├── .github
└── workflows
│ └── msbuild.yml
├── .gitignore
├── LICENSE
├── NtSymbol.sln
├── NtSymbol
├── NtSymbol.vcxproj
├── NtSymbol.vcxproj.filters
└── main.cpp
├── README.md
├── image.png
└── libNtSymbol
├── libNtSymbol.vcxproj
├── libNtSymbol.vcxproj.filters
├── ntsymbol.cpp
└── ntsymbol.hpp
/.github/workflows/msbuild.yml:
--------------------------------------------------------------------------------
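name: MSBuild

on: [push]

# Least privilege for the job's GITHUB_TOKEN: a build-only workflow needs
# nothing beyond reading the repository (actions/checkout works with this).
permissions:
  contents: read

env:
  # Path to the solution file relative to the root of the project.
  SOLUTION_FILE_PATH: .

  # Configuration type to build.
  # You can convert this to a build matrix if you need coverage of multiple configuration types.
  # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
  BUILD_CONFIGURATION: Release

  BUILD_PLATFORM: x64

jobs:
  build:
    runs-on: windows-latest

    steps:
    # Supply-chain note: a tag such as @v2 or @v1.0.2 is mutable and resolves
    # to whatever the action owner publishes under it later. Pin each `uses:`
    # to the full commit SHA of a reviewed release (keep the tag in a comment).
    - uses: actions/checkout@v2

    - name: Add MSBuild to PATH
      uses: microsoft/setup-msbuild@v1.0.2

    - name: Restore NuGet packages
      working-directory: ${{env.GITHUB_WORKSPACE}}
      run: nuget restore ${{env.SOLUTION_FILE_PATH}}

    - name: Build
      working-directory: ${{env.GITHUB_WORKSPACE}}
      # Add additional options to the MSBuild command line here (like platform or verbosity level).
      # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
      run: msbuild /m /p:platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}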
35 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Kento Oki
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/NtSymbol.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31321.278
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtSymbol", "NtSymbol\NtSymbol.vcxproj", "{FED9D827-4ECB-4EEA-992B-2C0444995F08}"
7 | ProjectSection(ProjectDependencies) = postProject
8 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC} = {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}
9 | EndProjectSection
10 | EndProject
11 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libNtSymbol", "libNtSymbol\libNtSymbol.vcxproj", "{F4507BCF-01D8-46CD-B1F0-F8E911136BFC}"
12 | EndProject
13 | Global
14 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
15 | Debug|x64 = Debug|x64
16 | Debug|x86 = Debug|x86
17 | Release|x64 = Release|x64
18 | Release|x86 = Release|x86
19 | EndGlobalSection
20 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
21 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Debug|x64.ActiveCfg = Debug|x64
22 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Debug|x64.Build.0 = Debug|x64
23 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Debug|x86.ActiveCfg = Debug|Win32
24 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Debug|x86.Build.0 = Debug|Win32
25 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Release|x64.ActiveCfg = Release|x64
26 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Release|x64.Build.0 = Release|x64
27 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Release|x86.ActiveCfg = Release|Win32
28 | {FED9D827-4ECB-4EEA-992B-2C0444995F08}.Release|x86.Build.0 = Release|Win32
29 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Debug|x64.ActiveCfg = Debug|x64
30 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Debug|x64.Build.0 = Debug|x64
31 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Debug|x86.ActiveCfg = Debug|Win32
32 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Debug|x86.Build.0 = Debug|Win32
33 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Release|x64.ActiveCfg = Release|x64
34 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Release|x64.Build.0 = Release|x64
35 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Release|x86.ActiveCfg = Release|Win32
36 | {F4507BCF-01D8-46CD-B1F0-F8E911136BFC}.Release|x86.Build.0 = Release|Win32
37 | EndGlobalSection
38 | GlobalSection(SolutionProperties) = preSolution
39 | HideSolutionNode = FALSE
40 | EndGlobalSection
41 | GlobalSection(ExtensibilityGlobals) = postSolution
42 | SolutionGuid = {24E73B2B-406F-4FCE-8791-BFF1A71B17F5}
43 | EndGlobalSection
44 | EndGlobal
45 |
--------------------------------------------------------------------------------
/NtSymbol/NtSymbol.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {fed9d827-4ecb-4eea-992b-2c0444995f08}
25 | NtSymbol
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 | $(VC_IncludePath);$(WindowsSDK_IncludePath);$(SolutionDir)\libNtSymbol;
85 |
86 |
87 |
88 | Level3
89 | true
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | Console
95 | true
96 |
97 |
98 |
99 |
100 | Level3
101 | true
102 | true
103 | true
104 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
105 | true
106 |
107 |
108 | Console
109 | true
110 | true
111 | true
112 |
113 |
114 |
115 |
116 | Level3
117 | true
118 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
119 | true
120 |
121 |
122 | Console
123 | true
124 |
125 |
126 |
127 |
128 | Level3
129 | true
130 | true
131 | true
132 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
133 | true
134 | stdcpp17
135 |
136 |
137 | Console
138 | true
139 | true
140 | true
141 | $(OutDir);%(AdditionalLibraryDirectories)
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
--------------------------------------------------------------------------------
/NtSymbol/NtSymbol.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/NtSymbol/main.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | * MIT License
3 | *
4 | * Copyright (c) 2021 Kento Oki
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in all
14 | * copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 | * SOFTWARE.
23 | *
24 | */
25 |
#include <cstdint>
#include <cstdio>
#include <cstdlib>

#include <ntsymbol.hpp>
#pragma comment(lib, "libNtSymbol.lib")
30 |
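// Prints one resolved value. Both resolve() overloads return 0 when the lookup
// fails, so a zero is reported as a failure; a genuine offset of 0 would look
// the same, so read the label before trusting such a line.
static void report(const char* label, uint64_t value)
{
    if (value != 0)
        printf("[*] %s: 0x%llX\n", label, static_cast<unsigned long long>(value));
    else
        printf("[!] %s: unresolved (resolve() returned 0)\n", label);
}

int main(int argc, const char** argv, const char** envp)
{
    // Both instances use GetCurrentProcess(), and dbghelp documents that
    // SymInitialize must not be called again for a handle without an
    // intervening SymCleanup. Scoping each instance makes the first
    // destructor (SymCleanup) run before the second init() (SymInitialize).
    {
        ntsymbol ntoskrnl("%SYSTEMROOT%\\system32\\ntoskrnl.exe");
        if (!ntoskrnl.init())
        {
            printf("[!] failed to init ntoskrnl symbol\n");
            return EXIT_FAILURE;
        }

        printf("[*] *** ntoskrnl.exe ***\n");
        report("PsNtosImageBase", ntoskrnl.resolve(L"PsNtosImageBase"));
        report("MmUnloadedDrivers", ntoskrnl.resolve(L"MmUnloadedDrivers"));
        report("CmpLogExt", ntoskrnl.resolve(L"CmpLogExt"));
        report("_EPROCESS::SectionBaseAddress", ntoskrnl.resolve(L"_EPROCESS", L"SectionBaseAddress"));
        report("_EPROCESS::RundownProtect", ntoskrnl.resolve(L"_EPROCESS", L"RundownProtect"));
        report("_ETHREAD::Win32StartAddress", ntoskrnl.resolve(L"_ETHREAD", L"Win32StartAddress"));
        report("_ETHREAD::ChargeOnlySession", ntoskrnl.resolve(L"_ETHREAD", L"ChargeOnlySession"));
    }

    {
        ntsymbol cidll("%SYSTEMROOT%\\system32\\ci.dll");
        if (!cidll.init())
        {
            printf("[!] failed to init CI.dll symbol\n");
            return EXIT_FAILURE;
        }

        printf("[*] *** CI.dll ***\n");
        report("g_CiOptions", cidll.resolve(L"g_CiOptions"));
    }

    return EXIT_SUCCESS;
}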
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 |
4 |
5 |
6 |
7 |
8 | # NtSymbol
9 |
10 | Resolve DOS MZ executable symbols at runtime
11 |
12 | # Example
13 |
14 | You no longer have not have to use memory pattern scan inside your sneaky rootkit. Pass the RVAs into your kernel payloads!
15 |
16 | ```cpp
17 | int main()
18 | {
19 | ntsymbol ntoskrnl("%SYSTEMROOT%\\system32\\ntoskrnl.exe");
20 | ntoskrnl.init();
21 | /* Useful for retriving NTOS image base without any calls */
22 | const auto RvaPsNtosImageBase = ntoskrnl.resolve(L"PsNtosImageBase");
23 |
24 |
25 | ntsymbol cidll("%SYSTEMROOT%\\system32\\CI.dll");
26 | cidll.init();
27 | /* DSE Bypass! */
28 | const auto RvaCiOptions = cidll.resolve(L"g_CiOptions");
29 | }
30 | ```
31 |
--------------------------------------------------------------------------------
/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kkent030315/NtSymbol/93dd42f1de3849cc5d5c51df7418d25384e118c9/image.png
--------------------------------------------------------------------------------
/libNtSymbol/libNtSymbol.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | 16.0
29 | Win32Proj
30 | {f4507bcf-01d8-46cd-b1f0-f8e911136bfc}
31 | libNtSymbol
32 | 10.0
33 |
34 |
35 |
36 | StaticLibrary
37 | true
38 | v142
39 | Unicode
40 |
41 |
42 | StaticLibrary
43 | false
44 | v142
45 | true
46 | Unicode
47 |
48 |
49 | StaticLibrary
50 | true
51 | v142
52 | Unicode
53 |
54 |
55 | StaticLibrary
56 | false
57 | v142
58 | true
59 | Unicode
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 | true
87 |
88 |
89 | false
90 |
91 |
92 |
93 | Level3
94 | true
95 | WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)
96 | true
97 | Use
98 | pch.h
99 |
100 |
101 |
102 |
103 | true
104 |
105 |
106 |
107 |
108 | Level3
109 | true
110 | true
111 | true
112 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)
113 | true
114 | Use
115 | pch.h
116 |
117 |
118 |
119 |
120 | true
121 | true
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | _DEBUG;_LIB;%(PreprocessorDefinitions)
130 | true
131 | Use
132 | pch.h
133 |
134 |
135 |
136 |
137 | true
138 |
139 |
140 |
141 |
142 | Level3
143 | true
144 | true
145 | true
146 | NDEBUG;_LIB;%(PreprocessorDefinitions)
147 | true
148 | NotUsing
149 |
150 |
151 | stdcpp17
152 |
153 |
154 |
155 |
156 | true
157 | true
158 | true
159 |
160 |
161 |
162 |
163 |
164 |
--------------------------------------------------------------------------------
/libNtSymbol/libNtSymbol.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
--------------------------------------------------------------------------------
/libNtSymbol/ntsymbol.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | * MIT License
3 | *
4 | * Copyright (c) 2021 Kento Oki
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in all
14 | * copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 | * SOFTWARE.
23 | *
24 | */
25 |
#include "ntsymbol.hpp"

#include <cstddef>
#include <cstring>
#include <filesystem>
#include <string>
27 |
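// Records where the image lives and where its PDB will be cached.
// image_path may contain %VAR% references (e.g. %SYSTEMROOT%), which are
// expanded here; nothing is downloaded or loaded until init().
ntsymbol::ntsymbol(const std::string& image_path)
    // HTTPS: the PDB fetched from here is parsed in-process by dbghelp and its
    // offsets are what callers feed to kernel code, so the transport must not
    // be tamperable. The symbol server serves the same layout over TLS.
    : symbol_server("https://msdl.microsoft.com/download/symbols/")
    , process(GetCurrentProcess())
    , base(0)
{
    // PDBs are cached in the current directory, which dbghelp later searches.
    // NOTE(review): whoever can write to that directory can plant a PDB with
    // the right GUID/age; a dedicated cache directory would be safer.
    char cwd[MAX_PATH] = {};
    const DWORD cwd_len = GetCurrentDirectoryA(MAX_PATH, cwd);
    // Success returns the length without the NUL; a value >= MAX_PATH means
    // the buffer was too small. Leave symbol_path empty on failure so that
    // init() rejects it instead of using an uninitialised buffer.
    if (cwd_len != 0 && cwd_len < MAX_PATH)
        this->symbol_path = std::string(cwd, cwd_len) + "\\";

    // Success returns the expanded length including the NUL; a value above
    // MAX_PATH means the result was truncated, in which case the literal
    // path is kept rather than a cut-off one.
    char expanded[MAX_PATH] = {};
    const DWORD needed = ExpandEnvironmentStringsA(image_path.c_str(), expanded, MAX_PATH);
    if (needed != 0 && needed <= MAX_PATH)
        this->image_path = expanded;
    else
        this->image_path = image_path;
}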
41 |
// Releases the dbghelp session for this process handle. The session is keyed
// on the handle, not on this object: another ntsymbol sharing
// GetCurrentProcess() loses its symbols when this runs.
ntsymbol::~ntsymbol()
{
    SymCleanup(process);
}
46 |
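// Reads the CodeView (RSDS) record of the image: PDB GUID, age and name.
// Returns an info with an empty image_name when the image cannot be mapped
// or carries no usable CodeView entry. Every pointer derived from the image
// is bounds-checked because the file is parsed, not trusted.
ntsymbol::pe_debug_info ntsymbol::get_debug_info()
{
    /*
     * NOTE:
     * SymSrvGetFileIndexInfo is not supported in
     * WinXP & Win2k3 versions of dbghelp.dll, hence the manual walk.
     * See more on https://bugzilla.mozilla.org/show_bug.cgi?id=712109
     */

    pe_blob lib(this->image_path);
    if (!lib.valid())
        return {};

    const auto image = lib.as<const uint8_t*>();
    const auto nt_headers = ImageNtHeader(lib.as<PVOID>());
    if (!nt_headers)
        return {};

    const auto& dir = nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG];
    if (dir.VirtualAddress == 0 || dir.Size < sizeof(IMAGE_DEBUG_DIRECTORY))
        return {};

    // Walk every entry: nothing in the format requires CodeView to be first.
    const auto entries = reinterpret_cast<const IMAGE_DEBUG_DIRECTORY*>(image + dir.VirtualAddress);
    const size_t entry_count = dir.Size / sizeof(IMAGE_DEBUG_DIRECTORY);
    constexpr size_t name_offset = offsetof(IMAGE_DEBUG_DIRECTORY_RAW, image_name);

    for (size_t i = 0; i < entry_count; ++i)
    {
        const auto& entry = entries[i];
        if (entry.Type != IMAGE_DEBUG_TYPE_CODEVIEW
            || entry.AddressOfRawData == 0
            || entry.SizeOfData <= name_offset)
            continue;

        const auto cv = reinterpret_cast<const IMAGE_DEBUG_DIRECTORY_RAW*>(image + entry.AddressOfRawData);
        if (std::memcmp(cv->format, "RSDS", sizeof(cv->format)) != 0)
            continue;

        // Bound the name by both the struct's cap and the record's own size;
        // do not assume the on-disk name is NUL-terminated.
        const size_t record_room = entry.SizeOfData - name_offset;
        const size_t name_cap = record_room < sizeof(cv->image_name) ? record_room : sizeof(cv->image_name);

        pe_debug_info info{};
        std::memcpy(&info.guid, cv->guid, sizeof(info.guid));
        info.age = cv->age;
        info.image_name.assign(cv->image_name, strnlen(cv->image_name, name_cap));
        return info;
    }

    return {};
}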
79 |
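// Builds the symbol-server URL for this image's PDB, or "" when the image
// yields no CodeView identity. Uses the configured symbol_server so the
// transport (http/https) is decided in one place.
std::string ntsymbol::get_msdl_link()
{
    const auto debug_info = this->get_debug_info();
    if (debug_info.image_name.empty())
        return {};

    // The server is keyed on the PDB file name; an image that recorded a full
    // build path must be reduced to its last component. The name comes from
    // the parsed image, so treat it as untrusted input.
    const auto pdb_name = std::filesystem::path(debug_info.image_name).filename().string();
    const auto guid_str = this->guid2str(debug_info.guid);
    if (pdb_name.empty() || guid_str.empty())
        return {};

    // SymSrv layout: <server>/<pdb>/<GUID without dashes><age>/<pdb>
    std::string key;
    key.reserve(guid_str.size());
    for (const char c : guid_str)
        if (c != '-')
            key += c;
    key += std::to_string(debug_info.age);

    return this->symbol_server + pdb_name + "/" + key + "/" + pdb_name;
}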
110 |
// Formats a GUID in the dashed RPC form ("xxxxxxxx-xxxx-..."), or "" when
// the RPC runtime refuses it. The RPC buffer is released before returning.
std::string ntsymbol::guid2str(GUID guid)
{
    RPC_CSTR rpc_text = nullptr;
    if (UuidToStringA(&guid, &rpc_text) != RPC_S_OK)
        return {};

    std::string text(reinterpret_cast<const char*>(rpc_text));
    RpcStringFreeA(&rpc_text);
    return text;
}
124 |
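// Ensures the image's PDB is present in symbol_path, downloading it when it
// is not. Returns false when the image has no CodeView identity or the
// download fails.
bool ntsymbol::download_symbol()
{
    const auto debug_info = this->get_debug_info();
    // The PDB name comes from the parsed image: keep only its file name so
    // a recorded path (or a crafted "..\\..\\x.pdb") cannot escape symbol_path.
    const auto filename = std::filesystem::path(debug_info.image_name).filename().string();
    if (filename.empty())
        return false;

    const auto link = this->get_msdl_link();
    if (link.empty())
        return false;

    const auto full_path = this->symbol_path + filename;
    // An existing file is reused as-is. A stale PDB from another build is
    // expected to fail dbghelp's GUID/age match at load time, but nothing
    // here re-downloads it; delete it by hand if resolution yields zeros.
    if (std::filesystem::exists(full_path))
        return true;

    // No integrity check beyond dbghelp's later GUID/age match, so the
    // transport configured in symbol_server is the only protection in flight.
    return SUCCEEDED(URLDownloadToFileA(nullptr, link.c_str(), full_path.c_str(), 0, nullptr));
}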
142 |
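// Fetches the PDB and loads the image into dbghelp. Must succeed before
// resolve() is meaningful. Returns false on any step failing; a failed
// module load also tears the dbghelp session down again so a later
// SymInitialize on the same process handle is not refused.
bool ntsymbol::init()
{
    if (!std::filesystem::exists(this->symbol_path))
        return false;

    if (!this->download_symbol())
        return false;

    // Pin dbghelp's search path to the directory the PDB was written to,
    // instead of letting it assemble one from _NT_SYMBOL_PATH and friends,
    // so the symbols it loads are the ones fetched above.
    if (!SymInitialize(this->process, this->symbol_path.c_str(), FALSE))
        return false;

    this->base = SymLoadModuleEx(
        this->process, nullptr, this->image_path.c_str(), nullptr, 0, 0, nullptr, 0);
    if (!this->base)
    {
        SymCleanup(this->process);
        return false;
    }

    return true;
}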
161 |
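// RVA of the global symbol `name` within the loaded module, or 0 when the
// lookup fails (callers cannot tell that apart from a symbol at RVA 0).
uint64_t ntsymbol::resolve(const std::wstring& name)
{
    // SizeOfStruct is part of the documented input contract. MaxNameLen
    // deliberately stays 0: SYMBOL_INFOW ends in a one-character Name tail,
    // so asking dbghelp to copy the name here would write past the struct.
    SYMBOL_INFOW symbol_info{};
    symbol_info.SizeOfStruct = sizeof(SYMBOL_INFOW);

    if (!SymGetTypeFromNameW(this->process, this->base, name.c_str(), &symbol_info))
        return 0;

    // Offset relative to the module base, independent of where it is loaded.
    ULONG offset = 0;
    if (!SymGetTypeInfo(this->process, this->base, symbol_info.Index, TI_GET_ADDRESSOFFSET, &offset))
        return 0;

    return static_cast<uint64_t>(offset);
}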
175 |
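// Byte offset of `member_name` inside the UDT `struct_name` (case-insensitive
// name match), or 0 when the struct or member is not found; a real member at
// offset 0 is indistinguishable from that failure.
uint64_t ntsymbol::resolve(const std::wstring& struct_name, const std::wstring& member_name)
{
    ULONG offset = 0;

    this->enum_symbol(struct_name, [&](ULONG child_id, void*) -> bool
    {
        LPWSTR child_name = nullptr;
        if (!SymGetTypeInfo(this->process, this->base, child_id, TI_GET_SYMNAME, &child_name))
            return true; // unnamed child: keep scanning

        const bool is_match = _wcsicmp(member_name.c_str(), child_name) == 0;
        // TI_GET_SYMNAME hands back a LocalAlloc'd buffer that the caller
        // must LocalFree; VirtualFree is the wrong allocator and would fail,
        // leaking one name per child.
        LocalFree(child_name);

        if (!is_match)
            return true;

        // Stop at the first match whose offset is readable; otherwise keep
        // scanning for another child with that name.
        return !SymGetTypeInfo(this->process, this->base, child_id, TI_GET_OFFSET, &offset);
    });

    return static_cast<uint64_t>(offset);
}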
202 |
// Maps `path` as an image without running DllMain or resolving its imports.
// A relative path still goes through the normal DLL search order, so callers
// should pass an absolute path to a file they trust.
pe_blob::pe_blob(const std::string& path)
    : blob(LoadLibraryExA(path.c_str(), nullptr, DONT_RESOLVE_DLL_REFERENCES))
{
}
206 |
// Unmaps the image if the constructor managed to load it.
pe_blob::~pe_blob()
{
    if (!blob)
        return;
    FreeLibrary(static_cast<HMODULE>(blob));
}
212 |
// True when the image is mapped and as<T>() may be used.
bool pe_blob::valid()
{
    return blob != nullptr;
}
217 |
--------------------------------------------------------------------------------
/libNtSymbol/ntsymbol.hpp:
--------------------------------------------------------------------------------
1 | /*
2 | * MIT License
3 | *
4 | * Copyright (c) 2021 Kento Oki
5 | *
6 | * Permission is hereby granted, free of charge, to any person obtaining a copy
7 | * of this software and associated documentation files (the "Software"), to deal
8 | * in the Software without restriction, including without limitation the rights
9 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | * copies of the Software, and to permit persons to whom the Software is
11 | * furnished to do so, subject to the following conditions:
12 | *
13 | * The above copyright notice and this permission notice shall be included in all
14 | * copies or substantial portions of the Software.
15 | *
16 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 | * SOFTWARE.
23 | *
24 | */
25 |
#pragma once
#include <cstdint>
#include <filesystem>
#include <string>
#include <vector>

#include <Windows.h>
#include <DbgHelp.h>
#pragma comment(lib, "dbghelp.lib")

#include <urlmon.h>
#pragma comment(lib, "rpcrt4.lib") // UuidToStringA, RpcStringFreeA
#pragma comment(lib, "urlmon.lib") // UrlDownloadToFileA
36 |
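// Owns a PE file mapped into this process (DllMain is not run and imports are
// not resolved, see the constructor) so its headers can be read by RVA.
// The mapping still goes through the loader: only map files you trust.
class pe_blob
{
public:
    explicit pe_blob(const std::string& path);
    ~pe_blob();

    // Owns an HMODULE released in the destructor; a copy would free it twice.
    pe_blob(const pe_blob&) = delete;
    pe_blob& operator=(const pe_blob&) = delete;

    // True when the mapping succeeded.
    bool valid();

    // The mapping base reinterpreted as T (e.g. const uint8_t* for RVA maths).
    template <typename T>
    T as() const noexcept { return reinterpret_cast<T>(this->blob); }

private:
    void* blob = nullptr;
};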
47 |
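// Resolves symbol RVAs and struct member offsets of a PE image by fetching
// its PDB from the configured symbol server and querying it through dbghelp.
// Usage: construct, init(), then resolve(); failures are reported by return
// value, nothing throws. Not copyable: the dbghelp session released in the
// destructor belongs to the process handle, not to this object.
class ntsymbol
{
    // CodeView identity of the image; this is what the symbol server is keyed on.
    struct pe_debug_info
    {
        GUID guid{};
        uint32_t age = 0;
        std::string image_name;   // PDB name recorded in the image; empty means "not found"
    };

    // Raw layout of an IMAGE_DEBUG_TYPE_CODEVIEW ("RSDS") record as read from
    // the mapped image. The 256-byte name is this reader's cap, not a format
    // guarantee: readers must bound every access.
    struct IMAGE_DEBUG_DIRECTORY_RAW
    {
        char format[4];
        char guid[16];
        unsigned long age;
        char image_name[256];
    };

public:
    explicit ntsymbol(const std::string& image_path);
    ~ntsymbol();

    ntsymbol(const ntsymbol&) = delete;
    ntsymbol& operator=(const ntsymbol&) = delete;

    // Downloads the PDB (unless cached) and loads the module into dbghelp.
    // Must succeed before resolve() is meaningful.
    bool init();

    // Calls callback(child_id, context) for every child of the type named
    // root_name; the callback returns false to stop early. Returns false only
    // when the callback stopped the walk; lookup failures return true without
    // invoking the callback.
    template <typename C>
    bool enum_symbol(const std::wstring& root_name, C&& callback, void* context = nullptr)
    {
        // SizeOfStruct is the documented input contract; MaxNameLen stays 0
        // because there is no Name buffer beyond the struct's 1-char tail.
        SYMBOL_INFOW symbol_info{};
        symbol_info.SizeOfStruct = sizeof(SYMBOL_INFOW);
        if (!SymGetTypeFromNameW(this->process, this->base, root_name.c_str(), &symbol_info))
            return true;

        ULONG child_count = 0;
        if (!SymGetTypeInfo(this->process, this->base, symbol_info.TypeIndex, TI_GET_CHILDRENCOUNT, &child_count))
            return true;
        if (child_count == 0)
            return true;

        // TI_FINDCHILDREN_PARAMS is {Count, Start, ChildId[]}: ULONG storage
        // keeps it aligned and RAII frees it on every exit path.
        std::vector<ULONG> storage(static_cast<size_t>(child_count) + 2, 0);
        const auto children = reinterpret_cast<TI_FINDCHILDREN_PARAMS*>(storage.data());
        children->Count = child_count;
        children->Start = 0;

        if (!SymGetTypeInfo(this->process, this->base, symbol_info.TypeIndex, TI_FINDCHILDREN, children))
            return true;

        for (ULONG i = children->Start; i < children->Count; i++)
        {
            if (!callback(children->ChildId[i], context))
                return false;
        }

        return true;
    }

    // RVA of a global symbol; 0 when the lookup fails.
    uint64_t resolve(const std::wstring& name);
    // Byte offset of member_name within struct_name (case-insensitive match);
    // 0 when not found, which is indistinguishable from a member at offset 0.
    uint64_t resolve(const std::wstring& struct_name, const std::wstring& member_name);

private:
    pe_debug_info get_debug_info();
    std::string get_msdl_link();
    std::string guid2str(GUID guid);
    bool download_symbol();

    std::string image_path;     // expanded path of the image being symbolised
    std::string symbol_server;  // base URL of the symbol server, trailing slash included
    std::string symbol_path;    // directory PDBs are cached in, trailing backslash included
    HANDLE process = nullptr;
    uint64_t base = 0;          // module base returned by SymLoadModuleEx; 0 until init()
};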
125 |
126 |
--------------------------------------------------------------------------------