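#ifndef GET_SYSCALL64_IDS_H
#define GET_SYSCALL64_IDS_H
/**
\file
\brief Hashes of API names and the functions that resolve them to syscall IDs.

DWORD, BOOL and VOID are not defined in this header; the including
translation unit must provide the Windows SDK headers that define them
before including this file.
*/

/**
\brief Definition of the hashes of APIs and the error value INVALID_SYSCALL_ID

The hash function that produced these values is not part of this header.
Several values are larger than INT_MAX; ISO C only guarantees enumerators
that fit in an int, so these rely on the compiler widening the enumeration
type (GCC and MSVC accept this, possibly with a pedantic warning). Because
INVALID_SYSCALL_ID is a valid enumerator, callers must compare a returned
DWORD against it before using the ID.
*/
enum SYSCALL_IDS
{
    // Files
    NTOPENFILE = 0xC29C5019,    //!< Supported by get_basic_syscall_ID
    NTCREATEFILE = 0x15A5ECDB,  //!< Supported by get_basic_syscall_ID
    NTREADFILE = 0x2E979AE3,    //!< Supported by get_basic_syscall_ID
    NTCLOSE = 0x8B8E133D,       //!< Supported by get_basic_syscall_ID
    NTWRITEFILE = 0xD69326B2,

    // Mutexes
    NTCREATEMUTANT = 0x280632B4,
    NTOPENMUTANT = 0xEC225D72,
    NTRELEASEMUTANT = 0x29567961,

    // Registry
    NTOPENKEY = 0x4BB73E02,
    NTQUERYVALUEKEY = 0xB4C18A83,

    // Process
    NTQUERYSYSTEMINFORMATION = 0xEE4F73A8,

    INVALID_SYSCALL_ID = 0xFFFFFFFF, //!< Used to signify errors
};

/**
\brief Gets the basic ID for the hash given.

This function does not depend on the ID table; instead it has
hardcoded definitions for a FEW APIs (these are marked in the
SYSCALL_IDS enum), so initalize_ID_table() is not required first.
\param func The hash of the API whose ID is searched for
\return The ID, or INVALID_SYSCALL_ID to signify an error. Check the
        result against INVALID_SYSCALL_ID before using it.
\sa get_syscall_ID()
*/
DWORD get_basic_syscall_ID(enum SYSCALL_IDS func);

/**
\brief Initializes the ID table.
\return FALSE if the table could not be set up; in that case no direct
        syscalls can be made.
\note NOTE(review): nothing in this header states whether the table may
      be initialized, queried and destroyed from several threads
      concurrently — confirm with the implementation before sharing it.
\sa destroy_ID_table()
*/
BOOL initalize_ID_table(void);

/**
\brief Frees the ID table. After this is done
no direct syscalls can be made anymore.
\sa initalize_ID_table()
*/
VOID destroy_ID_table(void);

/**
\brief Gets the ID for the hash given.
\pre This function depends on the ID table, so initalize_ID_table()
     must have succeeded and destroy_ID_table() must not have been
     called yet.
\param func The hash of the API whose ID is searched for
\return The ID, or INVALID_SYSCALL_ID to signify an error. Check the
        result against INVALID_SYSCALL_ID before using it.
\sa initalize_ID_table()
\sa get_basic_syscall_ID()
*/
DWORD get_syscall_ID(DWORD func);

#endif // GET_SYSCALL64_IDS_H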