├── README.md
├── c_syscalls.sln
├── c_syscalls
    ├── apidef.h
    ├── asm
    │   ├── direct.x64.asm
    │   ├── direct.x86.asm
    │   ├── indirect.x64.asm
    │   └── indirect.x86.asm
    ├── c_syscalls.c
    ├── c_syscalls.h
    ├── c_syscalls.vcxproj
    ├── c_syscalls.vcxproj.filters
    ├── c_syscalls.vcxproj.user
    ├── main.c
    └── nt_functions.h
└── direct-syscalls-vs-indirect-syscalls.pdf


/README.md:
--------------------------------------------------------------------------------
 1 | # C_SYSCALLS
 2 | 
 3 | Single stub direct and indirect syscalling with runtime SSN resolving for windows.
 4 | 
 5 | ---
 6 | Included writeup PDF link: [https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls](https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls)
 7 | ---
 8 | 
 9 | ## Features:
10 | * Single stub
11 | * One single line for all your syscalls
12 | * Direct or Indirect sycalls
13 | * x86_64, WOW64 and x86 native support
14 |   
15 | ---
16 | 
17 | ## How to use:
18 | * Call `Syscall(<function>, <args>)`
19 |     > `NTSTATUS status = Syscall(NT_CLOSE, handle);`
20 | 
21 | ---
22 | 
23 | ## Notes:
24 | * Reimplementation of the ssn fetching method used here is recommended, the one showed in this repo is really simple and can present problems with certains AV/EDRs, more complex methods has been showed before, and implementing them is out of scope in this project.
25 | * For doing this, modifications to the GetSsn() function is needed, maintining its definition.
26 | 
27 | ---
28 | 
29 | **Thanks to [SysWhispers3](https://github.com/klezVirus/SysWhispers3) for being a strong pilar on the development of this library, and [Foliage](https://github.com/SecIdiot/FOLIAGE) for the implementation of the dbj2 hash, module/function addr resolving implementation and types definitions**
30 | 


--------------------------------------------------------------------------------
/c_syscalls.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.9.34728.123
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "c_syscalls", "c_syscalls\c_syscalls.vcxproj", "{97A1129C-7625-4E10-B635-15AAA9A0790E}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Debug|x64.Build.0 = Debug|x64
18 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Debug|x86.Build.0 = Debug|Win32
20 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Release|x64.ActiveCfg = Release|x64
21 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Release|x64.Build.0 = Release|x64
22 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Release|x86.ActiveCfg = Release|Win32
23 | 		{97A1129C-7625-4E10-B635-15AAA9A0790E}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {214F51E2-3933-4E2F-A6F2-EC040330F6F8}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/c_syscalls/apidef.h:
--------------------------------------------------------------------------------
  1 | #ifndef _APIDEF_H_
  2 | #define _APIDEF_H_
  3 | 
  4 | #include <windows.h>
  5 | 
  6 | 
  7 | #ifndef InitializeObjectAttributes
  8 | #define InitializeObjectAttributes( p, n, a, r, s ) { \
  9 | 	(p)->Length = sizeof( OBJECT_ATTRIBUTES );        \
 10 | 	(p)->RootDirectory = r;                           \
 11 | 	(p)->Attributes = a;                              \
 12 | 	(p)->ObjectName = n;                              \
 13 | 	(p)->SecurityDescriptor = s;                      \
 14 | 	(p)->SecurityQualityOfService = NULL;             \
 15 | }
 16 | #endif
 17 | 
 18 | 
 19 | typedef void *PPS_POST_PROCESS_INIT_ROUTINE;
 20 | 
 21 | typedef struct _LSA_UNICODE_STRING {
 22 |   USHORT Length;
 23 |   USHORT MaximumLength;
 24 |   PWSTR  Buffer;
 25 | } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
 26 | 
 27 | typedef struct _OBJECT_ATTRIBUTES {
 28 | 	ULONG	Length;
 29 | 	HANDLE	RootDirectory;
 30 | 	PUNICODE_STRING	ObjectName;
 31 | 	ULONG	Attributes;
 32 | 	PVOID	SecurityDescriptor;
 33 | 	PVOID	SecurityQualityOfService;
 34 | } OBJECT_ATTRIBUTES;
 35 | 
 36 | typedef struct _STRING {
 37 |   USHORT Length;
 38 |   USHORT MaximumLength;
 39 |   PCHAR  Buffer;
 40 | } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING;
 41 | 
 42 | typedef struct _RTL_USER_PROCESS_PARAMETERS {
 43 |   BYTE           Reserved1[16];
 44 |   PVOID          Reserved2[10];
 45 |   UNICODE_STRING ImagePathName;
 46 |   UNICODE_STRING CommandLine;
 47 | } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
 48 | 
 49 | typedef struct _PEB_LDR_DATA {
 50 |   ULONG      Length;
 51 |   BOOL       Initialized;
 52 |   LPVOID     SsHandle;
 53 |   LIST_ENTRY InLoadOrderModuleList;
 54 |   LIST_ENTRY InMemoryOrderModuleList;
 55 |   LIST_ENTRY InInitializationOrderModuleList;
 56 | } PEB_LDR_DATA, *PPEB_LDR_DATA;
 57 | 
 58 | typedef struct _LDR_DATA_TABLE_ENTRY
 59 | {
 60 |   LIST_ENTRY     InLoadOrderLinks;
 61 |   LIST_ENTRY     InMemoryOrderLinks;
 62 |   LIST_ENTRY     InInitializationOrderLinks;
 63 |   LPVOID         DllBase;
 64 |   LPVOID         EntryPoint;
 65 |   ULONG          SizeOfImage;
 66 |   UNICODE_STRING FullDllName;
 67 |   UNICODE_STRING BaseDllName;
 68 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
 69 | 
 70 | typedef struct _PEB {
 71 |   BYTE                         InheritedAddressSpace;
 72 |   BYTE                         ReadImageFileExecOptions;
 73 |   BYTE                         BeingDebugged;
 74 |   BYTE                         _SYSTEM_DEPENDENT_01;
 75 | 
 76 |   LPVOID                       Mutant;
 77 |   LPVOID                       ImageBaseAddress;
 78 | 
 79 |   PPEB_LDR_DATA                Ldr;
 80 |   PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
 81 |   LPVOID                       SubSystemData;
 82 |   LPVOID                       ProcessHeap;
 83 |   LPVOID                       FastPebLock;
 84 |   LPVOID                       _SYSTEM_DEPENDENT_02;
 85 |   LPVOID                       _SYSTEM_DEPENDENT_03;
 86 |   LPVOID                       _SYSTEM_DEPENDENT_04;
 87 |   union {
 88 |     LPVOID                     KernelCallbackTable;
 89 |     LPVOID                     UserSharedInfoPtr;
 90 |   };  
 91 |   DWORD                        SystemReserved;
 92 |   DWORD                        _SYSTEM_DEPENDENT_05;
 93 |   LPVOID                       _SYSTEM_DEPENDENT_06;
 94 |   LPVOID                       TlsExpansionCounter;
 95 |   LPVOID                       TlsBitmap;
 96 |   DWORD                        TlsBitmapBits[2];
 97 |   LPVOID                       ReadOnlySharedMemoryBase;
 98 |   LPVOID                       _SYSTEM_DEPENDENT_07;
 99 |   LPVOID                       ReadOnlyStaticServerData;
100 |   LPVOID                       AnsiCodePageData;
101 |   LPVOID                       OemCodePageData;
102 |   LPVOID                       UnicodeCaseTableData;
103 |   DWORD                        NumberOfProcessors;
104 |   union
105 |   {
106 |     DWORD                      NtGlobalFlag;
107 |     LPVOID                     dummy02;
108 |   };
109 |   LARGE_INTEGER                CriticalSectionTimeout;
110 |   LPVOID                       HeapSegmentReserve;
111 |   LPVOID                       HeapSegmentCommit;
112 |   LPVOID                       HeapDeCommitTotalFreeThreshold;
113 |   LPVOID                       HeapDeCommitFreeBlockThreshold;
114 |   DWORD                        NumberOfHeaps;
115 |   DWORD                        MaximumNumberOfHeaps;
116 |   LPVOID                       ProcessHeaps;
117 |   LPVOID                       GdiSharedHandleTable;
118 |   LPVOID                       ProcessStarterHelper;
119 |   LPVOID                       GdiDCAttributeList;
120 |   LPVOID                       LoaderLock;
121 |   DWORD                        OSMajorVersion;
122 |   DWORD                        OSMinorVersion;
123 |   WORD                         OSBuildNumber;
124 |   WORD                         OSCSDVersion;
125 |   DWORD                        OSPlatformId;
126 |   DWORD                        ImageSubsystem;
127 |   DWORD                        ImageSubsystemMajorVersion;
128 |   LPVOID                       ImageSubsystemMinorVersion;
129 |   union
130 |   {
131 |     LPVOID                     ImageProcessAffinityMask;
132 |     LPVOID                     ActiveProcessAffinityMask;
133 |   };
134 |   #ifdef _WIN64
135 |   LPVOID                       GdiHandleBuffer[64];
136 |   #else
137 |   LPVOID                       GdiHandleBuffer[32];
138 |   #endif  
139 |   LPVOID                       PostProcessInitRoutine;
140 |   LPVOID                       TlsExpansionBitmap;
141 |   DWORD                        TlsExpansionBitmapBits[32];
142 |   LPVOID                       SessionId;
143 |   ULARGE_INTEGER               AppCompatFlags;
144 |   ULARGE_INTEGER               AppCompatFlagsUser;
145 |   LPVOID                       pShimData;
146 |   LPVOID                       AppCompatInfo;
147 |   PUNICODE_STRING              CSDVersion;
148 |   LPVOID                       ActivationContextData;
149 |   LPVOID                       ProcessAssemblyStorageMap;
150 |   LPVOID                       SystemDefaultActivationContextData;
151 |   LPVOID                       SystemAssemblyStorageMap;
152 |   LPVOID                       MinimumStackCommit;  
153 | } PEB, *PPEB;
154 | 
155 | 
156 | typedef struct _CLIENT_ID {
157 |     HANDLE UniqueProcess;
158 |     HANDLE UniqueThread;
159 | } CLIENT_ID, *PCLIENT_ID;
160 | 
161 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
162 | typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT;
163 | typedef struct _TEB_ACTIVE_FRAME *PTEB_ACTIVE_FRAME;
164 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT *PTEB_ACTIVE_FRAME_CONTEXT;
165 | 
166 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
167 |      PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous;
168 |      PACTIVATION_CONTEXT *ActivationContext;
169 |      ULONG Flags;
170 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
171 | 
172 | typedef struct _ACTIVATION_CONTEXT_STACK
173 | {
174 |      PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
175 |      LIST_ENTRY FrameListCache;
176 |      ULONG Flags;
177 |      ULONG NextCookieSequenceNumber;
178 |      ULONG StackId;
179 | } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
180 | #define GDI_BATCH_BUFFER_SIZE 310
181 | 
182 | typedef struct _GDI_TEB_BATCH
183 | {
184 |     ULONG Offset;
185 |     ULONG_PTR HDC;
186 |     ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
187 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
188 | 
189 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT
190 | {
191 |     ULONG Flags;
192 |     PSTR FrameName;
193 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
194 | 
195 | typedef struct _TEB_ACTIVE_FRAME
196 | {
197 |     ULONG Flags;
198 |     struct _TEB_ACTIVE_FRAME *Previous;
199 |     PTEB_ACTIVE_FRAME_CONTEXT Context;
200 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
201 | 
202 | #if !defined(_MSC_VER)
203 | typedef struct _PROCESSOR_NUMBER {
204 |   USHORT Group;
205 |   UCHAR  Number;
206 |   UCHAR  Reserved;
207 | } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
208 | #endif
209 | 
210 | typedef struct _TEB
211 | {
212 |     NT_TIB NtTib;
213 | 
214 |     PVOID EnvironmentPointer;
215 |     CLIENT_ID ClientId;
216 |     PVOID ActiveRpcHandle;
217 |     PVOID ThreadLocalStoragePointer;
218 |     PPEB ProcessEnvironmentBlock;
219 | 
220 |     ULONG LastErrorValue;
221 |     ULONG CountOfOwnedCriticalSections;
222 |     PVOID CsrClientThread;
223 |     PVOID Win32ThreadInfo;
224 |     ULONG User32Reserved[26];
225 |     ULONG UserReserved[5];
226 |     PVOID WOW32Reserved;
227 |     LCID CurrentLocale;
228 |     ULONG FpSoftwareStatusRegister;
229 |     PVOID SystemReserved1[54];
230 |     NTSTATUS ExceptionCode;
231 |     PVOID ActivationContextStackPointer;
232 | #ifdef _M_X64
233 |     UCHAR SpareBytes[24];
234 | #else
235 |     UCHAR SpareBytes[36];
236 | #endif
237 |     ULONG TxFsContext;
238 | 
239 |     GDI_TEB_BATCH GdiTebBatch;
240 |     CLIENT_ID RealClientId;
241 |     HANDLE GdiCachedProcessHandle;
242 |     ULONG GdiClientPID;
243 |     ULONG GdiClientTID;
244 |     PVOID GdiThreadLocalInfo;
245 |     ULONG_PTR Win32ClientInfo[62];
246 |     PVOID glDispatchTable[233];
247 |     ULONG_PTR glReserved1[29];
248 |     PVOID glReserved2;
249 |     PVOID glSectionInfo;
250 |     PVOID glSection;
251 |     PVOID glTable;
252 |     PVOID glCurrentRC;
253 |     PVOID glContext;
254 | 
255 |     NTSTATUS LastStatusValue;
256 |     UNICODE_STRING StaticUnicodeString;
257 |     WCHAR StaticUnicodeBuffer[261];
258 | 
259 |     PVOID DeallocationStack;
260 |     PVOID TlsSlots[64];
261 |     LIST_ENTRY TlsLinks;
262 | 
263 |     PVOID Vdm;
264 |     PVOID ReservedForNtRpc;
265 |     PVOID DbgSsReserved[2];
266 | 
267 |     ULONG HardErrorMode;
268 | #ifdef _M_X64
269 |     PVOID Instrumentation[11];
270 | #else
271 |     PVOID Instrumentation[9];
272 | #endif
273 |     GUID ActivityId;
274 | 
275 |     PVOID SubProcessTag;
276 |     PVOID EtwLocalData;
277 |     PVOID EtwTraceData;
278 |     PVOID WinSockData;
279 |     ULONG GdiBatchCount;
280 | 
281 |     union
282 |     {
283 |         PROCESSOR_NUMBER CurrentIdealProcessor;
284 |         ULONG IdealProcessorValue;
285 |         struct
286 |         {
287 |             UCHAR ReservedPad0;
288 |             UCHAR ReservedPad1;
289 |             UCHAR ReservedPad2;
290 |             UCHAR IdealProcessor;
291 |         };
292 |     };
293 | 
294 |     ULONG GuaranteedStackBytes;
295 |     PVOID ReservedForPerf;
296 |     PVOID ReservedForOle;
297 |     ULONG WaitingOnLoaderLock;
298 |     PVOID SavedPriorityState;
299 |     ULONG_PTR SoftPatchPtr1;
300 |     PVOID ThreadPoolData;
301 |     PVOID *TlsExpansionSlots;
302 | #ifdef _M_X64
303 |     PVOID DeallocationBStore;
304 |     PVOID BStoreLimit;
305 | #endif
306 |     ULONG MuiGeneration;
307 |     ULONG IsImpersonating;
308 |     PVOID NlsCache;
309 |     PVOID pShimData;
310 |     ULONG HeapVirtualAffinity;
311 |     HANDLE CurrentTransactionHandle;
312 |     PTEB_ACTIVE_FRAME ActiveFrame;
313 |     PVOID FlsData;
314 | 
315 |     PVOID PreferredLanguages;
316 |     PVOID UserPrefLanguages;
317 |     PVOID MergedPrefLanguages;
318 |     ULONG MuiImpersonation;
319 | 
320 |     union
321 |     {
322 |         USHORT CrossTebFlags;
323 |         USHORT SpareCrossTebBits : 16;
324 |     };
325 |     union
326 |     {
327 |         USHORT SameTebFlags;
328 |         struct
329 |         {
330 |             USHORT SafeThunkCall : 1;
331 |             USHORT InDebugPrint : 1;
332 |             USHORT HasFiberData : 1;
333 |             USHORT SkipThreadAttach : 1;
334 |             USHORT WerInShipAssertCode : 1;
335 |             USHORT RanProcessInit : 1;
336 |             USHORT ClonedThread : 1;
337 |             USHORT SuppressDebugMsg : 1;
338 |             USHORT DisableUserStackWalk : 1;
339 |             USHORT RtlExceptionAttached : 1;
340 |             USHORT InitialThread : 1;
341 |             USHORT SessionAware : 1;
342 |             USHORT SpareSameTebBits : 4;
343 |         };
344 |     };
345 | 
346 |     PVOID TxnScopeEnterCallback;
347 |     PVOID TxnScopeExitCallback;
348 |     PVOID TxnScopeContext;
349 |     ULONG LockCount;
350 |     ULONG SpareUlong0;
351 |     PVOID ResourceRetValue;
352 |     PVOID ReservedForWdf;
353 | } TEB, *PTEB;
354 | 
355 | #endif


--------------------------------------------------------------------------------
/c_syscalls/asm/direct.x64.asm:
--------------------------------------------------------------------------------
 1 | extern GetSsn:proc
 2 | 
 3 | .code
 4 | 
 5 | GetInfo_Direct proc
 6 |     push rdx
 7 |     mov rdx, 0
 8 |     sub rsp, 28h
 9 |     call GetSsn
10 |     add rsp, 28h
11 |     pop rdx
12 |     ret
13 | GetInfo_Direct endp
14 | 
15 | DoDirectSyscall proc
16 |     call GetInfo_Direct
17 |     mov [rsp - 8], rsi
18 |     mov [rsp - 10h], rdi
19 |     mov rcx, rdx
20 |     mov r10, r8
21 |     mov rdx, r9
22 |     mov  r8, [rsp + 28h]
23 |     mov  r9, [rsp + 30h]
24 |     sub rcx, 4
25 |     jle skip
26 |     lea rsi, [rsp + 38h]
27 |     lea rdi, [rsp + 28h]
28 |     rep movsq
29 | skip:
30 |     syscall
31 |     mov rsi, [rsp - 8]
32 |     mov rdi, [rsp - 10h]
33 |     ret
34 | DoDirectSyscall endp
35 | 
36 | end


--------------------------------------------------------------------------------
/c_syscalls/asm/direct.x86.asm:
--------------------------------------------------------------------------------
 1 | .MODEL FLAT
 2 | assume fs:nothing
 3 | 
 4 | extern _GetSsn:proc
 5 | 
 6 | .code
 7 | 
 8 | _GetInfo_Direct proc
 9 |     push ebp
10 |     mov ebp, esp
11 |     mov eax, [esp + 0Ch]
12 |     push 0
13 |     push eax
14 |     call _GetSsn
15 |     and eax, 0000FFFFh
16 |     mov esp, ebp
17 |     pop ebp
18 |     ret
19 | _GetInfo_Direct endp
20 | 
21 | _DoDirectSyscall proc
22 |     call _GetInfo_Direct
23 |     mov [esp - 4], esi
24 |     mov [esp - 8], edi
25 |     mov ecx, [esp + 8]
26 |     lea esi, [esp + 12]
27 |     lea edi, [esp + 4]
28 |     rep movsd
29 |     mov esi, [esp - 4]
30 |     mov edi, [esp - 8]
31 |     mov edx, fs:[0C0h]
32 |     test edx, edx
33 |     call edx
34 |     ret
35 | _DoDirectSyscall endp
36 | 
37 | assume fs:error
38 | end


--------------------------------------------------------------------------------
/c_syscalls/asm/indirect.x64.asm:
--------------------------------------------------------------------------------
 1 | extern GetSsn:proc
 2 | 
 3 | .code
 4 | 
 5 | GetInfo_Indirect proc
 6 |     push rdx
 7 |     lea rdx, [rsp - 8]
 8 |     sub rsp, 38h
 9 |     call GetSsn
10 |     add rsp, 38h
11 |     mov rcx, [rsp - 8]
12 |     pop rdx
13 |     ret
14 | GetInfo_Indirect endp
15 | 
16 | DoIndirectSyscall proc
17 |     call GetInfo_Indirect
18 |     mov [rsp - 8], rsi
19 |     mov [rsp - 10h], rdi
20 |     mov [rsp - 18h], r12
21 |     mov r12, rcx
22 |     mov rcx, rdx
23 |     mov r10, r8
24 |     mov rdx, r9
25 |     mov  r8, [rsp + 28h]
26 |     mov  r9, [rsp + 30h]
27 |     sub rcx, 4
28 |     jle skip
29 |     lea rsi, [rsp + 38h]
30 |     lea rdi, [rsp + 28h]
31 |     rep movsq
32 | skip:
33 |     mov rcx, r12
34 |     mov rsi, [rsp - 8]
35 |     mov rdi, [rsp - 10h]
36 |     mov r12, [rsp - 18h]
37 |     jmp rcx
38 | DoIndirectSyscall endp
39 | 
40 | end


--------------------------------------------------------------------------------
/c_syscalls/asm/indirect.x86.asm:
--------------------------------------------------------------------------------
 1 | .MODEL FLAT
 2 | assume fs:nothing
 3 | 
 4 | extern _GetSsn:proc
 5 | 
 6 | .code
 7 | 
 8 | _GetInfo_Indirect proc
 9 |     push ebp
10 |     mov ebp, esp
11 |     push edx
12 |     lea edx, [esp - 4]
13 |     sub esp, 4
14 |     push edx
15 |     push eax
16 |     call _GetSsn
17 |     add esp, 8
18 |     and eax, 0000FFFFh
19 |     pop ecx
20 |     pop edx
21 |     mov esp, ebp
22 |     pop ebp
23 |     ret
24 | _GetInfo_Indirect endp
25 | 
26 | _DoIndirectSyscall proc
27 |     mov ecx, [esp + 8]
28 |     not ecx
29 |     add ecx, 1
30 |     lea edx, [esp + ecx * 4]
31 |     mov ecx, [esp]
32 |     mov [edx], ecx
33 |     mov [edx - 4], esi
34 |     mov [edx - 8], edi
35 |     mov eax, [esp + 4]
36 |     mov ecx, [esp + 8]
37 |     lea esi, [esp + 0Ch]
38 |     lea edi, [edx + 4]
39 |     rep movsd
40 |     mov esi, [edx - 4]
41 |     mov edi, [edx - 8]
42 |     mov esp, edx
43 |     call _GetInfo_Indirect
44 |     mov edx, fs:[0C0h]
45 |     test edx, edx
46 |     mov edx, fs:[0C0h]
47 |     jmp ecx
48 | _DoIndirectSyscall endp
49 | 
50 | assume fs:error
51 | end


--------------------------------------------------------------------------------
/c_syscalls/c_syscalls.c:
--------------------------------------------------------------------------------
  1 | #include "c_syscalls.h"
  2 | 
  3 | #define U_PTR(x) ((DWORD_PTR)x)
  4 | #define C_PTR(x) ((PVOID)x)
  5 | 
  6 | #ifdef _M_IX86
  7 | 
  8 | __declspec(naked) BOOL LocalIsWow64()
  9 | {
 10 |     __asm
 11 | 	{
 12 |         mov eax, fs:[0xc0]
 13 |         test eax, eax
 14 |         jne wow64
 15 |         mov eax, 0
 16 |         ret
 17 |         wow64:
 18 |         mov eax, 1
 19 |         ret
 20 |     }
 21 | }
 22 | 
 23 | #else
 24 | 
 25 | BOOL LocalIsWow64()
 26 | {
 27 |     return FALSE;
 28 | }
 29 | 
 30 | #endif
 31 | 
 32 | ULONG HashString(PVOID Inp, ULONG Len)
 33 | {
 34 | 	ULONG hsh;
 35 | 	PUCHAR ptr;
 36 | 	UCHAR cur;
 37 | 
 38 | 	hsh = 5381;
 39 | 	ptr = Inp;
 40 | 
 41 | 	while (TRUE)
 42 | 	{
 43 | 		cur = *ptr;
 44 | 
 45 | 		if (!Len)
 46 | 		{
 47 | 			if (! * ptr)
 48 | 			{
 49 | 				break;
 50 | 			}
 51 | 		}
 52 | 		else
 53 | 		{
 54 | 			if ((ULONG)(ptr - (PUCHAR)Inp) >= Len)
 55 | 			{
 56 | 				break;
 57 | 			}
 58 | 			if (!*ptr)
 59 | 			{
 60 | 				++ptr;
 61 | 				continue;
 62 | 			}
 63 | 		}
 64 | 
 65 | 		if (cur >= 'a')
 66 | 		{
 67 | 			cur -= 0x20;
 68 | 		}
 69 | 
 70 | 		hsh = ((hsh << 5) + hsh) + cur;
 71 | 		++ptr;
 72 | 	}
 73 | 	return hsh;
 74 | };
 75 | 
 76 | PVOID PebGetModule(IN ULONG Hsh)
 77 | {
 78 | 	PPEB peb;
 79 | 	PPEB_LDR_DATA ldr;
 80 | 	PLDR_DATA_TABLE_ENTRY dte;
 81 | 	PLIST_ENTRY ent;
 82 | 	PLIST_ENTRY hdr;
 83 | 	ULONG mod;
 84 | 
 85 | 	peb = NtCurrentTeb()->ProcessEnvironmentBlock;
 86 | 	ldr = peb->Ldr;
 87 | 	hdr = &ldr->InLoadOrderModuleList;
 88 | 	ent = hdr->Flink;
 89 | 
 90 | 	for (; hdr != ent; ent = ent->Flink)
 91 | 	{
 92 | 		dte = C_PTR(ent);
 93 | 		mod = HashString(dte->BaseDllName.Buffer, dte->BaseDllName.Length);
 94 | 
 95 | 		if (mod == Hsh)
 96 | 		{
 97 | 			return C_PTR( dte->DllBase );
 98 | 		}
 99 | 	}
100 | 	return NULL;
101 | }; 
102 | 
103 | PVOID PeGetFuncEat(PVOID Ptr, ULONG Hsh)
104 | {
105 | 	PIMAGE_DOS_HEADER dos;
106 | 	PIMAGE_NT_HEADERS nth;
107 | 	PIMAGE_DATA_DIRECTORY dir;
108 | 	PIMAGE_EXPORT_DIRECTORY exp;
109 | 	PDWORD aof;
110 | 	PDWORD aon;
111 | 	PUSHORT ano;
112 | 	PCHAR str;
113 | 	DWORD cnt;
114 | 	ULONG hxp;
115 | 
116 | 	dos = C_PTR(Ptr);
117 | 	nth = C_PTR(U_PTR(dos + dos->e_lfanew));
118 | 	dir = C_PTR(&nth->OptionalHeader.DataDirectory[0]);
119 | 
120 | 	if (dir->VirtualAddress)
121 | 	{
122 | 		exp = C_PTR(U_PTR(dos + dir->VirtualAddress));
123 | 		aof = C_PTR(U_PTR(dos + exp->AddressOfFunctions));
124 | 		aon = C_PTR(U_PTR(dos + exp->AddressOfNames));
125 | 		ano = C_PTR(U_PTR(dos + exp->AddressOfNameOrdinals));
126 | 
127 | 		for(cnt=0; cnt<exp->NumberOfNames; ++cnt)
128 | 		{	
129 | 			str = C_PTR( U_PTR(dos + aon[cnt]));
130 | 			hxp = HashString(str, 0);
131 | 
132 | 			if ( hxp == Hsh )
133 | 			{
134 | 				return C_PTR( U_PTR(dos + aof[ano[cnt]]));
135 | 			}
136 | 		}
137 | 	}
138 | 	return NULL;
139 | }
140 | 
141 | USHORT GetSsn(int hash, PVOID* addr)
142 | {
143 | 	PVOID ntdll_addr;
144 | 	PVOID funct_addr;
145 | 	PVOID ssn_addr;
146 | 	USHORT ssn;
147 | 
148 | 	ntdll_addr = PebGetModule(NTDLL);
149 | 	funct_addr = PeGetFuncEat(ntdll_addr, hash);
150 | 	ssn = *(PUSHORT)((DWORD_PTR) funct_addr + SYSCALL_SSN_DIST);
151 | 
152 | 	if (addr != NULL)
153 | 	{
154 | 		if (LocalIsWow64())
155 | 		{
156 | 			*addr = (PVOID)((DWORD_PTR)funct_addr + SYSCALL_INST_DIST_WOW64);
157 | 		}
158 | 		else
159 | 		{
160 | 			*addr = (PVOID)((DWORD_PTR)funct_addr + SYSCALL_INST_DIST);
161 | 		}
162 | 	}
163 | 
164 | 	return ssn;
165 | }


--------------------------------------------------------------------------------
/c_syscalls/c_syscalls.h:
--------------------------------------------------------------------------------
 1 | #ifndef _SYSCALL_H_
 2 | #define _SYSCALL_H_
 3 | 
 4 | #include <windows.h>
 5 | #include "apidef.h"
 6 | #include "nt_functions.h"
 7 | 
 8 | #ifdef _WIN64
 9 | 
10 | #define SYSCALL_SSN_DIST  0x4
11 | #define SYSCALL_INST_DIST 0x12
12 | #define SYSCALL_INST_DIST_WOW64 0x0
13 | 
14 | #else
15 | 
16 | #define SYSCALL_SSN_DIST  0x1
17 | #define SYSCALL_INST_DIST 0x0F
18 | #define SYSCALL_INST_DIST_WOW64 0x0A
19 | #endif
20 | 
21 | USHORT GetSsn(int hash, PVOID* addr);
22 | extern NTSTATUS DoDirectSyscall(int ssn, int n_args, ...);
23 | extern NTSTATUS DoIndirectSyscall(int ssn, int n_args, ...);
24 | 
25 | #endif


--------------------------------------------------------------------------------
/c_syscalls/c_syscalls.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <ItemGroup>
 22 |     <ClCompile Include="c_syscalls.c" />
 23 |     <ClCompile Include="main.c" />
 24 |   </ItemGroup>
 25 |   <ItemGroup>
 26 |     <ClInclude Include="apidef.h" />
 27 |     <ClInclude Include="c_syscalls.h" />
 28 |     <ClInclude Include="nt_functions.h" />
 29 |   </ItemGroup>
 30 |   <ItemGroup>
 31 |     <MASM Include="asm\direct.x64.asm">
 32 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
 33 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
 34 |     </MASM>
 35 |     <MASM Include="asm\direct.x86.asm">
 36 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
 37 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
 38 |     </MASM>
 39 |     <MASM Include="asm\indirect.x64.asm">
 40 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</ExcludedFromBuild>
 41 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</ExcludedFromBuild>
 42 |     </MASM>
 43 |     <MASM Include="asm\indirect.x86.asm">
 44 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
 45 |       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
 46 |     </MASM>
 47 |   </ItemGroup>
 48 |   <PropertyGroup Label="Globals">
 49 |     <VCProjectVersion>17.0</VCProjectVersion>
 50 |     <Keyword>Win32Proj</Keyword>
 51 |     <ProjectGuid>{97a1129c-7625-4e10-b635-15aaa9a0790e}</ProjectGuid>
 52 |     <RootNamespace>csyscalls</RootNamespace>
 53 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 57 |     <ConfigurationType>Application</ConfigurationType>
 58 |     <UseDebugLibraries>true</UseDebugLibraries>
 59 |     <PlatformToolset>v143</PlatformToolset>
 60 |     <CharacterSet>Unicode</CharacterSet>
 61 |   </PropertyGroup>
 62 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 63 |     <ConfigurationType>Application</ConfigurationType>
 64 |     <UseDebugLibraries>false</UseDebugLibraries>
 65 |     <PlatformToolset>v143</PlatformToolset>
 66 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 67 |     <CharacterSet>Unicode</CharacterSet>
 68 |   </PropertyGroup>
 69 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 70 |     <ConfigurationType>Application</ConfigurationType>
 71 |     <UseDebugLibraries>true</UseDebugLibraries>
 72 |     <PlatformToolset>v143</PlatformToolset>
 73 |     <CharacterSet>Unicode</CharacterSet>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 76 |     <ConfigurationType>Application</ConfigurationType>
 77 |     <UseDebugLibraries>false</UseDebugLibraries>
 78 |     <PlatformToolset>v143</PlatformToolset>
 79 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 80 |     <CharacterSet>Unicode</CharacterSet>
 81 |   </PropertyGroup>
 82 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 83 |   <ImportGroup Label="ExtensionSettings">
 84 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
 85 |   </ImportGroup>
 86 |   <ImportGroup Label="Shared">
 87 |   </ImportGroup>
 88 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 89 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 90 |   </ImportGroup>
 91 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 92 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 93 |   </ImportGroup>
 94 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 95 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 96 |   </ImportGroup>
 97 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 98 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 99 |   </ImportGroup>
100 |   <PropertyGroup Label="UserMacros" />
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <FunctionLevelLinking>true</FunctionLevelLinking>
117 |       <IntrinsicFunctions>true</IntrinsicFunctions>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |       <GenerateDebugInformation>true</GenerateDebugInformation>
127 |       <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
128 |     </Link>
129 |   </ItemDefinitionGroup>
130 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
131 |     <ClCompile>
132 |       <WarningLevel>Level3</WarningLevel>
133 |       <SDLCheck>true</SDLCheck>
134 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
135 |       <ConformanceMode>true</ConformanceMode>
136 |     </ClCompile>
137 |     <Link>
138 |       <SubSystem>Console</SubSystem>
139 |       <GenerateDebugInformation>true</GenerateDebugInformation>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
143 |     <ClCompile>
144 |       <WarningLevel>Level3</WarningLevel>
145 |       <FunctionLevelLinking>true</FunctionLevelLinking>
146 |       <IntrinsicFunctions>true</IntrinsicFunctions>
147 |       <SDLCheck>true</SDLCheck>
148 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
149 |       <ConformanceMode>true</ConformanceMode>
150 |     </ClCompile>
151 |     <Link>
152 |       <SubSystem>Console</SubSystem>
153 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
154 |       <OptimizeReferences>true</OptimizeReferences>
155 |       <GenerateDebugInformation>true</GenerateDebugInformation>
156 |       <ImageHasSafeExceptionHandlers>
157 |       </ImageHasSafeExceptionHandlers>
158 |     </Link>
159 |   </ItemDefinitionGroup>
160 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
161 |   <ImportGroup Label="ExtensionTargets">
162 |     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
163 |   </ImportGroup>
164 | </Project>


--------------------------------------------------------------------------------
/c_syscalls/c_syscalls.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="asm">
17 |       <UniqueIdentifier>{65d72c4c-8122-4add-8073-af977c9fc2b9}</UniqueIdentifier>
18 |     </Filter>
19 |   </ItemGroup>
20 |   <ItemGroup>
21 |     <ClCompile Include="main.c">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="c_syscalls.c">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |   </ItemGroup>
28 |   <ItemGroup>
29 |     <ClInclude Include="apidef.h">
30 |       <Filter>Header Files</Filter>
31 |     </ClInclude>
32 |     <ClInclude Include="c_syscalls.h">
33 |       <Filter>Header Files</Filter>
34 |     </ClInclude>
35 |     <ClInclude Include="nt_functions.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |   </ItemGroup>
39 |   <ItemGroup>
40 |     <MASM Include="asm\direct.x64.asm">
41 |       <Filter>asm</Filter>
42 |     </MASM>
43 |     <MASM Include="asm\direct.x86.asm">
44 |       <Filter>asm</Filter>
45 |     </MASM>
46 |     <MASM Include="asm\indirect.x64.asm">
47 |       <Filter>asm</Filter>
48 |     </MASM>
49 |     <MASM Include="asm\indirect.x86.asm">
50 |       <Filter>asm</Filter>
51 |     </MASM>
52 |   </ItemGroup>
53 | </Project>


--------------------------------------------------------------------------------
/c_syscalls/c_syscalls.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/c_syscalls/main.c:
--------------------------------------------------------------------------------
 1 | #include <Windows.h>
 2 | #include <stdio.h>
 3 | #include "c_syscalls.h"
 4 | 
 5 | //Compile in DEBUG mode.
 6 | int main()
 7 | {
 8 | 	PVOID lpAddress = NULL;
 9 | 	SIZE_T sDataSize = 4096;
10 | 	DoDirectSyscall(NT_ALLOCATE_VIRTUAL_MEMORY, (HANDLE)-1, &lpAddress, 0, &sDataSize, MEM_COMMIT, PAGE_READWRITE);
11 | 	printf("[Direct Syscall | NtAllocateVirtualMemory] - Allocated memory at address: 0x%p\n", lpAddress);
12 | 
13 | 	PVOID lpAddress2 = NULL;
14 | 	SIZE_T sDataSize2 = 4096;
15 | 	DoIndirectSyscall(NT_ALLOCATE_VIRTUAL_MEMORY, (HANDLE)-1, &lpAddress2, 0, &sDataSize2, MEM_COMMIT, PAGE_READWRITE);
16 | 	printf("[Indirect Syscall | NtAllocateVirtualMemory] - Allocated memory at address: 0x%p\n", lpAddress2);
17 | 
18 | 	system("pause");
19 | 	return 0;
20 | }


--------------------------------------------------------------------------------
/c_syscalls/nt_functions.h:
--------------------------------------------------------------------------------
  1 | #define NTDLL 0x1edab0ed
  2 | 
  3 | #define NT_ACCESS_CHECK 0x7d0bc597, 8
  4 | #define NT_WORKER_FACTORY_WORKER_READY 0xe5659c68, 1
  5 | #define NT_ACCEPT_CONNECT_PORT 0x44832b86, 6
  6 | #define NT_MAP_USER_PHYSICAL_PAGES_SCATTER 0x5d849bc7, 3
  7 | #define NT_WAIT_FOR_SINGLE_OBJECT 0xe8ac0c3c, 3
  8 | #define NT_CALLBACK_RETURN 0x9756d5b4, 3
  9 | #define NT_READ_FILE 0xb2d93203, 9
 10 | #define NT_DEVICE_IO_CONTROL_FILE 0x5d57dd0, 10
 11 | #define NT_WRITE_FILE 0xe0d61db2, 9
 12 | #define NT_REMOVE_IO_COMPLETION 0x6f49a67, 5
 13 | #define NT_RELEASE_SEMAPHORE 0xf856f64c, 3
 14 | #define NT_REPLY_WAIT_RECEIVE_PORT 0x19ba6c70, 4
 15 | #define NT_REPLY_PORT 0xa4adfdb8, 2
 16 | #define NT_SET_INFORMATION_THREAD 0xc3c03f1, 4
 17 | #define NT_SET_EVENT 0xcb87d8b5, 2
 18 | #define NT_CLOSE 0x40d6e69d, 1
 19 | #define NT_QUERY_OBJECT 0xc85dc9b4, 5
 20 | #define NT_QUERY_INFORMATION_FILE 0xc25ebe23, 5
 21 | #define NT_OPEN_KEY 0x7682ed42, 3
 22 | #define NT_ENUMERATE_VALUE_KEY 0xd48a46f3, 6
 23 | #define NT_FIND_ATOM 0xf1fcabf9, 3
 24 | #define NT_QUERY_DEFAULT_LOCALE 0xb823a332, 2
 25 | #define NT_QUERY_KEY 0xa09795a6, 5
 26 | #define NT_QUERY_VALUE_KEY 0x85967123, 6
 27 | #define NT_ALLOCATE_VIRTUAL_MEMORY 0xf783b8ec, 6
 28 | #define NT_QUERY_INFORMATION_PROCESS 0x8cdc5dc2, 5
 29 | #define NT_WAIT_FOR_MULTIPLE_OBJECTS32 0xc1eff7de, 5
 30 | #define NT_WRITE_FILE_GATHER 0x329be3ed, 9
 31 | #define NT_CREATE_KEY 0x67f13d84, 7
 32 | #define NT_FREE_VIRTUAL_MEMORY 0x2802c609, 4
 33 | #define NT_IMPERSONATE_CLIENT_OF_PORT 0x22d8cb27, 2
 34 | #define NT_RELEASE_MUTANT 0xbc954fe1, 2
 35 | #define NT_QUERY_INFORMATION_TOKEN 0xf371fe4, 5
 36 | #define NT_REQUEST_WAIT_REPLY_PORT 0x2fb06f96, 3
 37 | #define NT_QUERY_VIRTUAL_MEMORY 0x10c0e85d, 6
 38 | #define NT_OPEN_THREAD_TOKEN 0x803347d2, 4
 39 | #define NT_QUERY_INFORMATION_THREAD 0xf5a0461b, 5
 40 | #define NT_OPEN_PROCESS 0x4b82f718, 4
 41 | #define NT_SET_INFORMATION_FILE 0xce250e79, 5
 42 | #define NT_MAP_VIEW_OF_SECTION 0xd6649bca, 10
 43 | #define NT_ACCESS_CHECK_AND_AUDIT_ALARM 0x259a7cce, 11
 44 | #define NT_UNMAP_VIEW_OF_SECTION 0x6aa412cd, 2
 45 | #define NT_REPLY_WAIT_RECEIVE_PORT_EX 0x720751ad, 5
 46 | #define NT_TERMINATE_PROCESS 0x4ed9dd4f, 2
 47 | #define NT_SET_EVENT_BOOST_PRIORITY 0x922e46be, 1
 48 | #define NT_READ_FILE_SCATTER 0x1b457c79, 9
 49 | #define NT_OPEN_THREAD_TOKEN_EX 0x5a248d8f, 5
 50 | #define NT_OPEN_PROCESS_TOKEN_EX 0xafaade16, 4
 51 | #define NT_QUERY_PERFORMANCE_COUNTER 0x5c380bef, 2
 52 | #define NT_ENUMERATE_KEY 0x4d8a8976, 6
 53 | #define NT_OPEN_FILE 0x46dde739, 6
 54 | #define NT_DELAY_EXECUTION 0xf5a936aa, 2
 55 | #define NT_QUERY_DIRECTORY_FILE 0x8b951172, 11
 56 | #define NT_QUERY_SYSTEM_INFORMATION 0x7bc23928, 4
 57 | #define NT_OPEN_SECTION 0x134eda0e, 3
 58 | #define NT_QUERY_TIMER 0x25787b5e, 5
 59 | #define NT_FS_CONTROL_FILE 0xecdfd601, 10
 60 | #define NT_WRITE_VIRTUAL_MEMORY 0xc3170192, 5
 61 | #define NT_CLOSE_OBJECT_AUDIT_ALARM 0x232b3618, 3
 62 | #define NT_DUPLICATE_OBJECT 0x4441d859, 7
 63 | #define NT_QUERY_ATTRIBUTES_FILE 0xba693724, 2
 64 | #define NT_CLEAR_EVENT 0xa689fdd0, 1
 65 | #define NT_READ_VIRTUAL_MEMORY 0xa3288103, 5
 66 | #define NT_OPEN_EVENT 0x228fba7b, 3
 67 | #define NT_ADJUST_PRIVILEGES_TOKEN 0x2dbc736d, 6
 68 | #define NT_DUPLICATE_TOKEN 0x8e160b23, 6
 69 | #define NT_CONTINUE 0xfc3a6c2c, 2
 70 | #define NT_QUERY_DEFAULT_U_I_LANGUAGE 0x578918a4, 1
 71 | #define NT_QUEUE_APC_THREAD 0xa6664b8, 5
 72 | #define NT_YIELD_EXECUTION 0x1ee06b52, 0
 73 | #define NT_ADD_ATOM 0x24bca141, 3
 74 | #define NT_CREATE_EVENT 0x28d3233d, 5
 75 | #define NT_QUERY_VOLUME_INFORMATION_FILE 0xde14875b, 5
 76 | #define NT_CREATE_SECTION 0xb80f7b50, 7
 77 | #define NT_FLUSH_BUFFERS_FILE 0xc7654d16, 2
 78 | #define NT_APPHELP_CACHE_CONTROL 0x25eebfe6, 2
 79 | #define NT_CREATE_PROCESS_EX 0xf8b2017, 9
 80 | #define NT_CREATE_THREAD 0x653e8db3, 8
 81 | #define NT_IS_PROCESS_IN_JOB 0xd3f27134, 2
 82 | #define NT_PROTECT_VIRTUAL_MEMORY 0x50e92888, 5
 83 | #define NT_QUERY_SECTION 0xe891472, 5
 84 | #define NT_RESUME_THREAD 0x5a4bc3d0, 2
 85 | #define NT_TERMINATE_THREAD 0xccf58808, 2
 86 | #define NT_READ_REQUEST_DATA 0x46f12e26, 6
 87 | #define NT_CREATE_FILE 0x66163fbb, 11
 88 | #define NT_QUERY_EVENT 0x24700bdf, 5
 89 | #define NT_WRITE_REQUEST_DATA 0x50d83ef5, 6
 90 | #define NT_OPEN_DIRECTORY_OBJECT 0x922d89e5, 3
 91 | #define NT_ACCESS_CHECK_BY_TYPE_AND_AUDIT_ALARM 0x6706fc8b, 16
 92 | #define NT_WAIT_FOR_MULTIPLE_OBJECTS 0x8eded6d9, 5
 93 | #define NT_SET_INFORMATION_OBJECT 0x214310, 4
 94 | #define NT_CANCEL_IO_FILE 0xc13a1b25, 2
 95 | #define NT_TRACE_EVENT 0x70c25cd8, 4
 96 | #define NT_POWER_INFORMATION 0xe77b5d3a, 5
 97 | #define NT_SET_VALUE_KEY 0xd9a01639, 6
 98 | #define NT_CANCEL_TIMER 0x63b61f6e, 2
 99 | #define NT_SET_TIMER 0xcc904834, 7
100 | #define NT_ACCESS_CHECK_BY_TYPE 0x7213ee34, 11
101 | #define NT_ACCESS_CHECK_BY_TYPE_RESULT_LIST 0x3de86a8f, 11
102 | #define NT_ACCESS_CHECK_BY_TYPE_RESULT_LIST_AND_AUDIT_ALARM 0xf71974c6, 16
103 | #define NT_ACCESS_CHECK_BY_TYPE_RESULT_LIST_AND_AUDIT_ALARM_BY_HANDLE 0xd43c72cd, 17
104 | #define NT_ACQUIRE_PROCESS_ACTIVITY_REFERENCE 0x4822b84c, 0
105 | #define NT_ADD_ATOM_EX 0x4669febe, 4
106 | #define NT_ADD_BOOT_ENTRY 0x8cfcc776, 2
107 | #define NT_ADD_DRIVER_ENTRY 0xfc0195ae, 2
108 | #define NT_ADJUST_GROUPS_TOKEN 0xe9bb5b13, 6
109 | #define NT_ADJUST_TOKEN_CLAIMS_AND_DEVICE_GROUPS 0x3478f50f, 16
110 | #define NT_ALERT_RESUME_THREAD 0x5ba11e28, 2
111 | #define NT_ALERT_THREAD 0xd96aec97, 1
112 | #define NT_ALERT_THREAD_BY_THREAD_ID 0xc0f4e737, 1
113 | #define NT_ALLOCATE_LOCALLY_UNIQUE_ID 0x159a83a0, 1
114 | #define NT_ALLOCATE_RESERVE_OBJECT 0x2c8401ff, 3
115 | #define NT_ALLOCATE_USER_PHYSICAL_PAGES 0x345b0718, 3
116 | #define NT_ALLOCATE_UUIDS 0xb2afc8d6, 4
117 | #define NT_ALLOCATE_VIRTUAL_MEMORY_EX 0xe755ad29, 7
118 | #define NT_ALPC_ACCEPT_CONNECT_PORT 0xa549d986, 9
119 | #define NT_ALPC_CANCEL_MESSAGE 0xe2a31692, 3
120 | #define NT_ALPC_CONNECT_PORT 0xe2ffd616, 11
121 | #define NT_ALPC_CONNECT_PORT_EX 0xa24dbcd3, 11
122 | #define NT_ALPC_CREATE_PORT 0x392a43e0, 3
123 | #define NT_ALPC_CREATE_PORT_SECTION 0x953c8875, 6
124 | #define NT_ALPC_CREATE_RESOURCE_RESERVE 0xce92221f, 4
125 | #define NT_ALPC_CREATE_SECTION_VIEW 0x3ff3b9ab, 3
126 | #define NT_ALPC_CREATE_SECURITY_CONTEXT 0xb2e79ff8, 3
127 | #define NT_ALPC_DELETE_PORT_SECTION 0xed5864d4, 3
128 | #define NT_ALPC_DELETE_RESOURCE_RESERVE 0x4ff315fe, 3
129 | #define NT_ALPC_DELETE_SECTION_VIEW 0x980f960a, 3
130 | #define NT_ALPC_DELETE_SECURITY_CONTEXT 0x344893d7, 3
131 | #define NT_ALPC_DISCONNECT_PORT 0xba6b8fb6, 2
132 | #define NT_ALPC_IMPERSONATE_CLIENT_CONTAINER_OF_PORT 0xedd54bca, 3
133 | #define NT_ALPC_IMPERSONATE_CLIENT_OF_PORT 0x9569f927, 3
134 | #define NT_ALPC_OPEN_SENDER_PROCESS 0x501dc7b9, 6
135 | #define NT_ALPC_OPEN_SENDER_THREAD 0x12d0cd32, 6
136 | #define NT_ALPC_QUERY_INFORMATION 0xe6fcff83, 5
137 | #define NT_ALPC_QUERY_INFORMATION_MESSAGE 0xfa7cdac8, 6
138 | #define NT_ALPC_REVOKE_SECURITY_CONTEXT 0xaebaa8b0, 3
139 | #define NT_ALPC_SEND_WAIT_RECEIVE_PORT 0x2f26df2e, 8
140 | #define NT_ALPC_SET_INFORMATION 0x89d914d9, 4
141 | #define NT_ARE_MAPPED_FILES_THE_SAME 0xcb7ae170, 2
142 | #define NT_ASSIGN_PROCESS_TO_JOB_OBJECT 0x12e128c0, 2
143 | #define NT_ASSOCIATE_WAIT_COMPLETION_PACKET 0x2966574a, 8
144 | #define NT_CALL_ENCLAVE 0xcc85de41, 4
145 | #define NT_CANCEL_IO_FILE_EX 0xf82d81a2, 3
146 | #define NT_CANCEL_SYNCHRONOUS_IO_FILE 0x9f6de590, 3
147 | #define NT_CANCEL_TIMER2 0xda7a0d60, 2
148 | #define NT_CANCEL_WAIT_COMPLETION_PACKET 0xcc7d18d4, 2
149 | #define NT_COMMIT_COMPLETE 0x8f6156e9, 2
150 | #define NT_COMMIT_ENLISTMENT 0x8af1a7f3, 2
151 | #define NT_COMMIT_REGISTRY_TRANSACTION 0x7c1dc1af, 2
152 | #define NT_COMMIT_TRANSACTION 0x38b10216, 2
153 | #define NT_COMPACT_KEYS 0xde3f064a, 2
154 | #define NT_COMPARE_OBJECTS 0xd4948458, 2
155 | #define NT_COMPARE_SIGNING_LEVELS 0xe556e6e8, 2
156 | #define NT_COMPARE_TOKENS 0xd4f72ee2, 3
157 | #define NT_COMPLETE_CONNECT_PORT 0x7d12820f, 1
158 | #define NT_COMPRESS_KEY 0xff79c1dc, 1
159 | #define NT_CONNECT_PORT 0xae23a816, 8
160 | #define NT_CONVERT_BETWEEN_AUXILIARY_COUNTER_AND_PERFORMANCE_COUNTER 0x1ae4332f, 4
161 | #define NT_CREATE_DEBUG_OBJECT 0xebaf8b59, 4
162 | #define NT_CREATE_DIRECTORY_OBJECT 0x42144d27, 3
163 | #define NT_CREATE_DIRECTORY_OBJECT_EX 0x185c3c24, 5
164 | #define NT_CREATE_ENCLAVE 0x975a1239, 9
165 | #define NT_CREATE_ENLISTMENT 0x2c58167e, 8
166 | #define NT_CREATE_EVENT_PAIR 0xd8297649, 3
167 | #define NT_CREATE_I_R_TIMER 0xd5c9d417, 2
168 | #define NT_CREATE_IO_COMPLETION 0xc2a771ad, 4
169 | #define NT_CREATE_JOB_OBJECT 0xc2e8586d, 3
170 | #define NT_CREATE_JOB_SET 0x4e611902, 3
171 | #define NT_CREATE_KEY_TRANSACTED 0x7ed2e46d, 8
172 | #define NT_CREATE_KEYED_EVENT 0xd39e7f0f, 4
173 | #define NT_CREATE_LOW_BOX_TOKEN 0xc26a3d77, 9
174 | #define NT_CREATE_MAILSLOT_FILE 0x53d65760, 8
175 | #define NT_CREATE_MUTANT 0x55d6b954, 4
176 | #define NT_CREATE_NAMED_PIPE_FILE 0x1da0062e, 14
177 | #define NT_CREATE_PAGING_FILE 0xc4989dd1, 4
178 | #define NT_CREATE_PARTITION 0x6e0b2b35, 4
179 | #define NT_CREATE_PORT 0x661bd5e0, 5
180 | #define NT_CREATE_PRIVATE_NAMESPACE 0xeff1eac3, 4
181 | #define NT_CREATE_PROCESS 0xf043985a, 8
182 | #define NT_CREATE_PROFILE 0xf0454d8c, 9
183 | #define NT_CREATE_PROFILE_EX 0x16cee9c9, 10
184 | #define NT_CREATE_REGISTRY_TRANSACTION 0xcc5cbc9a, 4
185 | #define NT_CREATE_RESOURCE_MANAGER 0xa38fc4de, 7
186 | #define NT_CREATE_SEMAPHORE 0xcfcacedf, 5
187 | #define NT_CREATE_SYMBOLIC_LINK_OBJECT 0xfbada4a2, 4
188 | #define NT_CREATE_THREAD_EX 0xaf18cfb0, 11
189 | #define NT_CREATE_TIMER 0x29db92bc, 4
190 | #define NT_CREATE_TIMER2 0x654dea6e, 5
191 | #define NT_CREATE_TOKEN 0x29ded47c, 13
192 | #define NT_CREATE_TOKEN_EX 0x1ce5ecb9, 17
193 | #define NT_CREATE_TRANSACTION 0x6e54201, 10
194 | #define NT_CREATE_TRANSACTION_MANAGER 0x5cf4c0fc, 6
195 | #define NT_CREATE_USER_PROCESS 0x54ce5f79, 11
196 | #define NT_CREATE_WAIT_COMPLETION_PACKET 0xe437b662, 3
197 | #define NT_CREATE_WAITABLE_PORT 0x3acada89, 5
198 | #define NT_CREATE_WNF_STATE_NAME 0xce746a68, 7
199 | #define NT_CREATE_WORKER_FACTORY 0x8b4d01cd, 10
200 | #define NT_DEBUG_ACTIVE_PROCESS 0x240dea9, 2
201 | #define NT_DEBUG_CONTINUE 0x6b3dbff3, 3
202 | #define NT_DELETE_ATOM 0x29824a4b, 1
203 | #define NT_DELETE_BOOT_ENTRY 0xa407a6c0, 1
204 | #define NT_DELETE_DRIVER_ENTRY 0x1416f78, 1
205 | #define NT_DELETE_FILE 0x2984d8fa, 1
206 | #define NT_DELETE_KEY 0x1422ae3, 1
207 | #define NT_DELETE_OBJECT_AUDIT_ALARM 0x866b8255, 3
208 | #define NT_DELETE_PRIVATE_NAMESPACE 0x9d715a82, 1
209 | #define NT_DELETE_VALUE_KEY 0xff70d480, 2
210 | #define NT_DELETE_WNF_STATE_DATA 0x2a0657c0, 2
211 | #define NT_DELETE_WNF_STATE_NAME 0x2a0bd2a7, 1
212 | #define NT_DISABLE_LAST_KNOWN_GOOD 0xcf1adec5, 0
213 | #define NT_DISPLAY_STRING 0x715df854, 1
214 | #define NT_DRAW_TEXT 0xb15412fa, 1
215 | #define NT_ENABLE_LAST_KNOWN_GOOD 0x6153a078, 0
216 | #define NT_ENUMERATE_BOOT_ENTRIES 0x6dc75d7b, 2
217 | #define NT_ENUMERATE_DRIVER_ENTRIES 0x3c6ce4f3, 2
218 | #define NT_ENUMERATE_SYSTEM_ENVIRONMENT_VALUES_EX 0xe138b974, 3
219 | #define NT_ENUMERATE_TRANSACTION_OBJECT 0xf06ae7aa, 5
220 | #define NT_EXTEND_SECTION 0xb5ee2704, 2
221 | #define NT_FILTER_BOOT_OPTION 0x70006bba, 5
222 | #define NT_FILTER_TOKEN 0xe9893eae, 6
223 | #define NT_FILTER_TOKEN_EX 0x70d3ab6b, 14
224 | #define NT_FLUSH_BUFFERS_FILE_EX 0x35ecf3d3, 5
225 | #define NT_FLUSH_INSTALL_U_I_LANGUAGE 0xd2b44de2, 2
226 | #define NT_FLUSH_INSTRUCTION_CACHE 0x6269b87f, 3
227 | #define NT_FLUSH_KEY 0xea529d52, 1
228 | #define NT_FLUSH_PROCESS_WRITE_BUFFERS 0xf8463ac0, 0
229 | #define NT_FLUSH_VIRTUAL_MEMORY 0x237a7709, 4
230 | #define NT_FLUSH_WRITE_BUFFER 0xcfc108ae, 0
231 | #define NT_FREE_USER_PHYSICAL_PAGES 0x79a55ab5, 3
232 | #define NT_FREEZE_REGISTRY 0xb5c32001, 1
233 | #define NT_FREEZE_TRANSACTIONS 0x9e6ef9a1, 2
234 | #define NT_GET_CACHED_SIGNING_LEVEL 0x21050586, 6
235 | #define NT_GET_COMPLETE_WNF_STATE_SUBSCRIPTION 0x6fcf6351, 6
236 | #define NT_GET_CONTEXT_THREAD 0x6d22f884, 2
237 | #define NT_GET_CURRENT_PROCESSOR_NUMBER 0x74827693, 0
238 | #define NT_GET_CURRENT_PROCESSOR_NUMBER_EX 0x9efa7090, 1
239 | #define NT_GET_DEVICE_POWER_STATE 0x6e80505, 2
240 | #define NT_GET_M_U_I_REGISTRY_INFO 0x8227e977, 3
241 | #define NT_GET_NEXT_PROCESS 0x963c3a5, 5
242 | #define NT_GET_NEXT_THREAD 0xa410fb9e, 6
243 | #define NT_GET_NLS_SECTION_PTR 0x5f90b7ff, 5
244 | #define NT_GET_NOTIFICATION_RESOURCE_MANAGER 0x2bb2e171, 7
245 | #define NT_GET_WRITE_WATCH 0xb8ef5569, 7
246 | #define NT_IMPERSONATE_ANONYMOUS_TOKEN 0xc17b4718, 1
247 | #define NT_IMPERSONATE_THREAD 0x1027a586, 3
248 | #define NT_INITIALIZE_ENCLAVE 0xb85c18d7, 5
249 | #define NT_INITIALIZE_NLS_FILES 0x9d2565f9, 3
250 | #define NT_INITIALIZE_REGISTRY 0x179311b2, 1
251 | #define NT_INITIATE_POWER_ACTION 0x354e9229, 4
252 | #define NT_IS_SYSTEM_RESUME_AUTOMATIC 0xd01fac80, 0
253 | #define NT_IS_U_I_LANGUAGE_COMITTED 0x6a5a3ade, 0
254 | #define NT_LISTEN_PORT 0xf1ec98bb, 2
255 | #define NT_LOAD_DRIVER 0x3e81f9b3, 1
256 | #define NT_LOAD_ENCLAVE_DATA 0x47592f1f, 9
257 | #define NT_LOAD_HOT_PATCH 0xca39db82, 2
258 | #define NT_LOAD_KEY 0x8cf13090, 2
259 | #define NT_LOAD_KEY2 0x2b1742c2, 3
260 | #define NT_LOAD_KEY_EX 0x8dff9dcd, 8
261 | #define NT_LOCK_FILE 0x303d9110, 10
262 | #define NT_LOCK_PRODUCT_ACTIVATION_KEYS 0xcf28a99f, 2
263 | #define NT_LOCK_REGISTRY_KEY 0x51260ed2, 1
264 | #define NT_LOCK_VIRTUAL_MEMORY 0x91711eb0, 4
265 | #define NT_MAKE_PERMANENT_OBJECT 0xa09d1f86, 1
266 | #define NT_MAKE_TEMPORARY_OBJECT 0xeeeeac7f, 1
267 | #define NT_MANAGE_PARTITION 0xe433c24a, 5
268 | #define NT_MAP_C_M_F_MODULE 0x5055da81, 6
269 | #define NT_MAP_USER_PHYSICAL_PAGES 0xd0830d11, 3
270 | #define NT_MAP_VIEW_OF_SECTION_EX 0x1fabf87, 9
271 | #define NT_MODIFY_BOOT_ENTRY 0xa35955, 1
272 | #define NT_MODIFY_DRIVER_ENTRY 0xf3941b4d, 1
273 | #define NT_NOTIFY_CHANGE_DIRECTORY_FILE 0x74f2b45b, 9
274 | #define NT_NOTIFY_CHANGE_DIRECTORY_FILE_EX 0x7c714058, 10
275 | #define NT_NOTIFY_CHANGE_KEY 0x54fbd14f, 10
276 | #define NT_NOTIFY_CHANGE_MULTIPLE_KEYS 0xde632b6e, 12
277 | #define NT_NOTIFY_CHANGE_SESSION 0x8da5f84a, 8
278 | #define NT_OPEN_ENLISTMENT 0x672ae47c, 5
279 | #define NT_OPEN_EVENT_PAIR 0xbb7c87, 3
280 | #define NT_OPEN_IO_COMPLETION 0xfd65b72b, 3
281 | #define NT_OPEN_JOB_OBJECT 0xeb7a5eab, 3
282 | #define NT_OPEN_KEY_EX 0x22f34eff, 4
283 | #define NT_OPEN_KEY_TRANSACTED 0x1159d9ab, 4
284 | #define NT_OPEN_KEY_TRANSACTED_EX 0xcf36f9a8, 5
285 | #define NT_OPEN_KEYED_EVENT 0xe714d0d, 3
286 | #define NT_OPEN_MUTANT 0x87263852, 3
287 | #define NT_OPEN_OBJECT_AUDIT_ALARM 0x2c2ce714, 12
288 | #define NT_OPEN_PARTITION 0x969d3173, 3
289 | #define NT_OPEN_PRIVATE_NAMESPACE 0x4332bf41, 4
290 | #define NT_OPEN_PROCESS_TOKEN 0x350dca99, 3
291 | #define NT_OPEN_REGISTRY_TRANSACTION 0xcc222858, 3
292 | #define NT_OPEN_RESOURCE_MANAGER 0xf3a9019c, 5
293 | #define NT_OPEN_SEMAPHORE 0xf85cd51d, 3
294 | #define NT_OPEN_SESSION 0x146fd5bd, 3
295 | #define NT_OPEN_SYMBOLIC_LINK_OBJECT 0x227590a0, 3
296 | #define NT_OPEN_THREAD 0x968e0cb1, 4
297 | #define NT_OPEN_TIMER 0x239829fa, 3
298 | #define NT_OPEN_TRANSACTION 0x9c11cfbf, 5
299 | #define NT_OPEN_TRANSACTION_MANAGER 0x83bcacfa, 6
300 | #define NT_PLUG_PLAY_CONTROL 0x3c8eebd6, 3
301 | #define NT_PRE_PREPARE_COMPLETE 0x2b591896, 2
302 | #define NT_PRE_PREPARE_ENLISTMENT 0x3e088e0, 2
303 | #define NT_PREPARE_COMPLETE 0xc5f855af, 2
304 | #define NT_PREPARE_ENLISTMENT 0xc3437039, 2
305 | #define NT_PRIVILEGE_CHECK 0x256dcecc, 3
306 | #define NT_PRIVILEGE_OBJECT_AUDIT_ALARM 0x908d0409, 6
307 | #define NT_PRIVILEGED_SERVICE_AUDIT_ALARM 0xa3d3d2a7, 5
308 | #define NT_PROPAGATION_COMPLETE 0xe6eaafa4, 4
309 | #define NT_PROPAGATION_FAILED 0x1051e530, 3
310 | #define NT_PULSE_EVENT 0xb4855d12, 2
311 | #define NT_QUERY_AUXILIARY_COUNTER_FREQUENCY 0xb30398e7, 1
312 | #define NT_QUERY_BOOT_ENTRY_ORDER 0x8ca0daff, 2
313 | #define NT_QUERY_BOOT_OPTIONS 0x30e175bd, 2
314 | #define NT_QUERY_DEBUG_FILTER_STATE 0xeea9c7ab, 2
315 | #define NT_QUERY_DIRECTORY_FILE_EX 0xc51f3f2f, 10
316 | #define NT_QUERY_DIRECTORY_OBJECT 0xd99de849, 7
317 | #define NT_QUERY_DRIVER_ENTRY_ORDER 0xd76b1b77, 2
318 | #define NT_QUERY_EA_FILE 0xb0f5fb83, 9
319 | #define NT_QUERY_FULL_ATTRIBUTES_FILE 0x9afec117, 2
320 | #define NT_QUERY_INFORMATION_ATOM 0xc25c2f74, 5
321 | #define NT_QUERY_INFORMATION_BY_NAME 0xccd4ca5f, 5
322 | #define NT_QUERY_INFORMATION_ENLISTMENT 0xe2fc2e6, 5
323 | #define NT_QUERY_INFORMATION_JOB_OBJECT 0xe8c817d5, 5
324 | #define NT_QUERY_INFORMATION_PORT 0xc2645448, 5
325 | #define NT_QUERY_INFORMATION_RESOURCE_MANAGER 0x6dab7246, 5
326 | #define NT_QUERY_INFORMATION_TRANSACTION 0x23b27b69, 5
327 | #define NT_QUERY_INFORMATION_TRANSACTION_MANAGER 0x14465564, 5
328 | #define NT_QUERY_INFORMATION_WORKER_FACTORY 0x104e3535, 5
329 | #define NT_QUERY_INSTALL_U_I_LANGUAGE 0xf5bb4936, 1
330 | #define NT_QUERY_INTERVAL_PROFILE 0x14494c33, 2
331 | #define NT_QUERY_IO_COMPLETION 0x4158100f, 5
332 | #define NT_QUERY_LICENSE_VALUE 0xeb2f303d, 5
333 | #define NT_QUERY_MULTIPLE_VALUE_KEY 0x9d187e0f, 6
334 | #define NT_QUERY_MUTANT 0xc510b636, 5
335 | #define NT_QUERY_OPEN_SUB_KEYS 0x2287c895, 2
336 | #define NT_QUERY_OPEN_SUB_KEYS_EX 0xe39c4b12, 4
337 | #define NT_QUERY_PORT_INFORMATION_PROCESS 0x5466fcc7, 0
338 | #define NT_QUERY_QUOTA_INFORMATION_FILE 0xfdc5bf2d, 9
339 | #define NT_QUERY_SECURITY_ATTRIBUTES_TOKEN 0xf5b5a1bd, 6
340 | #define NT_QUERY_SECURITY_OBJECT 0x8cd2436c, 5
341 | #define NT_QUERY_SECURITY_POLICY 0x9013d465, 6
342 | #define NT_QUERY_SEMAPHORE 0xab0f3881, 5
343 | #define NT_QUERY_SYMBOLIC_LINK_OBJECT 0xa7a80484, 3
344 | #define NT_QUERY_SYSTEM_ENVIRONMENT_VALUE 0x45633fd4, 4
345 | #define NT_QUERY_SYSTEM_ENVIRONMENT_VALUE_EX 0x2b328e11, 5
346 | #define NT_QUERY_SYSTEM_INFORMATION_EX 0x75352c65, 6
347 | #define NT_QUERY_TIMER_RESOLUTION 0xa19002b2, 3
348 | #define NT_QUERY_WNF_STATE_DATA 0x4d1f8de3, 6
349 | #define NT_QUERY_WNF_STATE_NAME_INFORMATION 0x4c836db0, 5
350 | #define NT_QUEUE_APC_THREAD_EX 0x3d927bf5, 6
351 | #define NT_RAISE_EXCEPTION 0xdce2e48a, 3
352 | #define NT_RAISE_HARD_ERROR 0x7ffa7e04, 6
353 | #define NT_READ_ONLY_ENLISTMENT 0x252e2a8, 2
354 | #define NT_RECOVER_ENLISTMENT 0x949a70a0, 2
355 | #define NT_RECOVER_RESOURCE_MANAGER 0xc4a9c440, 1
356 | #define NT_RECOVER_TRANSACTION_MANAGER 0x1f781d1e, 1
357 | #define NT_REGISTER_PROTOCOL_ADDRESS_INFORMATION 0xdd3cd4a, 5
358 | #define NT_REGISTER_THREAD_TERMINATE_PORT 0x578f1ff2, 1
359 | #define NT_RELEASE_KEYED_EVENT 0xdaf941c, 4
360 | #define NT_RELEASE_WORKER_FACTORY_WORKER 0xb0031914, 1
361 | #define NT_REMOVE_IO_COMPLETION_EX 0x9684d964, 6
362 | #define NT_REMOVE_PROCESS_DEBUG 0x3d7585bb, 2
363 | #define NT_RENAME_KEY 0xf0318468, 2
364 | #define NT_RENAME_TRANSACTION_MANAGER 0xc4e60360, 2
365 | #define NT_REPLACE_KEY 0x1810bec, 3
366 | #define NT_REPLACE_PARTITION_UNIT 0x696a9fdd, 3
367 | #define NT_REPLY_WAIT_REPLY_PORT 0x21e811d9, 2
368 | #define NT_REQUEST_PORT 0x4ebd4ad5, 2
369 | #define NT_RESET_EVENT 0xd7ee504c, 2
370 | #define NT_RESET_WRITE_WATCH 0x23a7956c, 3
371 | #define NT_RESTORE_KEY 0x4fd018f4, 3
372 | #define NT_RESUME_PROCESS 0x86f79217, 1
373 | #define NT_REVERT_CONTAINER_IMPERSONATION 0x47b484ca, 0
374 | #define NT_ROLLBACK_COMPLETE 0x86a1356a, 2
375 | #define NT_ROLLBACK_ENLISTMENT 0x51a32ab4, 2
376 | #define NT_ROLLBACK_REGISTRY_TRANSACTION 0xc398ed90, 2
377 | #define NT_ROLLBACK_TRANSACTION 0xd592dcf7, 2
378 | #define NT_ROLLFORWARD_TRANSACTION_MANAGER 0xf58bf5d6, 2
379 | #define NT_SAVE_KEY 0x889d2fff, 2
380 | #define NT_SAVE_KEY_EX 0x24a934fc, 3
381 | #define NT_SAVE_MERGED_KEYS 0x13414c26, 3
382 | #define NT_SECURE_CONNECT_PORT 0x24be8fbd, 9
383 | #define NT_SERIALIZE_BOOT 0x178ee343, 0
384 | #define NT_SET_BOOT_ENTRY_ORDER 0xea137895, 2
385 | #define NT_SET_BOOT_OPTIONS 0x4ed10b13, 2
386 | #define NT_SET_CACHED_SIGNING_LEVEL 0xeda0c392, 5
387 | #define NT_SET_CACHED_SIGNING_LEVEL2 0xa1b93604, 6
388 | #define NT_SET_CONTEXT_THREAD 0xffa0bf10, 2
389 | #define NT_SET_DEBUG_FILTER_STATE 0x733a22c1, 3
390 | #define NT_SET_DEFAULT_HARD_ERROR_PORT 0xc719a866, 1
391 | #define NT_SET_DEFAULT_LOCALE 0x104de608, 2
392 | #define NT_SET_DEFAULT_U_I_LANGUAGE 0x6e24d67a, 1
393 | #define NT_SET_DRIVER_ENTRY_ORDER 0x5bfb768d, 2
394 | #define NT_SET_EA_FILE 0x3b076319, 4
395 | #define NT_SET_HIGH_EVENT_PAIR 0x286bcc81, 1
396 | #define NT_SET_HIGH_WAIT_LOW_EVENT_PAIR 0x8b7e89e8, 1
397 | #define NT_SET_I_R_TIMER 0xf881c78f, 2
398 | #define NT_SET_INFORMATION_DEBUG_OBJECT 0x4a269857, 5
399 | #define NT_SET_INFORMATION_ENLISTMENT 0x65827bbc, 4
400 | #define NT_SET_INFORMATION_JOB_OBJECT 0xa59c0deb, 4
401 | #define NT_SET_INFORMATION_KEY 0x91e22c82, 4
402 | #define NT_SET_INFORMATION_RESOURCE_MANAGER 0x50a120dc, 4
403 | #define NT_SET_INFORMATION_SYMBOLIC_LINK 0xeaab6fa9, 4
404 | #define NT_SET_INFORMATION_TOKEN 0x93c77afa, 4
405 | #define NT_SET_INFORMATION_TRANSACTION 0x655c4eff, 4
406 | #define NT_SET_INFORMATION_TRANSACTION_MANAGER 0x6ed7843a, 4
407 | #define NT_SET_INFORMATION_VIRTUAL_MEMORY 0x946ac239, 6
408 | #define NT_SET_INFORMATION_WORKER_FACTORY 0x63bb464b, 4
409 | #define NT_SET_INTERVAL_PROFILE 0x200f9c89, 2
410 | #define NT_SET_IO_COMPLETION 0x1d3a5025, 5
411 | #define NT_SET_IO_COMPLETION_EX 0x550ef6a2, 6
412 | #define NT_SET_LDT_ENTRIES 0x9f1d3b71, 6
413 | #define NT_SET_LOW_EVENT_PAIR 0x7952a0f3, 1
414 | #define NT_SET_LOW_WAIT_HIGH_EVENT_PAIR 0x43f9fa88, 1
415 | #define NT_SET_QUOTA_INFORMATION_FILE 0xba99b543, 4
416 | #define NT_SET_SECURITY_OBJECT 0xea44e102, 3
417 | #define NT_SET_SYSTEM_ENVIRONMENT_VALUE 0x870d136a, 2
418 | #define NT_SET_SYSTEM_ENVIRONMENT_VALUE_EX 0x7e9f9f27, 5
419 | #define NT_SET_SYSTEM_INFORMATION 0x925df6fe, 3
420 | #define NT_SET_SYSTEM_POWER_STATE 0xdf7bbc6, 3
421 | #define NT_SET_SYSTEM_TIME 0xca883367, 2
422 | #define NT_SET_THREAD_EXECUTION_STATE 0x533483a0, 2
423 | #define NT_SET_TIMER2 0x5e994ee6, 4
424 | #define NT_SET_TIMER_EX 0x31c32e71, 4
425 | #define NT_SET_TIMER_RESOLUTION 0xad565308, 3
426 | #define NT_SET_UUID_SEED 0xe8bf79ab, 1
427 | #define NT_SET_VOLUME_INFORMATION_FILE 0x35674031, 5
428 | #define NT_SET_WNF_PROCESS_NOTIFICATION_EVENT 0xfc62d146, 1
429 | #define NT_SHUTDOWN_SYSTEM 0x211ccd48, 1
430 | #define NT_SHUTDOWN_WORKER_FACTORY 0x6417a7b5, 2
431 | #define NT_SIGNAL_AND_WAIT_FOR_SINGLE_OBJECT 0x78983aed, 4
432 | #define NT_SINGLE_PHASE_REJECT 0xbe34a197, 2
433 | #define NT_START_PROFILE 0x75d57f46, 1
434 | #define NT_STOP_PROFILE 0xd681d99e, 1
435 | #define NT_SUBSCRIBE_WNF_STATE_CHANGE 0x7e61ae3b, 4
436 | #define NT_SUSPEND_PROCESS 0x4f236448, 1
437 | #define NT_SUSPEND_THREAD 0xe43d93e1, 2
438 | #define NT_SYSTEM_DEBUG_CONTROL 0x954b7c14, 6
439 | #define NT_TERMINATE_ENCLAVE 0xf5f0572e, 2
440 | #define NT_TERMINATE_JOB_OBJECT 0x2023aea2, 2
441 | #define NT_TEST_ALERT 0x858a32df, 0
442 | #define NT_THAW_REGISTRY 0x6b8c4b34, 0
443 | #define NT_THAW_TRANSACTIONS 0x1e708654, 0
444 | #define NT_TRACE_CONTROL 0x12a85b7, 6
445 | #define NT_TRANSLATE_FILE_PATH 0xede60742, 4
446 | #define NT_UMS_THREAD_YIELD 0x87d8230b, 1
447 | #define NT_UNLOAD_DRIVER 0x41812a76, 1
448 | #define NT_UNLOAD_KEY 0x21d16033, 1
449 | #define NT_UNLOAD_KEY2 0x5bfd66c5, 2
450 | #define NT_UNLOAD_KEY_EX 0xdbaa4230, 2
451 | #define NT_UNLOCK_FILE 0x6123b513, 5
452 | #define NT_UNLOCK_VIRTUAL_MEMORY 0xad9f7613, 4
453 | #define NT_UNMAP_VIEW_OF_SECTION_EX 0xa3f4034a, 3
454 | #define NT_UNSUBSCRIBE_WNF_STATE_CHANGE 0x547ac3de, 1
455 | #define NT_UPDATE_WNF_STATE_DATA 0x5a146bf0, 7
456 | #define NT_VDM_CONTROL 0x4514dd0f, 2
457 | #define NT_WAIT_FOR_ALERT_BY_THREAD_ID 0x9376f59b, 2
458 | #define NT_WAIT_FOR_DEBUG_EVENT 0x593b99ec, 4
459 | #define NT_WAIT_FOR_KEYED_EVENT 0xd8cc6c17, 4
460 | #define NT_WAIT_FOR_WORK_VIA_WORKER_FACTORY 0xfaa56dd8, 2
461 | #define NT_WAIT_HIGH_EVENT_PAIR 0xde54fcea, 1
462 | #define NT_WAIT_LOW_EVENT_PAIR 0xf332e83c, 1
463 | #define NT_ACQUIRE_C_M_F_VIEW_OWNERSHIP 0x701cf6c1, 3
464 | #define NT_CANCEL_DEVICE_WAKEUP_REQUEST 0xd5d269d3, 1
465 | #define NT_CLEAR_ALL_SAVEPOINTS_TRANSACTION 0xc7e05999, 1
466 | #define NT_CLEAR_SAVEPOINT_TRANSACTION 0x70891ccd, 2
467 | #define NT_ROLLBACK_SAVEPOINT_TRANSACTION 0x3f8f1250, 2
468 | #define NT_SAVEPOINT_TRANSACTION 0x70d2e26, 3
469 | #define NT_SAVEPOINT_COMPLETE 0x71fe7cf9, 2
470 | #define NT_CREATE_SECTION_EX 0xf9db988d, 9
471 | #define NT_CREATE_CROSS_VM_EVENT 0x89388cca, 0
472 | #define NT_GET_PLUG_PLAY_EVENT 0x96420517, 4
473 | #define NT_LIST_TRANSACTIONS 0x9c75b5dc, 0
474 | #define NT_MARSHALL_TRANSACTION 0xf19f9a81, 0
475 | #define NT_PULL_TRANSACTION 0x314ce56a, 0
476 | #define NT_RELEASE_C_M_F_VIEW_OWNERSHIP 0xb0943c58, 0
477 | #define NT_WAIT_FOR_WNF_NOTIFICATIONS 0x8124d2a8, 0
478 | #define NT_START_TM 0xb37a7a76, 0
479 | #define NT_SET_INFORMATION_PROCESS 0x76efd658, 4
480 | #define NT_REQUEST_DEVICE_WAKEUP 0x921bb3cd, 1
481 | #define NT_REQUEST_WAKEUP_LATENCY 0x3422970d, 1
482 | #define NT_QUERY_SYSTEM_TIME 0x4d80f0d1, 1
483 | #define NT_MANAGE_HOT_PATCH 0x4b83a96b, 4
484 | #define NT_CONTINUE_EX 0xf4863069, 2
485 | #define RTL_CREATE_USER_THREAD 0x6c827322, 10
486 | 


--------------------------------------------------------------------------------
/direct-syscalls-vs-indirect-syscalls.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/C5Hackr/c_syscalls/12b0efd292af51c76761703c59d5009b53e2c254/direct-syscalls-vs-indirect-syscalls.pdf


--------------------------------------------------------------------------------