├── test ├── shellcode │ ├── CMakelists.txt │ └── shellcode.cpp └── shellcodetester │ ├── CMakelists.txt │ └── main.c ├── LICENSE ├── tools └── scextractor.py ├── README.md ├── CMakelists.txt ├── .gitignore ├── cmake └── FindWdk.cmake └── include └── sc4cpp.h /test/shellcode/CMakelists.txt: -------------------------------------------------------------------------------- 1 | ksc4pp_add_shellcode(helloworld 2 | WINVER 0x0602 3 | shellcode.cpp 4 | ) -------------------------------------------------------------------------------- /test/shellcodetester/CMakelists.txt: -------------------------------------------------------------------------------- 1 | 2 | project(shellcodetester) 3 | wdk_add_driver(shellcodetester main.c) 4 | # add custom command to sign the driver 5 | add_custom_command(TARGET shellcodetester POST_BUILD 6 | COMMAND signtool sign /v /n WDKTestCert $ 7 | ) -------------------------------------------------------------------------------- /test/shellcode/shellcode.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | SC_NOINLINE 4 | SC_CODESEG_REORDERING 5 | DWORD WINAPI Func(PCSTR lpAnsiMsg) { 6 | SC_IMPORT_API_BATCH_BEGIN(); 7 | SC_IMPORT_API_BATCH(DbgPrint); 8 | SC_IMPORT_API_BATCH_END(); 9 | DbgPrint(lpAnsiMsg); 10 | return 0; 11 | } 12 | SC_MAIN_BEGIN() 13 | { 14 | Func(SC_PISTRINGA("Hello, world!")); 15 | } 16 | SC_MAIN_END(); -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 windpiaoxue 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /tools/scextractor.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | import pefile 4 | import sys 5 | from pathlib import Path 6 | 7 | 8 | def extract_shellcode(sc_path : Path) -> Path: 9 | image = pefile.PE(str(sc_path)) 10 | if not image.is_exe() and not image.is_dll(): 11 | raise Exception("The file is not a valid PE file.") 12 | 13 | for symbol in image.DIRECTORY_ENTRY_EXPORT.symbols: 14 | if symbol.name.decode() == "SCBegin": 15 | sc_begin = symbol.address 16 | elif symbol.name.decode() == "SCEnd": 17 | sc_end = symbol.address 18 | if "sc_begin" not in locals().keys() or "sc_end" not in locals().keys(): 19 | raise Exception("Not found shellcode in the PE file.") 20 | 21 | sc_path = sc_path.parent.joinpath(sc_path.stem).with_suffix(".sc") 22 | sc_path.write_bytes(image.get_data(sc_begin, sc_end - sc_begin)) 23 | return sc_path 24 | 25 | 26 | if __name__ == "__main__": 27 | if len(sys.argv) != 2: 28 | raise Exception("Invalid parameters.") 29 | sc_path = Path(sys.argv[1]) 30 | if not sc_path.is_file(): 31 | raise Exception("Invalid parameters.") 32 | sc_path = extract_shellcode(sc_path) 33 | print(f"------ The shellcode extracted successfully and saved {sc_path} ------") 34 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ksc4cpp 2 | ksc4cpp is a shellcode framework for windows kernel based on C++ 3 | 4 | modified from sc4cpp 5 | 6 | Tested on Windows 10, Version 21H2 7 | 8 | ## Compiler 9 | Clang for Windows 10 | 11 | ## Compiler options 12 | ``` 13 | must using clang-cl for compiling 14 | /O2 /Os /MT /GS- /Gs1048576 -mno-sse -Wno-address-of-temporary 15 | ``` 16 | ## Build using Cmake 17 | 18 | cmake file: 19 | 20 | ```cmake 21 | add_subdirectory("ksd4cpp") 22 | ksc4pp_add_shellcode(helloworld 23 | WINVER 0x0602 24 | shellcode.cpp 25 | ) 26 | ``` 27 | 28 | build: 29 | 30 | ``` 31 | mkdir build 32 | cd build 33 | cmake .. 34 | # do not use Debug mode 35 | cmake --build --config Release 36 | ``` 37 | 38 | ## Example 39 | ```cpp 40 | #include 41 | 42 | SC_NOINLINE 43 | SC_CODESEG_REORDERING 44 | DWORD WINAPI Func(PCSTR lpAnsiMsg) { 45 | SC_IMPORT_API_BATCH_BEGIN(); 46 | SC_IMPORT_API_BATCH(DbgPrint); 47 | SC_IMPORT_API_BATCH_END(); 48 | DbgPrint(lpAnsiMsg); 49 | return 0; 50 | } 51 | SC_MAIN_BEGIN() 52 | { 53 | Func(SC_PISTRINGA("Hello, world!")); 54 | } 55 | SC_MAIN_END(); 56 | ``` 57 | 58 | ## Credit 59 | 60 | [Windows x64 shellcode for locating the base address of ntoskrnl.exe](https://gist.github.com/Barakat/34e9924217ed81fd78c9c92d746ec9c6) 61 | 62 | [[原创]X64 Kernel Shellcode获取Ntos Base-编程技术-看雪论坛-安全社区|安全招聘|bbs.pediy.com](https://bbs.pediy.com/thread-266744.htm) 63 | 64 | [windpiaoxue/sc4cpp: sc4cpp is a shellcode framework based on C++](https://github.com/windpiaoxue/sc4cpp) 65 | -------------------------------------------------------------------------------- /CMakelists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.25) 2 | project(ksc4cpp) 3 | 4 | list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/cmake") 5 | find_package(WDK REQUIRED) 6 | 7 | 8 | 9 | function(ksc4pp_add_shellcode _target) 10 | cmake_parse_arguments(WDK "" "KMDF;WINVER;NTDDI_VERSION" "" ${ARGN}) 11 | 12 | add_executable(${_target} ${WDK_UNPARSED_ARGUMENTS}) 13 | # add include directories 14 | 15 | set_target_properties(${_target} PROPERTIES SUFFIX ".sys") 16 | set_target_properties(${_target} PROPERTIES COMPILE_OPTIONS "${WDK_COMPILE_FLAGS}") 17 | set_target_properties(${_target} PROPERTIES COMPILE_DEFINITIONS 18 | "${WDK_COMPILE_DEFINITIONS};$<$:${WDK_COMPILE_DEFINITIONS_DEBUG}>;_WIN32_WINNT=${WDK_WINVER}" 19 | ) 20 | set_target_properties(${_target} PROPERTIES LINK_FLAGS "${WDK_LINK_FLAGS}") 21 | 22 | if(WDK_NTDDI_VERSION) 23 | target_compile_definitions(${_target} PRIVATE NTDDI_VERSION=${WDK_NTDDI_VERSION}) 24 | endif() 25 | 26 | target_include_directories(${_target} PRIVATE ${CMAKE_CURRENT_FUNCTION_LIST_DIR}/include) 27 | target_include_directories(${_target} SYSTEM PRIVATE 28 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/shared" 29 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/km" 30 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/km/crt" 31 | ) 32 | 33 | target_link_libraries(${_target} WDK::NTOSKRNL WDK::HAL WDK::WMILIB) 34 | 35 | if(CMAKE_SIZEOF_VOID_P EQUAL 4) 36 | target_link_libraries(${_target} WDK::MEMCMP) 37 | endif() 38 | 39 | set_property(TARGET ${_target} APPEND_STRING PROPERTY LINK_FLAGS "/ENTRY:SCBegin") 40 | 41 | if(DEFINED WDK_KMDF) 42 | target_include_directories(${_target} SYSTEM PRIVATE "${WDK_ROOT}/Include/wdf/kmdf/${WDK_KMDF}") 43 | target_link_libraries(${_target} 44 | "${WDK_ROOT}/Lib/wdf/kmdf/${WDK_PLATFORM}/${WDK_KMDF}/WdfDriverEntry.lib" 45 | "${WDK_ROOT}/Lib/wdf/kmdf/${WDK_PLATFORM}/${WDK_KMDF}/WdfLdr.lib" 46 | ) 47 | endif() 48 | 49 | set_target_properties(${_target} 50 | PROPERTIES 51 | VS_PLATFORM_TOOLSET ClangCL) 52 | set(CMAKE_INCLUDE_SYSTEM_FLAG_CXX "-imsvc" PARENT_SCOPE) 53 | set(CMAKE_INCLUDE_SYSTEM_FLAG_C "-imsvc" PARENT_SCOPE) 54 | 55 | set(COMPILE_FLAGS "/O2" "/Os" "/MT" "/GS-" "/Gs1048576" "-mno-sse" "-Wno-address-of-temporary") 56 | set_target_properties(${_target} PROPERTIES COMPILE_OPTIONS "${COMPILE_FLAGS}") 57 | 58 | 59 | # add custom command to sign the driver 60 | add_custom_command(TARGET ${_target} POST_BUILD 61 | COMMAND py -3 "${CMAKE_CURRENT_FUNCTION_LIST_DIR}/tools/scextractor.py" $ 62 | ) 63 | endfunction() 64 | 65 | add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/test/shellcode") 66 | add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/test/shellcodetester") -------------------------------------------------------------------------------- /test/shellcodetester/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #pragma comment(linker, "/merge:.data=.text") 4 | #pragma comment(linker, "/section:.text,RWE") 5 | 6 | void DriverUnload(PDRIVER_OBJECT DriverObject) 7 | { 8 | UNREFERENCED_PARAMETER(DriverObject); 9 | } 10 | unsigned char hexData[330] = { 11 | 0xE9, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xEC, 0x38, 0x48, 0xB8, 0x48, 0x65, 0x6C, 0x6C, 0x6F, 12 | 0x2C, 0x20, 0x77, 0x48, 0x8D, 0x4C, 0x24, 0x28, 0x48, 0x89, 0x01, 0xC7, 0x41, 0x08, 0x6F, 0x72, 13 | 0x6C, 0x64, 0x66, 0xC7, 0x41, 0x0C, 0x21, 0x00, 0xE8, 0x06, 0x00, 0x00, 0x00, 0x90, 0x48, 0x83, 14 | 0xC4, 0x38, 0xC3, 0x41, 0x56, 0x56, 0x57, 0x53, 0x48, 0x83, 0xEC, 0x48, 0x49, 0x89, 0xCE, 0x65, 15 | 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x48, 0x04, 0x80, 0x39, 0x48, 0x75, 16 | 0x12, 0x80, 0x79, 0x01, 0x8D, 0x75, 0x0C, 0x80, 0x79, 0x02, 0x1D, 0x75, 0x06, 0x80, 0x79, 0x06, 17 | 0xFF, 0x74, 0x05, 0x48, 0xFF, 0xC9, 0xEB, 0xE4, 0x48, 0x63, 0x41, 0x03, 0x48, 0x01, 0xC8, 0x48, 18 | 0x83, 0xC0, 0x07, 0x31, 0xD2, 0xA9, 0xFF, 0x0F, 0x00, 0x00, 0x0F, 0x95, 0xC2, 0x48, 0x29, 0xD1, 19 | 0xA9, 0xFF, 0x0F, 0x00, 0x00, 0x75, 0xC5, 0x48, 0x63, 0x48, 0x3C, 0x8B, 0x8C, 0x08, 0x88, 0x00, 20 | 0x00, 0x00, 0x44, 0x8B, 0x5C, 0x08, 0x18, 0x4D, 0x85, 0xDB, 0x74, 0x53, 0x8B, 0x74, 0x08, 0x20, 21 | 0x48, 0x01, 0xC6, 0x44, 0x8B, 0x44, 0x08, 0x24, 0x49, 0x01, 0xC0, 0x44, 0x8B, 0x4C, 0x08, 0x1C, 22 | 0x49, 0x01, 0xC1, 0x4C, 0x8D, 0x50, 0x01, 0x31, 0xDB, 0x8B, 0x3C, 0x9E, 0x8A, 0x14, 0x38, 0x84, 23 | 0xD2, 0x74, 0x24, 0x4C, 0x01, 0xD7, 0xB9, 0xC5, 0x9D, 0x1C, 0x81, 0x0F, 0xB6, 0xD2, 0x31, 0xCA, 24 | 0x69, 0xCA, 0x93, 0x01, 0x00, 0x01, 0x8A, 0x17, 0x48, 0xFF, 0xC7, 0x84, 0xD2, 0x75, 0xEC, 0x81, 25 | 0xF9, 0x98, 0x15, 0x70, 0x34, 0x74, 0x0D, 0x48, 0xFF, 0xC3, 0x4C, 0x39, 0xDB, 0x75, 0xCA, 0xCC, 26 | 0x31, 0xC0, 0xEB, 0x0E, 0x89, 0xD9, 0x41, 0x0F, 0xB7, 0x0C, 0x48, 0x41, 0x8B, 0x0C, 0x89, 0x48, 27 | 0x01, 0xC8, 0x48, 0x8D, 0x4C, 0x24, 0x20, 0xC7, 0x01, 0x10, 0x00, 0x12, 0x00, 0x48, 0xBA, 0x44, 28 | 0x00, 0x62, 0x00, 0x67, 0x00, 0x50, 0x00, 0x48, 0x8D, 0x5C, 0x24, 0x30, 0x48, 0x89, 0x13, 0x48, 29 | 0xBA, 0x72, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x48, 0x89, 0x53, 0x08, 0x66, 0xC7, 0x43, 30 | 0x10, 0x00, 0x00, 0x48, 0x89, 0x59, 0x08, 0xFF, 0xD0, 0x4C, 0x89, 0xF1, 0xFF, 0xD0, 0x31, 0xC0, 31 | 0x48, 0x83, 0xC4, 0x48, 0x5B, 0x5F, 0x5E, 0x41, 0x5E, 0xC3 32 | }; 33 | 34 | 35 | 36 | NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, 37 | PUNICODE_STRING RegistryPath) 38 | { 39 | 40 | UNREFERENCED_PARAMETER(DriverObject); 41 | UNREFERENCED_PARAMETER(RegistryPath); 42 | ((void(*)())hexData)(); 43 | 44 | // auto ntoskrnl_base = GetNtoskrnlBaseAddress(); 45 | // // print the address of ntoskrnl.exe 46 | // DbgPrint("ntoskrnl.exe base address: %p", ntoskrnl_base); 47 | 48 | // set driver unload function 49 | DriverObject->DriverUnload = DriverUnload; 50 | return STATUS_SUCCESS; 51 | } -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Aa][Rr][Mm]/ 27 | [Aa][Rr][Mm]64/ 28 | bld/ 29 | [Bb]in/ 30 | [Oo]bj/ 31 | [Ll]og/ 32 | [Ll]ogs/ 33 | 34 | # Visual Studio 2015/2017 cache/options directory 35 | .vs/ 36 | # Uncomment if you have tasks that create the project's static files in wwwroot 37 | #wwwroot/ 38 | 39 | # Visual Studio 2017 auto generated files 40 | Generated\ Files/ 41 | 42 | # MSTest test Results 43 | [Tt]est[Rr]esult*/ 44 | [Bb]uild[Ll]og.* 45 | 46 | # NUnit 47 | *.VisualState.xml 48 | TestResult.xml 49 | nunit-*.xml 50 | 51 | # Build Results of an ATL Project 52 | [Dd]ebugPS/ 53 | [Rr]eleasePS/ 54 | dlldata.c 55 | 56 | # Benchmark Results 57 | BenchmarkDotNet.Artifacts/ 58 | 59 | # .NET Core 60 | project.lock.json 61 | project.fragment.lock.json 62 | artifacts/ 63 | 64 | # StyleCop 65 | StyleCopReport.xml 66 | 67 | # Files built by Visual Studio 68 | *_i.c 69 | *_p.c 70 | *_h.h 71 | *.ilk 72 | *.meta 73 | *.obj 74 | *.iobj 75 | *.pch 76 | *.pdb 77 | *.ipdb 78 | *.pgc 79 | *.pgd 80 | *.rsp 81 | *.sbr 82 | *.tlb 83 | *.tli 84 | *.tlh 85 | *.tmp 86 | *.tmp_proj 87 | *_wpftmp.csproj 88 | *.log 89 | *.vspscc 90 | *.vssscc 91 | .builds 92 | *.pidb 93 | *.svclog 94 | *.scc 95 | 96 | # Chutzpah Test files 97 | _Chutzpah* 98 | 99 | # Visual C++ cache files 100 | ipch/ 101 | *.aps 102 | *.ncb 103 | *.opendb 104 | *.opensdf 105 | *.sdf 106 | *.cachefile 107 | *.VC.db 108 | *.VC.VC.opendb 109 | 110 | # Visual Studio profiler 111 | *.psess 112 | *.vsp 113 | *.vspx 114 | *.sap 115 | 116 | # Visual Studio Trace Files 117 | *.e2e 118 | 119 | # TFS 2012 Local Workspace 120 | $tf/ 121 | 122 | # Guidance Automation Toolkit 123 | *.gpState 124 | 125 | # ReSharper is a .NET coding add-in 126 | _ReSharper*/ 127 | *.[Rr]e[Ss]harper 128 | *.DotSettings.user 129 | 130 | # TeamCity is a build add-in 131 | _TeamCity* 132 | 133 | # DotCover is a Code Coverage Tool 134 | *.dotCover 135 | 136 | # AxoCover is a Code Coverage Tool 137 | .axoCover/* 138 | !.axoCover/settings.json 139 | 140 | # Visual Studio code coverage results 141 | *.coverage 142 | *.coveragexml 143 | 144 | # NCrunch 145 | _NCrunch_* 146 | .*crunch*.local.xml 147 | nCrunchTemp_* 148 | 149 | # MightyMoose 150 | *.mm.* 151 | AutoTest.Net/ 152 | 153 | # Web workbench (sass) 154 | .sass-cache/ 155 | 156 | # Installshield output folder 157 | [Ee]xpress/ 158 | 159 | # DocProject is a documentation generator add-in 160 | DocProject/buildhelp/ 161 | DocProject/Help/*.HxT 162 | DocProject/Help/*.HxC 163 | DocProject/Help/*.hhc 164 | DocProject/Help/*.hhk 165 | DocProject/Help/*.hhp 166 | DocProject/Help/Html2 167 | DocProject/Help/html 168 | 169 | # Click-Once directory 170 | publish/ 171 | 172 | # Publish Web Output 173 | *.[Pp]ublish.xml 174 | *.azurePubxml 175 | # Note: Comment the next line if you want to checkin your web deploy settings, 176 | # but database connection strings (with potential passwords) will be unencrypted 177 | *.pubxml 178 | *.publishproj 179 | 180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 181 | # checkin your Azure Web App publish settings, but sensitive information contained 182 | # in these scripts will be unencrypted 183 | PublishScripts/ 184 | 185 | # NuGet Packages 186 | *.nupkg 187 | # NuGet Symbol Packages 188 | *.snupkg 189 | # The packages folder can be ignored because of Package Restore 190 | **/[Pp]ackages/* 191 | # except build/, which is used as an MSBuild target. 192 | !**/[Pp]ackages/build/ 193 | # Uncomment if necessary however generally it will be regenerated when needed 194 | #!**/[Pp]ackages/repositories.config 195 | # NuGet v3's project.json files produces more ignorable files 196 | *.nuget.props 197 | *.nuget.targets 198 | 199 | # Microsoft Azure Build Output 200 | csx/ 201 | *.build.csdef 202 | 203 | # Microsoft Azure Emulator 204 | ecf/ 205 | rcf/ 206 | 207 | # Windows Store app package directories and files 208 | AppPackages/ 209 | BundleArtifacts/ 210 | Package.StoreAssociation.xml 211 | _pkginfo.txt 212 | *.appx 213 | *.appxbundle 214 | *.appxupload 215 | 216 | # Visual Studio cache files 217 | # files ending in .cache can be ignored 218 | *.[Cc]ache 219 | # but keep track of directories ending in .cache 220 | !?*.[Cc]ache/ 221 | 222 | # Others 223 | ClientBin/ 224 | ~$* 225 | *~ 226 | *.dbmdl 227 | *.dbproj.schemaview 228 | *.jfm 229 | *.pfx 230 | *.publishsettings 231 | orleans.codegen.cs 232 | 233 | # Including strong name files can present a security risk 234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 235 | #*.snk 236 | 237 | # Since there are multiple workflows, uncomment next line to ignore bower_components 238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 239 | #bower_components/ 240 | 241 | # RIA/Silverlight projects 242 | Generated_Code/ 243 | 244 | # Backup & report files from converting an old project file 245 | # to a newer Visual Studio version. Backup files are not needed, 246 | # because we have git ;-) 247 | _UpgradeReport_Files/ 248 | Backup*/ 249 | UpgradeLog*.XML 250 | UpgradeLog*.htm 251 | ServiceFabricBackup/ 252 | *.rptproj.bak 253 | 254 | # SQL Server files 255 | *.mdf 256 | *.ldf 257 | *.ndf 258 | 259 | # Business Intelligence projects 260 | *.rdl.data 261 | *.bim.layout 262 | *.bim_*.settings 263 | *.rptproj.rsuser 264 | *- [Bb]ackup.rdl 265 | *- [Bb]ackup ([0-9]).rdl 266 | *- [Bb]ackup ([0-9][0-9]).rdl 267 | 268 | # Microsoft Fakes 269 | FakesAssemblies/ 270 | 271 | # GhostDoc plugin setting file 272 | *.GhostDoc.xml 273 | 274 | # Node.js Tools for Visual Studio 275 | .ntvs_analysis.dat 276 | node_modules/ 277 | 278 | # Visual Studio 6 build log 279 | *.plg 280 | 281 | # Visual Studio 6 workspace options file 282 | *.opt 283 | 284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 285 | *.vbw 286 | 287 | # Visual Studio LightSwitch build output 288 | **/*.HTMLClient/GeneratedArtifacts 289 | **/*.DesktopClient/GeneratedArtifacts 290 | **/*.DesktopClient/ModelManifest.xml 291 | **/*.Server/GeneratedArtifacts 292 | **/*.Server/ModelManifest.xml 293 | _Pvt_Extensions 294 | 295 | # Paket dependency manager 296 | .paket/paket.exe 297 | paket-files/ 298 | 299 | # FAKE - F# Make 300 | .fake/ 301 | 302 | # CodeRush personal settings 303 | .cr/personal 304 | 305 | # Python Tools for Visual Studio (PTVS) 306 | __pycache__/ 307 | *.pyc 308 | 309 | # Cake - Uncomment if you are using it 310 | # tools/** 311 | # !tools/packages.config 312 | 313 | # Tabs Studio 314 | *.tss 315 | 316 | # Telerik's JustMock configuration file 317 | *.jmconfig 318 | 319 | # BizTalk build output 320 | *.btp.cs 321 | *.btm.cs 322 | *.odx.cs 323 | *.xsd.cs 324 | 325 | # OpenCover UI analysis results 326 | OpenCover/ 327 | 328 | # Azure Stream Analytics local run output 329 | ASALocalRun/ 330 | 331 | # MSBuild Binary and Structured Log 332 | *.binlog 333 | 334 | # NVidia Nsight GPU debugger configuration file 335 | *.nvuser 336 | 337 | # MFractors (Xamarin productivity tool) working folder 338 | .mfractor/ 339 | 340 | # Local History for Visual Studio 341 | .localhistory/ 342 | 343 | # BeatPulse healthcheck temp database 344 | healthchecksdb 345 | 346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 347 | MigrationBackup/ 348 | 349 | # Ionide (cross platform F# VS Code tools) working folder 350 | .ionide/ 351 | 352 | .vscode/ 353 | build/ -------------------------------------------------------------------------------- /cmake/FindWdk.cmake: -------------------------------------------------------------------------------- 1 | # Redistribution and use is allowed under the OSI-approved 3-clause BSD license. 2 | # Copyright (c) 2018 Sergey Podobry (sergey.podobry at gmail.com). All rights reserved. 3 | 4 | #.rst: 5 | # FindWDK 6 | # ---------- 7 | # 8 | # This module searches for the installed Windows Development Kit (WDK) and 9 | # exposes commands for creating kernel drivers and kernel libraries. 10 | # 11 | # Output variables: 12 | # - `WDK_FOUND` -- if false, do not try to use WDK 13 | # - `WDK_ROOT` -- where WDK is installed 14 | # - `WDK_VERSION` -- the version of the selected WDK 15 | # - `WDK_WINVER` -- the WINVER used for kernel drivers and libraries 16 | # (default value is `0x0601` and can be changed per target or globally) 17 | # - `WDK_NTDDI_VERSION` -- the NTDDI_VERSION used for kernel drivers and libraries, 18 | # if not set, the value will be automatically calculated by WINVER 19 | # (default value is left blank and can be changed per target or globally) 20 | # 21 | # Example usage: 22 | # 23 | # find_package(WDK REQUIRED) 24 | # 25 | # wdk_add_library(KmdfCppLib STATIC KMDF 1.15 26 | # KmdfCppLib.h 27 | # KmdfCppLib.cpp 28 | # ) 29 | # target_include_directories(KmdfCppLib INTERFACE .) 30 | # 31 | # wdk_add_driver(KmdfCppDriver KMDF 1.15 32 | # Main.cpp 33 | # ) 34 | # target_link_libraries(KmdfCppDriver KmdfCppLib) 35 | # 36 | 37 | if(DEFINED ENV{WDKContentRoot}) 38 | file(GLOB WDK_NTDDK_FILES 39 | "$ENV{WDKContentRoot}/Include/*/km/ntddk.h" # WDK 10 40 | "$ENV{WDKContentRoot}/Include/km/ntddk.h" # WDK 8.0, 8.1 41 | ) 42 | else() 43 | file(GLOB WDK_NTDDK_FILES 44 | "C:/Program Files*/Windows Kits/*/Include/*/km/ntddk.h" # WDK 10 45 | "C:/Program Files*/Windows Kits/*/Include/km/ntddk.h" # WDK 8.0, 8.1 46 | ) 47 | endif() 48 | 49 | if(WDK_NTDDK_FILES) 50 | if (NOT CMAKE_VERSION VERSION_LESS 3.18.0) 51 | list(SORT WDK_NTDDK_FILES COMPARE NATURAL) # sort to use the latest available WDK 52 | endif() 53 | list(GET WDK_NTDDK_FILES -1 WDK_LATEST_NTDDK_FILE) 54 | endif() 55 | 56 | include(FindPackageHandleStandardArgs) 57 | find_package_handle_standard_args(WDK REQUIRED_VARS WDK_LATEST_NTDDK_FILE) 58 | 59 | if (NOT WDK_LATEST_NTDDK_FILE) 60 | return() 61 | endif() 62 | 63 | get_filename_component(WDK_ROOT ${WDK_LATEST_NTDDK_FILE} DIRECTORY) 64 | get_filename_component(WDK_ROOT ${WDK_ROOT} DIRECTORY) 65 | get_filename_component(WDK_VERSION ${WDK_ROOT} NAME) 66 | get_filename_component(WDK_ROOT ${WDK_ROOT} DIRECTORY) 67 | if (NOT WDK_ROOT MATCHES ".*/[0-9][0-9.]*$") # WDK 10 has a deeper nesting level 68 | get_filename_component(WDK_ROOT ${WDK_ROOT} DIRECTORY) # go up once more 69 | set(WDK_LIB_VERSION "${WDK_VERSION}") 70 | set(WDK_INC_VERSION "${WDK_VERSION}") 71 | else() # WDK 8.0, 8.1 72 | set(WDK_INC_VERSION "") 73 | foreach(VERSION winv6.3 win8 win7) 74 | if (EXISTS "${WDK_ROOT}/Lib/${VERSION}/") 75 | set(WDK_LIB_VERSION "${VERSION}") 76 | break() 77 | endif() 78 | endforeach() 79 | set(WDK_VERSION "${WDK_LIB_VERSION}") 80 | endif() 81 | 82 | message(STATUS "WDK_ROOT: " ${WDK_ROOT}) 83 | message(STATUS "WDK_VERSION: " ${WDK_VERSION}) 84 | 85 | set(WDK_WINVER "0x0601" CACHE STRING "Default WINVER for WDK targets") 86 | set(WDK_NTDDI_VERSION "" CACHE STRING "Specified NTDDI_VERSION for WDK targets if needed") 87 | 88 | set(WDK_ADDITIONAL_FLAGS_FILE "${CMAKE_CURRENT_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/wdkflags.h") 89 | file(WRITE ${WDK_ADDITIONAL_FLAGS_FILE} "#pragma runtime_checks(\"suc\", off)") 90 | 91 | set(WDK_COMPILE_FLAGS 92 | "/Zp8" # set struct alignment 93 | "/GF" # enable string pooling 94 | "/GR-" # disable RTTI 95 | "/Gz" # __stdcall by default 96 | "/kernel" # create kernel mode binary 97 | "/FIwarning.h" # disable warnings in WDK headers 98 | "/FI${WDK_ADDITIONAL_FLAGS_FILE}" # include file to disable RTC 99 | ) 100 | 101 | set(WDK_COMPILE_DEFINITIONS "WINNT=1") 102 | set(WDK_COMPILE_DEFINITIONS_DEBUG "MSC_NOOPT;DEPRECATE_DDK_FUNCTIONS=1;DBG=1") 103 | 104 | if(CMAKE_SIZEOF_VOID_P EQUAL 4) 105 | list(APPEND WDK_COMPILE_DEFINITIONS "_X86_=1;i386=1;STD_CALL") 106 | set(WDK_PLATFORM "x86") 107 | elseif(CMAKE_SIZEOF_VOID_P EQUAL 8) 108 | list(APPEND WDK_COMPILE_DEFINITIONS "_WIN64;_AMD64_;AMD64") 109 | set(WDK_PLATFORM "x64") 110 | else() 111 | message(FATAL_ERROR "Unsupported architecture") 112 | endif() 113 | 114 | string(CONCAT WDK_LINK_FLAGS 115 | "/MANIFEST:NO " # 116 | "/DRIVER " # 117 | "/OPT:REF " # 118 | "/INCREMENTAL:NO " # 119 | "/OPT:ICF " # 120 | "/SUBSYSTEM:NATIVE " # 121 | "/MERGE:_TEXT=.text;_PAGE=PAGE " # 122 | "/NODEFAULTLIB " # do not link default CRT 123 | "/SECTION:INIT,d " # 124 | "/VERSION:10.0 " # 125 | ) 126 | 127 | # Generate imported targets for WDK lib files 128 | file(GLOB WDK_LIBRARIES "${WDK_ROOT}/Lib/${WDK_LIB_VERSION}/km/${WDK_PLATFORM}/*.lib") 129 | foreach(LIBRARY IN LISTS WDK_LIBRARIES) 130 | get_filename_component(LIBRARY_NAME ${LIBRARY} NAME_WE) 131 | string(TOUPPER ${LIBRARY_NAME} LIBRARY_NAME) 132 | add_library(WDK::${LIBRARY_NAME} INTERFACE IMPORTED) 133 | set_property(TARGET WDK::${LIBRARY_NAME} PROPERTY INTERFACE_LINK_LIBRARIES ${LIBRARY}) 134 | endforeach(LIBRARY) 135 | unset(WDK_LIBRARIES) 136 | 137 | function(wdk_add_driver _target) 138 | cmake_parse_arguments(WDK "" "KMDF;WINVER;NTDDI_VERSION" "" ${ARGN}) 139 | 140 | add_executable(${_target} ${WDK_UNPARSED_ARGUMENTS}) 141 | 142 | set_target_properties(${_target} PROPERTIES SUFFIX ".sys") 143 | set_target_properties(${_target} PROPERTIES COMPILE_OPTIONS "${WDK_COMPILE_FLAGS}") 144 | set_target_properties(${_target} PROPERTIES COMPILE_DEFINITIONS 145 | "${WDK_COMPILE_DEFINITIONS};$<$:${WDK_COMPILE_DEFINITIONS_DEBUG}>;_WIN32_WINNT=${WDK_WINVER}" 146 | ) 147 | set_target_properties(${_target} PROPERTIES LINK_FLAGS "${WDK_LINK_FLAGS}") 148 | if(WDK_NTDDI_VERSION) 149 | target_compile_definitions(${_target} PRIVATE NTDDI_VERSION=${WDK_NTDDI_VERSION}) 150 | endif() 151 | 152 | target_include_directories(${_target} SYSTEM PRIVATE 153 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/shared" 154 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/km" 155 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/km/crt" 156 | ) 157 | 158 | target_link_libraries(${_target} WDK::NTOSKRNL WDK::HAL WDK::BUFFEROVERFLOWK WDK::WMILIB) 159 | 160 | if(CMAKE_SIZEOF_VOID_P EQUAL 4) 161 | target_link_libraries(${_target} WDK::MEMCMP) 162 | endif() 163 | 164 | if(DEFINED WDK_KMDF) 165 | target_include_directories(${_target} SYSTEM PRIVATE "${WDK_ROOT}/Include/wdf/kmdf/${WDK_KMDF}") 166 | target_link_libraries(${_target} 167 | "${WDK_ROOT}/Lib/wdf/kmdf/${WDK_PLATFORM}/${WDK_KMDF}/WdfDriverEntry.lib" 168 | "${WDK_ROOT}/Lib/wdf/kmdf/${WDK_PLATFORM}/${WDK_KMDF}/WdfLdr.lib" 169 | ) 170 | 171 | if(CMAKE_SIZEOF_VOID_P EQUAL 4) 172 | set_property(TARGET ${_target} APPEND_STRING PROPERTY LINK_FLAGS "/ENTRY:FxDriverEntry@8") 173 | elseif(CMAKE_SIZEOF_VOID_P EQUAL 8) 174 | set_property(TARGET ${_target} APPEND_STRING PROPERTY LINK_FLAGS "/ENTRY:FxDriverEntry") 175 | endif() 176 | else() 177 | if(CMAKE_SIZEOF_VOID_P EQUAL 4) 178 | set_property(TARGET ${_target} APPEND_STRING PROPERTY LINK_FLAGS "/ENTRY:GsDriverEntry@8") 179 | elseif(CMAKE_SIZEOF_VOID_P EQUAL 8) 180 | set_property(TARGET ${_target} APPEND_STRING PROPERTY LINK_FLAGS "/ENTRY:GsDriverEntry") 181 | endif() 182 | endif() 183 | endfunction() 184 | 185 | function(wdk_add_library _target) 186 | cmake_parse_arguments(WDK "" "KMDF;WINVER;NTDDI_VERSION" "" ${ARGN}) 187 | 188 | add_library(${_target} ${WDK_UNPARSED_ARGUMENTS}) 189 | 190 | set_target_properties(${_target} PROPERTIES COMPILE_OPTIONS "${WDK_COMPILE_FLAGS}") 191 | set_target_properties(${_target} PROPERTIES COMPILE_DEFINITIONS 192 | "${WDK_COMPILE_DEFINITIONS};$<$:${WDK_COMPILE_DEFINITIONS_DEBUG};>_WIN32_WINNT=${WDK_WINVER}" 193 | ) 194 | if(WDK_NTDDI_VERSION) 195 | target_compile_definitions(${_target} PRIVATE NTDDI_VERSION=${WDK_NTDDI_VERSION}) 196 | endif() 197 | 198 | target_include_directories(${_target} SYSTEM PRIVATE 199 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/shared" 200 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/km" 201 | "${WDK_ROOT}/Include/${WDK_INC_VERSION}/km/crt" 202 | ) 203 | 204 | if(DEFINED WDK_KMDF) 205 | target_include_directories(${_target} SYSTEM PRIVATE "${WDK_ROOT}/Include/wdf/kmdf/${WDK_KMDF}") 206 | endif() 207 | endfunction() 208 | -------------------------------------------------------------------------------- /include/sc4cpp.h: -------------------------------------------------------------------------------- 1 | /** 2 | * Copyright (c) 2021 smh 3 | * All rights reserved 4 | * 5 | * Permission is hereby granted, free of charge, to any person obtaining a copy 6 | * of this software and associated documentation files (the "Software"), to deal 7 | * in the Software without restriction, including without limitation the rights 8 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | * copies of the Software, and to permit persons to whom the Software is 10 | * furnished to do so, subject to the following conditions: 11 | * 12 | * The above copyright notice and this permission notice shall be included in 13 | * all copies or substantial portions of the Software. 14 | * 15 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | * SOFTWARE. 22 | */ 23 | #pragma once 24 | 25 | #if !defined(__clang__) || !defined(_WIN32) 26 | #error "sc4cpp only supports Clang on windows" 27 | #endif 28 | 29 | #include 30 | #include 31 | #include 32 | #include 33 | #define _countof(array) (sizeof(array) / sizeof(array[0])) 34 | #define _T(x) L##x 35 | // #include 36 | 37 | // #include 38 | 39 | #ifdef _DEBUG 40 | #define SC_DEBUG 41 | #endif // _DEBUG 42 | 43 | #ifdef _WIN64 44 | #define SC_WIN64 45 | #endif // _WIN64 46 | 47 | #define SC_CONSTEXPR constexpr 48 | #define SC_NOINLINE __declspec(noinline) 49 | #define SC_FORCEINLINE __forceinline 50 | 51 | #define SC_EXTERN_C_BEGIN \ 52 | extern "C" \ 53 | { 54 | #define SC_DLL_IMPORT __declspec(dllimport) 55 | #define SC_DLL_EXPORT __declspec(dllexport) 56 | #define SC_EXTERN_C_END } 57 | 58 | #define SC_NAKEDFUNC __declspec(naked) 59 | #define SC_ASM __asm 60 | #define SC_EMIT(c) __asm _emit(c) 61 | 62 | #define SC_CODESEG(s) __declspec(code_seg(".code$" #s)) 63 | 64 | #define SC_CODESEG_START SC_CODESEG(CAA) 65 | #define SC_CODESEG_END SC_CODESEG(CZZ) 66 | #define SC_CODESEG_MAIN SC_CODESEG(CBA) 67 | 68 | // Make sure it is between MAIN and END. 69 | #define SC_CODESEG_REORDERING SC_CODESEG(CXI) 70 | 71 | namespace SC 72 | { 73 | // https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function 74 | template 75 | SC_FORCEINLINE SC_CONSTEXPR DWORD Hash(PCSTR lpName) 76 | { 77 | DWORD dwHash = 2166136261u; 78 | for (; *lpName != '\0'; ++lpName) 79 | { 80 | dwHash = (dwHash ^ (BYTE)Converter()(*lpName)) * 16777619ull; 81 | } 82 | return dwHash; 83 | } 84 | SC_FORCEINLINE SC_CONSTEXPR DWORD Hash(PCSTR lpName) 85 | { 86 | struct Converter 87 | { 88 | SC_CONSTEXPR Converter() {} 89 | SC_CONSTEXPR CHAR operator()(CHAR c) const { return c; } 90 | }; 91 | return Hash(lpName); 92 | } 93 | SC_FORCEINLINE SC_CONSTEXPR DWORD HashI(PCSTR lpName) 94 | { 95 | struct Converter 96 | { 97 | SC_CONSTEXPR Converter() {} 98 | SC_CONSTEXPR CHAR operator()(CHAR c) const 99 | { 100 | return c >= 'A' && c <= 'Z' ? c + ('a' - 'A') : c; 101 | } 102 | }; 103 | return Hash(lpName); 104 | } 105 | 106 | SC_FORCEINLINE PVOID GetNtoskrnlBaseAddress() 107 | { 108 | #pragma pack(push, 1) 109 | typedef struct 110 | { 111 | UCHAR Padding[4]; 112 | PVOID InterruptServiceRoutine; 113 | } IDT_ENTRY; 114 | #pragma pack(pop) 115 | 116 | // Find the address of IdtBase using gs register. 117 | const auto idt_base = reinterpret_cast(__readgsqword(0x38)); 118 | 119 | // Find the address of the first (or any) interrupt service routine. 120 | const auto first_isr_address = idt_base[0].InterruptServiceRoutine; 121 | 122 | // search this pattern "48 8D 1D ?? ?? ?? FF" backwards from the 123 | // first_isr_address 124 | auto ptr = reinterpret_cast(first_isr_address); 125 | while (1) 126 | { 127 | if (*(reinterpret_cast(ptr)) != 0x48 || 128 | *(reinterpret_cast(ptr + 1)) != 0x8D || 129 | *(reinterpret_cast(ptr + 2)) != 0x1D || 130 | *(reinterpret_cast(ptr + 6)) != 0xFF) 131 | { 132 | ptr--; 133 | } 134 | else 135 | { 136 | // we found the pattern, now we need to calculate the offset 137 | auto offset = *(reinterpret_cast(ptr + 3)); 138 | auto ntoskernl_base = ptr + 7 + offset; 139 | // check ntoskernel_base is page aligned 140 | if (ntoskernl_base % 0x1000 == 0) 141 | { 142 | return reinterpret_cast(ntoskernl_base); 143 | } 144 | else 145 | { 146 | ptr--; 147 | } 148 | } 149 | } 150 | } 151 | 152 | SC_FORCEINLINE PIMAGE_NT_HEADERS GetNTHeaders(PVOID lpDLLBase) 153 | { 154 | PIMAGE_DOS_HEADER lpDOSHeader = (PIMAGE_DOS_HEADER)lpDLLBase; 155 | return (PIMAGE_NT_HEADERS)((PBYTE)lpDLLBase + lpDOSHeader->e_lfanew); 156 | } 157 | SC_FORCEINLINE PVOID MmGetSystemRoutineAddressByHash(DWORD dwProcHash) 158 | { 159 | auto lpNtBase = (PSTR)GetNtoskrnlBaseAddress(); 160 | PIMAGE_NT_HEADERS lpNTHeaders = GetNTHeaders(lpNtBase); 161 | DWORD dwExportDirectoryRAV = 162 | lpNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] 163 | .VirtualAddress; 164 | if (dwExportDirectoryRAV == 0) 165 | { 166 | } 167 | PIMAGE_EXPORT_DIRECTORY lpExportDirectory = 168 | (PIMAGE_EXPORT_DIRECTORY)(lpNtBase + dwExportDirectoryRAV); 169 | PDWORD lpNameRAVs = (PDWORD)(lpNtBase + lpExportDirectory->AddressOfNames); 170 | PWORD lpOrdinals = 171 | (PWORD)(lpNtBase + lpExportDirectory->AddressOfNameOrdinals); 172 | PDWORD lpProcRAVs = 173 | (PDWORD)(lpNtBase + lpExportDirectory->AddressOfFunctions); 174 | for (DWORD dwIdx = 0; dwIdx < lpExportDirectory->NumberOfNames; ++dwIdx) 175 | { 176 | if (Hash(lpNtBase + lpNameRAVs[dwIdx]) == dwProcHash) 177 | { 178 | return lpNtBase + lpProcRAVs[lpOrdinals[dwIdx]]; 179 | } 180 | } 181 | __debugbreak(); 182 | return NULL; // No return 183 | } 184 | // For Compile-time calculation 185 | template 186 | SC_FORCEINLINE PVOID MmGetSystemRoutineAddressByHash() 187 | { 188 | return MmGetSystemRoutineAddressByHash(dwProcHash); 189 | } 190 | 191 | SC_FORCEINLINE PVOID GetProcAddressByHash(DWORD dwDLLHash, DWORD dwProcHash) 192 | { 193 | __debugbreak(); 194 | LPSTR lpDLLBase = (LPSTR) nullptr; 195 | if (lpDLLBase == NULL) 196 | { 197 | } 198 | PIMAGE_NT_HEADERS lpNTHeaders = GetNTHeaders(lpDLLBase); 199 | DWORD dwExportDirectoryRAV = 200 | lpNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] 201 | .VirtualAddress; 202 | if (dwExportDirectoryRAV == 0) 203 | { 204 | } 205 | PIMAGE_EXPORT_DIRECTORY lpExportDirectory = 206 | (PIMAGE_EXPORT_DIRECTORY)(lpDLLBase + dwExportDirectoryRAV); 207 | if (HashI(lpDLLBase + lpExportDirectory->Name) != dwDLLHash) 208 | { 209 | } 210 | PDWORD lpNameRAVs = (PDWORD)(lpDLLBase + lpExportDirectory->AddressOfNames); 211 | PWORD lpOrdinals = 212 | (PWORD)(lpDLLBase + lpExportDirectory->AddressOfNameOrdinals); 213 | PDWORD lpProcRAVs = 214 | (PDWORD)(lpDLLBase + lpExportDirectory->AddressOfFunctions); 215 | for (DWORD dwIdx = 0; dwIdx < lpExportDirectory->NumberOfNames; ++dwIdx) 216 | { 217 | if (Hash(lpDLLBase + lpNameRAVs[dwIdx]) == dwProcHash) 218 | { 219 | // FIXME: DLL Function Forwarding 220 | return lpDLLBase + lpProcRAVs[lpOrdinals[dwIdx]]; 221 | } 222 | } 223 | __debugbreak(); 224 | return NULL; // No return 225 | } 226 | 227 | // For Compile-time calculation 228 | template 229 | SC_FORCEINLINE PVOID GetProcAddressByHash() 230 | { 231 | return GetProcAddressByHash(dwDLLHash, dwProcHash); 232 | } 233 | 234 | template struct integer_sequence 235 | { // sequence of integer parameters 236 | 237 | using value_type = _Ty; 238 | 239 | _NODISCARD static constexpr size_t size() noexcept 240 | { 241 | return sizeof...(_Vals); 242 | } 243 | }; 244 | // ALIAS TEMPLATE make_integer_sequence 245 | template 246 | using make_integer_sequence = __make_integer_seq; 247 | 248 | template 249 | using index_sequence = integer_sequence; 250 | 251 | template 252 | using make_index_sequence = make_integer_sequence; 253 | 254 | template 255 | using index_sequence_for = make_index_sequence; 256 | 257 | // Position Independent String 258 | template struct PIString; 259 | template 260 | struct PIString> 261 | { 262 | CharType szBuffer_[sizeof...(Indices)]; 263 | SC_FORCEINLINE SC_CONSTEXPR explicit PIString( 264 | const CharType (&szLiteral)[sizeof...(Indices)]) 265 | : szBuffer_{(szLiteral[Indices])...} 266 | { 267 | } 268 | }; 269 | } // namespace SC 270 | 271 | #ifdef SC_WIN64 272 | #define SC_BEGIN_CODE \ 273 | SC_DLL_EXPORT SC_CODESEG_START VOID SCBegin() { SCMain(NULL); } 274 | #else 275 | // clang-format off 276 | #define SC_BEGIN_CODE \ 277 | SC_DLL_EXPORT SC_CODESEG_START SC_NAKEDFUNC VOID SCBegin() { \ 278 | /* CALL $+5 */ \ 279 | SC_EMIT(0xE8) SC_EMIT(0x00) SC_EMIT(0x00) SC_EMIT(0x00) SC_EMIT(0x00) \ 280 | SC_ASM POP EAX \ 281 | SC_ASM LEA EAX, [EAX - 5] \ 282 | SC_ASM LEA ECX, [SCBegin] \ 283 | SC_ASM NEG ECX \ 284 | SC_ASM LEA EAX, [EAX + ECX + SCMain] \ 285 | SC_ASM PUSH EAX \ 286 | SC_ASM CALL EAX \ 287 | SC_ASM RET \ 288 | } 289 | // clang-format on 290 | #endif // SC_WIN64 291 | 292 | #define SC_MAIN_BEGIN() \ 293 | SC_EXTERN_C_BEGIN \ 294 | SC_DLL_EXPORT VOID WINAPI SCMain(ULONG_PTR SCMainVA); \ 295 | SC_BEGIN_CODE \ 296 | SC_DLL_EXPORT SC_CODESEG_MAIN VOID WINAPI SCMain(ULONG_PTR SCMainVA) 297 | #define SC_MAIN_END() \ 298 | SC_DLL_EXPORT SC_CODESEG_END VOID SCEnd() { __debugbreak(); } \ 299 | SC_EXTERN_C_END 300 | 301 | #define SC_PISTRINGA(szLiteralA) \ 302 | (::SC::PIString>( \ 303 | szLiteralA) \ 304 | .szBuffer_) 305 | #define SC_PISTRINGW(szLiteralW) \ 306 | (::SC::PIString>( \ 307 | szLiteralW) \ 308 | .szBuffer_) 309 | #define SC_PISTRINGU(szLiteralW) \ 310 | (&UNICODE_STRING{sizeof(szLiteralW) - sizeof(WCHAR), sizeof(szLiteralW), \ 311 | SC_PISTRINGW(szLiteralW)}) 312 | 313 | #ifdef SC_WIN64 314 | #define SC_PIFUNCTION(fnReordered) ((decltype(fnReordered) *)fnReordered) 315 | #else 316 | // Must be invoked in SCMain. 317 | #define SC_PIFUNCTION(fnReordered) \ 318 | ((decltype(fnReordered) *)(((ULONG_PTR)(fnReordered) - \ 319 | (ULONG_PTR)SCMain) + \ 320 | SCMainVA)) 321 | #endif // SC_WIN64 322 | 323 | #define SC_GET_API_ADDRESS(szAPIName) \ 324 | (::SC::MmGetSystemRoutineAddressByHash<::SC::Hash(szAPIName)>()) 325 | 326 | // #define SC_IMPORT_API_AS(fnVarName, szDLLName, fnAPIName) \ 327 | // auto fnVarName = \ 328 | // (decltype(::fnAPIName) *)SC_GET_API_ADDRESS(szDLLName, #fnAPIName) 329 | // #define SC_IMPORT_API(szDLLName, fnAPIName) \ 330 | // SC_IMPORT_API_AS(fnAPIName, szDLLName, fnAPIName) 331 | #define SC_IMPORT_API_AS(fnVarName, fnAPIName) \ 332 | auto fnVarName = (decltype(::fnAPIName) *)SC_GET_API_ADDRESS(#fnAPIName) 333 | #define SC_IMPORT_API(fnAPIName) SC_IMPORT_API_AS(fnAPIName, fnAPIName) 334 | 335 | #define SC_IMPORT_API_BATCH_BEGIN() \ 336 | SC_IMPORT_API_AS(fnSCGetFnAddress, MmGetSystemRoutineAddress) 337 | #define SC_IMPORT_API_BATCH(fnAPIName) \ 338 | auto fnAPIName = \ 339 | (decltype(::fnAPIName) *)(fnSCGetFnAddress(SC_PISTRINGU(_T(#fnAPIName)))) 340 | #define SC_IMPORT_API_BATCH_END() 341 | --------------------------------------------------------------------------------