├── README.md ├── LICENSE.txt └── get_ntdll_index.cpp /README.md: -------------------------------------------------------------------------------- 1 | ## Get ntdll syscall index 2 | 3 | ## Credits 4 | - [libpeconv](https://github.com/hasherezade/libpeconv) 5 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | This is free and unencumbered software released into the public domain. 2 | 3 | Anyone is free to copy, modify, publish, use, compile, sell, or 4 | distribute this software, either in source code form or as a compiled 5 | binary, for any purpose, commercial or non-commercial, and by any 6 | means. 7 | 8 | In jurisdictions that recognize copyright laws, the author or authors 9 | of this software dedicate any and all copyright interest in the 10 | software to the public domain. We make this dedication for the benefit 11 | of the public at large and to the detriment of our heirs and 12 | successors. We intend this dedication to be an overt act of 13 | relinquishment in perpetuity of all present and future rights to this 14 | software under copyright law. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE. 23 | 24 | For more information, please refer to 25 | -------------------------------------------------------------------------------- /get_ntdll_index.cpp: -------------------------------------------------------------------------------- 1 | 2 | 3 | #include 4 | 5 | BOOL safeWow64DisableDirectory( 6 | PVOID& arg 7 | ) 8 | { 9 | typedef BOOL (WINAPI *fnWow64DisableWow64FsRedirection)(PVOID* OldValue); 10 | fnWow64DisableWow64FsRedirection pfnWow64DisableWow64FsRedirection = \ 11 | (fnWow64DisableWow64FsRedirection) \ 12 | GetProcAddress(GetModuleHandleW(L"kernel32"), "Wow64DisableWow64FsRedirection"); 13 | if (pfnWow64DisableWow64FsRedirection) { 14 | pfnWow64DisableWow64FsRedirection(&arg); 15 | return TRUE; 16 | } 17 | else { 18 | return FALSE; 19 | } 20 | } 21 | 22 | 23 | BOOL safeWow64ReverDirectory( 24 | PVOID& arg 25 | ) 26 | { 27 | typedef BOOL (WINAPI *fnWow64RevertWow64FsRedirection)(PVOID* OldValue); 28 | fnWow64RevertWow64FsRedirection pfnWow64RevertWow64FsRedirection = \ 29 | (fnWow64RevertWow64FsRedirection) \ 30 | GetProcAddress(GetModuleHandleW(L"kernel32"), "Wow64RevertWow64FsRedirection"); 31 | if (pfnWow64RevertWow64FsRedirection) { 32 | pfnWow64RevertWow64FsRedirection(&arg); 33 | return TRUE; 34 | } 35 | else { 36 | return FALSE; 37 | } 38 | } 39 | 40 | 41 | VOID safeGetNativeSystemInfo( 42 | __out LPSYSTEM_INFO lpSystemInfo 43 | ) 44 | { 45 | if (NULL == lpSystemInfo) return; 46 | 47 | typedef VOID (WINAPI *fnGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo); 48 | fnGetNativeSystemInfo pfnGetNativeSystemInfo = \ 49 | (fnGetNativeSystemInfo) \ 50 | GetProcAddress(GetModuleHandleW(L"kernel32"), "GetNativeSystemInfo"); 51 | if (pfnGetNativeSystemInfo) 52 | pfnGetNativeSystemInfo(lpSystemInfo); 53 | else 54 | GetSystemInfo(lpSystemInfo); 55 | } 56 | 57 | 58 | VOID safeGetVersion( 59 | __out PRTL_OSVERSIONINFOW lpVersionInformation 60 | ) 61 | { 62 | if (NULL == lpVersionInformation) return; 63 | 64 | typedef NTSTATUS(WINAPI* fnRtlGetVersion)(PRTL_OSVERSIONINFOW lpVersionInformation); 65 | fnRtlGetVersion pfnRtlGetVersion = \ 66 | (fnRtlGetVersion) \ 67 | GetProcAddress(GetModuleHandleW(L"ntdll"), "RtlGetVersion"); 68 | if (pfnRtlGetVersion) 69 | pfnRtlGetVersion(lpVersionInformation); 70 | else 71 | #pragma warning(push) 72 | #pragma warning(disable : 4996) 73 | if (FALSE == GetVersionExW(lpVersionInformation)) lpVersionInformation = { }; 74 | #pragma warning(pop) 75 | } 76 | 77 | 78 | BOOL WINAPI isWindows7OrGreater() { 79 | OSVERSIONINFOW osVer = { }; 80 | OSVERSIONINFOW osCheck = { }; 81 | osCheck.dwMajorVersion = HIBYTE(_WIN32_WINNT_WIN7); 82 | osCheck.dwMinorVersion = LOBYTE(_WIN32_WINNT_WIN7); 83 | safeGetVersion(&osVer); 84 | return (osVer.dwPlatformId == VER_PLATFORM_WIN32_NT && 85 | osVer.dwMajorVersion > osCheck.dwMajorVersion || 86 | ((osVer.dwMajorVersion == osCheck.dwMajorVersion) && 87 | (osVer.dwMinorVersion >= osCheck.dwMinorVersion))); 88 | } 89 | 90 | 91 | BOOL WINAPI isOs64() { 92 | SYSTEM_INFO si = { }; 93 | safeGetNativeSystemInfo(&si); 94 | return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64 || 95 | si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_IA64); 96 | } 97 | 98 | 99 | BOOL WINAPI isWow64(HANDLE hProcess = ::GetCurrentProcess()) { 100 | BOOL bWow64 = FALSE; 101 | return (isOs64() && IsWow64Process(hProcess, &bWow64) && bWow64); 102 | } 103 | 104 | 105 | 106 | #include 107 | #include 108 | 109 | bool parse_function_syscall_index(void * fn, uint32_t & u32Idx, bool b64bit = isOs64()) { 110 | if (NULL == fn) 111 | return false; 112 | 113 | PBYTE pFn = PBYTE(fn); 114 | 115 | if (b64bit) { 116 | if (0xB8 == *((uint8_t*)(pFn + 3))) { 117 | uint32_t syscall_index = *((uint32_t*)(pFn + 4)); 118 | u32Idx = syscall_index; 119 | return true; 120 | } 121 | } 122 | else { 123 | if (0xB8 == *((uint8_t*)(pFn + 0))) { 124 | uint32_t syscall_index = *((uint32_t*)(pFn + 1)); 125 | u32Idx = syscall_index; 126 | return true; 127 | } 128 | } 129 | 130 | return false; 131 | } 132 | 133 | 134 | bool get_syscall_tables(std::unordered_map & syscall_tables) { 135 | 136 | syscall_tables.clear(); 137 | 138 | #ifndef _WIN64 139 | PVOID wow64FsReDirectory = NULL; 140 | BOOL isWow64FsReDriectory = isWow64(); 141 | 142 | if (isWow64FsReDriectory) 143 | safeWow64DisableDirectory(wow64FsReDirectory); 144 | #endif 145 | 146 | CHAR sysNtDll[MAX_PATH] = { }; 147 | ExpandEnvironmentStringsA("%systemroot%\\system32\\ntdll.dll", sysNtDll, sizeof(sysNtDll)); 148 | 149 | size_t v_size = 0; 150 | // Load the current executable from the file with the help of libpeconv: 151 | PBYTE loaded_pe = peconv::load_pe_module(sysNtDll, v_size, true, true); 152 | if (!loaded_pe) { 153 | return false; 154 | } 155 | 156 | std::vector name_list; 157 | peconv::get_exported_names(loaded_pe, name_list); 158 | for (std::string name : name_list) { 159 | if ('N' == name[0] && 't' == name[1] 160 | || 'Z' == name[0] && 'w' == name[1]) 161 | { 162 | FARPROC fn = peconv::get_exported_func(loaded_pe, (LPSTR)name.c_str()); 163 | uint32_t u32Idx = 0; 164 | if (parse_function_syscall_index(fn, u32Idx, peconv::is64bit(loaded_pe))) 165 | syscall_tables[name.c_str()] = u32Idx; 166 | } 167 | } 168 | peconv::free_pe_buffer(loaded_pe); 169 | 170 | #ifndef _WIN64 171 | if (isWow64FsReDriectory) 172 | safeWow64ReverDirectory(wow64FsReDirectory); 173 | #endif 174 | 175 | return bool(syscall_tables.size()); 176 | } 177 | 178 | 179 | 180 | 181 | 182 | 183 | #include 184 | 185 | int main() 186 | { 187 | if (!isWindows7OrGreater()) 188 | printf_s("sorry, the system is not supported.\n"); 189 | 190 | std::unordered_map syscall_tables; 191 | bool is_ok = get_syscall_tables(syscall_tables); 192 | 193 | printf_s("get sys call tables: %hs\n", is_ok ? "succeed." : "failed."); 194 | 195 | for (auto item : syscall_tables) 196 | printf_s("name:\t%hs [%x]\n", item.first.c_str(), item.second); 197 | 198 | ::system("pause"); 199 | return EXIT_SUCCESS; 200 | } 201 | 202 | --------------------------------------------------------------------------------