the resolution site is not in this header — confirm.
typedef BOOL(WINAPI* GtThrdCtxt_t)(
    _In_ HANDLE hThread,
    _Inout_ LPCONTEXT lpContext
);
typedef BOOL(WINAPI* StThrdCtxt_t)(
    _In_ HANDLE hThread,
    _In_ CONST CONTEXT* lpContext
);
#pragma endregion
#pragma region Function Declarations
// Prototypes for the helpers implemented in the matching .c file. The
// purposes below are inferred from the abbreviated names and parameter lists
// only; the definitions are not in this header.
// NOTE(review): `bool` needs <stdbool.h> when this header is compiled as C
// (it is not included above), and in a C prototype `()` means "unspecified
// arguments" rather than "no arguments" — prefer `(void)` for the three
// zero-argument functions.

// Byte-wise compare of `dt` against `msk`; `szMsk` presumably marks which
// positions have to match (a wildcard string) — confirm in the definition.
BOOL CmprMsk(const BYTE* dt, const BYTE* msk, const char* szMsk);
// Presumably scans `dLen` bytes starting at `dAddr` for `msk`/`szMsk` and
// returns the match address (0 when not found?) — confirm. Nothing in this
// signature guarantees [dAddr, dAddr + dLen) is readable; the caller must
// ensure that or the scan faults. The mask parameters are non-const here but
// const in CmprMsk — worth aligning.
DWORD_PTR FndPtrn(DWORD_PTR dAddr, DWORD dLen, PBYTE msk, PCHAR szMsk);
// Presumably FndPtrn restricted to the module named `mdlName` — confirm.
DWORD_PTR FndInMdl(LPCSTR mdlName, PBYTE msk, PCHAR szMsk);
// Presumably returns the load address of a module given its wide-string name,
// e.g. by walking the loader lists declared above — confirm. The name is
// taken as LPWSTR although it is presumably not modified.
UINT64 GtMdlAddr(LPWSTR sModuleName);
// Presumably resolves the export `fncName` inside the module at `mdlBase` — confirm.
UINT64 GtSymbAddr(UINT64 mdlBase, const char* fncName);
// Presumably prepares a system-call entry for `fncName`; what the UINT64 it
// returns denotes is not visible here — confirm. `fncName` is non-const unlike
// the other name parameters.
UINT64 PrprSyscl(char* fncName);
// Presumably installs the "main" breakpoint and reports success — confirm.
bool StMainBP();
// Presumably extracts the system-call number associated with `fncAddr` — confirm.
DWORD64 FndSysclNum(DWORD64 fncAddr);
// Presumably locates a return address associated with `fncAddr` / `sysclNum` — confirm.
DWORD64 FndSysclRtnAddr(DWORD64 fncAddr, WORD sysclNum);
// Takes EXCEPTION_POINTERS and returns a LONG, the shape of a vectored /
// top-level exception handler ("HW" presumably hardware breakpoint — confirm).
// NOTE(review): the Win32 handler types also carry WINAPI (__stdcall); that is
// a no-op on x64 but would mismatch on x86.
LONG HWScExHndlr(EXCEPTION_POINTERS* ExInfo);
// Presumably an open/close pair for some resource ("RI" is not expanded
// anywhere in this header); both report success — confirm.
bool OpnRICls();
bool ClsRICls();
#pragma endregion