wacked
/
syscall64
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
1 Haara
Puu: 2129994ceb
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '2129994ceb'
${ noResults }
syscall64/get_syscall64_ids.cpp

516 lines
14KB
Raaka Blame Historia 

  1. #include <cstdio>

  2. #include <ntdll.h>

  3. #include <cstdint>

  4. 

  5. #include "structs.h"

  6. #include "wow64ext.h"

  7. #include "misc.h"

  8. #include "syscall64.h"

  9. #include "get_syscall64_ids.h"

  10. 

  11. /**

  12. \file

  13. */

  14. 

  15. /**

  16. \brief All functions doing direct syscalls are saved with a hash of their name

  17. and the accompying syscall ID in the table (API_TO_INDEX*) ID_table.

  18. To get the ID for a given hash the table can be searched.

  19. (To speed up the search the table is sorted and a binary search is used)

  20. */

  21. struct API_TO_INDEX

  22. {

  23. 	DWORD hash;

  24. 	DWORD id;

  25. } *ID_table = NULL;

  26. DWORD ID_table_count = 0; //!< Count of entries in ID_table

  27. 

  28. /**

  29. 	\brief Parses the ID out of a x64 function.

  30. 	\return Returns the ID or INVALID_SYSCALL_ID on err

  31. */

  32. static DWORD get_syscall_id(LPBYTE function)

  33. {

  34. 	if(!function)

  35. 		return INVALID_SYSCALL_ID;

  36. 

  37. 	/*

  38. 	00000000`77b61800 4c8bd1          mov     r10,rcx

  39. 	00000000`77b61803 b852000000      mov     eax,52h

  40. 	00000000`77b61808 0f05            syscall

  41. 

  42. 	On Windows 10 it's:

  43. 	0:000> u NtOpenFile

  44. 	ntdll!NtOpenFile:

  45. 	00007ffe`62bf6720 4c8bd1          mov     r10,rcx

  46. 	00007ffe`62bf6723 b833000000      mov     eax,33h

  47. 	00007ffe`62bf6728 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1

  48. 	00007ffe`62bf6730 7503            jne     ntdll!NtOpenFile+0x15 (00007ffe`62bf6735)

  49. 	00007ffe`62bf6732 0f05            syscall

  50. 	00007ffe`62bf6734 c3              ret

  51. 	00007ffe`62bf6735 cd2e            int     2Eh

  52. 	00007ffe`62bf6737 c3              ret

  53. 	*/

  54. 

  55. 	const unsigned char MOV_R10_RCX_OPCODE[] = {0x4c, 0x8b, 0xd1};

  56. 	if(memcmp(function, MOV_R10_RCX_OPCODE, sizeof(MOV_R10_RCX_OPCODE)))

  57. 		return INVALID_SYSCALL_ID;

  58. 

  59. 	const unsigned char SYSCALL_OPCODE[] = {0x0f, 0x05};

  60. 	const size_t SYSCALL_OFFSET_OLD = 8,

  61. 		SYSCALL_OFFSET_10 = 0x12;

  62. 	uint8_t* old = function + SYSCALL_OFFSET_OLD;

  63. 	uint8_t* win10 = function + SYSCALL_OFFSET_10;

  64. 	if (memcmp(old, SYSCALL_OPCODE, sizeof(SYSCALL_OPCODE)) &&

  65. 		memcmp(win10, SYSCALL_OPCODE, sizeof(SYSCALL_OPCODE))) 

  66. 	{

  67. 		return INVALID_SYSCALL_ID;

  68. 	}

  69. 

  70. 	const unsigned char MOV_EAX_OPCODE = 0xB8;

  71. 	const size_t MOV_EAX_ID_OFFSET = 3;

  72. 	if(MOV_EAX_OPCODE != *(function + MOV_EAX_ID_OFFSET))

  73. 		return INVALID_SYSCALL_ID;

  74. 

  75. 	return *(PDWORD)(function + MOV_EAX_ID_OFFSET + 1);

  76. }

  77. 

  78. 

  79. /**

  80. 	\brief Parses the given image to get the ID or just count them.

  81. 	\return Number of entries found / populated

  82. 	\param imageBase Image base of the DLL the info will be taken from

  83. 	\param ids The struct the info is put into. If NULL - won't be touched

  84. */

  85. static DWORD get_syscall_ids(LPVOID imageBase, API_TO_INDEX* ids)

  86. {

  87. 	if(!imageBase)

  88. 		return 0;

  89. 

  90. 	PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)imageBase;

  91. 	// not a valid DOS header

  92. 	if(IMAGE_DOS_SIGNATURE != dos->e_magic)

  93. 		return 0;

  94. 

  95. 	PIMAGE_NT_HEADERS64 nt = (PIMAGE_NT_HEADERS64)((LPBYTE)imageBase + dos->e_lfanew);

  96. 	// not a valid PE or not the correct architecture

  97. 	if(IMAGE_NT_SIGNATURE != nt->Signature || IMAGE_FILE_MACHINE_AMD64 != nt->FileHeader.Machine)

  98. 	{

  99. 		return 0;

  100. 	}

  101. 

  102. 	// No exports?

  103. 	if(!nt->OptionalHeader.DataDirectory->Size)

  104. 		return 0;

  105. 

  106. 	DWORD count = 0; //! Number of functions who do direct syscalls

  107. 	IMAGE_EXPORT_DIRECTORY *exportDir = (IMAGE_EXPORT_DIRECTORY *)((LPBYTE)imageBase + nt->OptionalHeader.DataDirectory->VirtualAddress);

  108. 	PDWORD nameRef = (DWORD *)((LPBYTE)imageBase + exportDir->AddressOfNames);

  109. 	WORD* ordinal = (WORD *)((LPBYTE)imageBase + exportDir->AddressOfNameOrdinals);

  110. 	DWORD* addressOfFunctions = (DWORD*)((LPBYTE)imageBase + exportDir->AddressOfFunctions);

  111. 

  112. 	printf("Total functions: %d\n", exportDir->NumberOfNames);

  113. 	for(DWORD i = 0; i < exportDir->NumberOfNames; i++, nameRef++)

  114. 	{

  115. 		const char* name = (const char*)((LPBYTE)imageBase + (*nameRef));

  116. 		LPBYTE address = (LPBYTE)imageBase + addressOfFunctions[ordinal[i]];

  117. 

  118. 		DWORD id = get_syscall_id(address);

  119. 		if(INVALID_SYSCALL_ID == id)

  120. 			continue;

  121. 

  122. 		// Put it into the table

  123. 		if(ids)

  124. 		{

  125. 			ids[count].hash = hash(name);

  126. 			ids[count].id = id;

  127. 		}

  128. 		// Print info

  129. 		else

  130. 		{

  131. 			printf("%s (%X) = %X\n", name, hash(name), id);

  132. 		}

  133. 		count++;

  134. 	}

  135. 

  136. 	return count;

  137. }

  138. 

  139. /**

  140. \brief (Bubble)Sorts the ID_table so it can be searched via binary search

  141. */

  142. static void sort_ID_table()

  143. {

  144. 	DWORD n = ID_table_count;

  145. 

  146. 	bool swapped = false;

  147. 	do

  148. 	{

  149. 		for(unsigned int i = 0; i < n - 1; ++i)

  150. 		{

  151. 			if(ID_table[i].hash > ID_table[i + 1].hash)

  152. 			{

  153. 				API_TO_INDEX tmp = {ID_table[i].hash, ID_table[i].id};

  154. 

  155. 				ID_table[i].hash = ID_table[i + 1].hash;

  156. 				ID_table[i].id = ID_table[i + 1].id;

  157. 

  158. 				ID_table[i + 1].hash = tmp.hash;

  159. 				ID_table[i + 1].id = tmp.id;

  160. 

  161. 				swapped = true;

  162. 			}

  163. 		}

  164. 		n = n - 1;

  165. 	} while(swapped == true && n);

  166. }

  167. 

  168. /**

  169. \brief Gets the path to the x64 ntdll in native format

  170. \param path Output buffer

  171. */

  172. static void get_ntdll_path(wchar_t* path)

  173. {

  174. 	wchar_t systemDirectory[MAX_PATH];

  175. 

  176. 	if(!path)

  177. 		return;

  178. 

  179. 	GetSystemDirectory(systemDirectory, _countof(systemDirectory));

  180. 

  181. 	wsprintfW(path, L"\\??\\%s\\ntdll.dll", systemDirectory);

  182. }

  183. /**

  184. */

  185. static BOOL read_ntdll(LPBYTE& content, DWORD& size)

  186. {

  187. 	wchar_t ntdllPath[MAX_PATH]; //! Path in the native format 

  188. 	get_ntdll_path(ntdllPath);

  189. 	printf("%ls\n", ntdllPath);

  190. 

  191. 	_UNICODE_STRING_T<DWORD64> filename = {lstrlenW(ntdllPath) * sizeof(WCHAR), MAX_PATH  * sizeof(WCHAR), (DWORD64)ntdllPath};

  192. 	_OBJECT_ATTRIBUTES_T<DWORD64> obja = {sizeof(_OBJECT_ATTRIBUTES_T<DWORD64>), NULL, (DWORD64)&filename, OBJ_CASE_INSENSITIVE, NULL, NULL};

  193. 	_IO_STATUS_BLOCK_T<DWORD64> iostatusblock = {0};

  194. 

  195. 	_HANDLE_T<DWORD64> fileHandle = {(DWORD64)INVALID_HANDLE_VALUE};

  196. 	NTSTATUS stat = DO_SYSCALL(get_basic_syscall_ID(NTOPENFILE), &fileHandle,

  197. 		FILE_READ_DATA | SYNCHRONIZE, &obja, &iostatusblock, FILE_SHARE_READ,

  198. 		FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);

  199. 	if(STATUS_SUCCESS != stat)

  200. 	{

  201. 		printf("NTSTATUS: %X\tHandle: %llX\n", stat, fileHandle.h);

  202. 		return FALSE;

  203. 	}

  204. 	printf("Handle: %llX\n", fileHandle.h);

  205. 

  206. 	if(!(size = GetFileSize((HANDLE)fileHandle.h, NULL)))

  207. 	{

  208. 		DO_SYSCALL(get_basic_syscall_ID(NTCLOSE), fileHandle.h);

  209. 		return FALSE;

  210. 	}

  211. 	printf("Size of ntdll: %dkb\n", size / 1024);

  212. 

  213. 	/* As no code is actually executed in the new ntdll - but only

  214. 	a few bytes are read from it - rw is enough */

  215. 	if(!(content = (LPBYTE)VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE,

  216. 		PAGE_READWRITE)))

  217. 	{

  218. 		DO_SYSCALL(get_basic_syscall_ID(NTCLOSE), fileHandle.h);

  219. 		return FALSE;

  220. 	}

  221. 	printf("content %p\n", content);

  222. 

  223. 	printf("ios ptr %X", &iostatusblock);

  224. 	LARGE_INTEGER offset = {0};

  225. 	stat = DO_SYSCALL(get_basic_syscall_ID(NTREADFILE), 

  226. 		(HANDLE)fileHandle.h, 

  227. 		NULL, // event

  228. 		NULL, // ApcRoutine

  229. 		NULL, // ApcContext

  230. 		&iostatusblock,

  231. 		content,

  232. 		size,

  233. 		&offset,

  234. 		NULL); // key

  235. 	if(STATUS_SUCCESS != stat)

  236. 	{

  237. 		VirtualFree(content, 0, MEM_RELEASE);

  238. 		content = NULL;

  239. 		DO_SYSCALL(get_basic_syscall_ID(NTCLOSE), fileHandle.h);

  240. 		printf("Reading failed: %X\t%X != %X\n", stat, size, offset.LowPart);

  241. 		return FALSE;

  242. 	}

  243. 	printf("ios: %X\toffset: %X\n", iostatusblock.Status, offset.LowPart);

  244. 

  245. 	DO_SYSCALL(get_basic_syscall_ID(NTCLOSE), fileHandle.h);

  246. 	return TRUE;

  247. }

  248. 

  249. /**

  250. 	\brief (Partly) maps the image.

  251. 

  252. 	This does NOT fix relocations, imports, TLS, sets section protections yadda yadda.

  253. 	As this image is only used to parse out the IDs that is no problem.

  254. 	\param content Raw data of the file to be mapped

  255. 	\param mappedImage The finished image

  256. */

  257. static BOOL map_PE(LPBYTE content, LPBYTE* mappedImage)

  258. {

  259. 	PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)content;

  260. 	if(IMAGE_DOS_SIGNATURE != dos->e_magic)

  261. 	{

  262. 		printf("Not a valid DOS header: %s\n", content);

  263. 		return FALSE;

  264. 	}

  265. 

  266. 	PIMAGE_NT_HEADERS64 nt = (PIMAGE_NT_HEADERS64)(content + dos->e_lfanew);

  267. 	if(IMAGE_NT_SIGNATURE != nt->Signature)

  268. 	{

  269. 		printf("Not a valid PE header\n");

  270. 		return FALSE;

  271. 	}

  272. 

  273. 	/* Must be mapped properly (Actually almost -

  274. 	only the code section would be needed) so the IDs can be be

  275. 	parsed properly */

  276. 	if(!(*mappedImage = (LPBYTE)VirtualAlloc(NULL, nt->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE,

  277. 		PAGE_READWRITE)))

  278. 	{

  279. 		printf("Can't alloc\n");

  280. 		return FALSE;

  281. 	}

  282. 

  283. 	printf("Let's map that shit @ %p. %X sections. %X imageSize\n", *mappedImage,

  284. 		nt->FileHeader.NumberOfSections, nt->OptionalHeader.SizeOfImage);

  285. 

  286. 	// Copy up to the first section (Size of optional header + delta optional header to start of image)

  287. 	memcpy(*mappedImage, content, nt->FileHeader.SizeOfOptionalHeader + ((LPBYTE)&nt->OptionalHeader - (LPBYTE)content));

  288. 

  289. 	// Copy sections

  290. #define IMAGE_FIRST_SECTION64( ntheader ) ((PIMAGE_SECTION_HEADER)        \

  291. 	((ULONG_PTR)(ntheader)+\

  292. 	FIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader) + \

  293. 	((ntheader))->FileHeader.SizeOfOptionalHeader   \

  294. 	))

  295. 	PIMAGE_SECTION_HEADER pish = IMAGE_FIRST_SECTION64(nt);

  296. 	for(unsigned int i = 0; i < nt->FileHeader.NumberOfSections; i++)

  297. 	{

  298. 		printf("Copy %Xbytes @ RVA %X From %X\n", pish->SizeOfRawData, pish->VirtualAddress, pish->PointerToRawData);

  299. 		memcpy((*mappedImage + pish->VirtualAddress), (content + pish->PointerToRawData),

  300. 			pish->SizeOfRawData);

  301. 		pish++;

  302. 	}

  303. 

  304. 	return TRUE;

  305. }

  306. 

  307. /**

  308. \brief Initalize the ID_table.

  309. */

  310. BOOL initalize_ID_table()

  311. {

  312. 	LPBYTE ntdll = NULL, imageBase = NULL;

  313. 	DWORD ntdllSize = 0;

  314. 	if(!read_ntdll(ntdll, ntdllSize))

  315. 		return FALSE;

  316. 	if(!map_PE(ntdll, &imageBase))

  317. 		return FALSE;

  318. 

  319. 	ID_table_count = get_syscall_ids(imageBase, NULL);

  320. 	printf("%i functions who do direct syscalls\n", ID_table_count);

  321. 	if(!ID_table_count)

  322. 		return FALSE;

  323. 

  324. 	if(!(ID_table = (API_TO_INDEX*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ID_table_count * sizeof(API_TO_INDEX))))

  325. 		return FALSE;

  326. 

  327. 	if(!get_syscall_ids(imageBase, ID_table))

  328. 		return FALSE;

  329. 

  330. 	VirtualFree(ntdll, 0, MEM_RELEASE);

  331. 	VirtualFree(imageBase, 0, MEM_RELEASE);

  332. 

  333. 	sort_ID_table();

  334. 

  335. 	return TRUE;

  336. }

  337. 

  338. /**

  339. 	\brief Has a few hardcoded IDs and returns the correct one for the current OS

  340. 

  341. 	Which IDs exactly are hardcoded can be seen in the enum.

  342. 	Table made mostly with data from:

  343. 	x86: http://j00ru.vexillium.org/ntapi/

  344. 	WOW64: http://j00ru.vexillium.org/ntapi_64/

  345. 

  346. 	\fixme >=Win8 Support?

  347. */

  348. DWORD get_basic_syscall_ID(SYSCALL_IDS func)

  349. {

  350. 	_KUSER_SHARED_DATA* _kuser_s_d = GET_KUSER_SHARED_DATA();

  351. 	ULONG majorVersion = _kuser_s_d->NtMajorVersion;

  352. 	ULONG minorVersion = _kuser_s_d->NtMinorVersion;

  353. 	NT_PRODUCT_TYPE productType = _kuser_s_d->NtProductType;

  354. 	_PEB* p = (_PEB*)__readfsdword(0x30);

  355. 	ULONG buildID = p->NtBuildNumber;

  356. 

  357. 	switch(majorVersion)

  358. 	{

  359. 	case 5:

  360. 		// XP

  361. 		if(1 == minorVersion ||

  362. 			(2 == minorVersion && VER_NT_WORKSTATION == productType))

  363. 		{

  364. 			if(NTOPENFILE == func)

  365. 				return 0x30;

  366. 			else if(NTCREATEFILE == func)

  367. 				return 0x52;

  368. 			else if(NTREADFILE == func)

  369. 				return 0x03;

  370. 			else if(NTCLOSE == func)

  371. 				return 0x0C;

  372. 		}

  373. 		// Server 2003

  374. 		else

  375. 		{

  376. 			printf("SRV03 unsupported\n"); // fixme

  377. 			if(NTOPENFILE == func)

  378. 				return 0x7a;

  379. 			else if(NTCREATEFILE == func)

  380. 				return 0x26;

  381. 			else if(NTREADFILE == func)

  382. 				return 0xbf;

  383. 			else if(NTCLOSE == func)

  384. 				return 0x1b;

  385. 		}

  386. 		break;

  387. 	case 6:

  388. 		switch(minorVersion)

  389. 		{

  390. 		// Vista SP0-2 & Server 2008

  391. 		case 0:

  392. 			printf("Vista unsupported\n"); // fixme

  393. 			if(NTOPENFILE == func)

  394. 				return 0xba;

  395. 			else if(NTCREATEFILE == func)

  396. 				return 0x3c;

  397. 			else if(NTREADFILE == func)

  398. 				return 0x102;

  399. 			else if(NTCLOSE == func)

  400. 				return 0x30;

  401. 			break;

  402. 		// Win7

  403. 		case 1:

  404. 			if(NTOPENFILE == func)

  405. 				return 0x30;

  406. 			else if(NTCREATEFILE == func)

  407. 				return 0x52;

  408. 			else if(NTREADFILE == func)

  409. 				return 0x03;

  410. 			else if(NTCLOSE == func)

  411. 				return 0x0C;

  412. 		// Win 8

  413. 		case 2:

  414. 			printf("Win8 unsupported\n"); // fixme

  415. 			if(NTOPENFILE == func)

  416. 				return 0xe7;

  417. 			else if(NTCREATEFILE == func)

  418. 				return 0x15f;

  419. 			else if(NTREADFILE == func)

  420. 				return 0x86;

  421. 			else if(NTCLOSE == func)

  422. 				return 0x0171;

  423. 			break;

  424. 		}

  425. 		break;

  426. 	// Win 10

  427. 	case 10:

  428. 		if (NTOPENFILE == func)

  429. 			return 0x0033;

  430. 		else if (NTCREATEFILE == func)

  431. 			return 0x55;

  432. 		else if (NTREADFILE == func)

  433. 			return 0x06;

  434. 		else if (NTCLOSE == func)

  435. 			return 0x0f;

  436. 	}

  437. 

  438. 	return INVALID_SYSCALL_ID;

  439. }

  440. 

  441. DWORD get_syscall_ID(DWORD func)

  442. {

  443. 	DWORD left = 0, right = ID_table_count;

  444. 

  445. 	while(left != right)

  446. 	{

  447. 		DWORD middle = (left + right) / 2;

  448. 

  449. 		if(func == ID_table[middle].hash)

  450. 			return ID_table[middle].id;

  451. 		if(func > ID_table[middle].hash)

  452. 			left = middle + 1;

  453. 		else

  454. 			right = middle - 1;

  455. 	}

  456. 

  457. 	if(func == ID_table[left].hash)

  458. 	{

  459. 		return ID_table[left].id;

  460. 	}

  461. 

  462. 	return INVALID_SYSCALL_ID;

  463. }

  464. 

  465. VOID destroy_ID_table()

  466. {

  467. 	HeapFree(GetProcessHeap(), 0, ID_table);

  468. }

  469. 

  470. #if 0

  471. BOOL test_id_table()

  472. {

  473. 	LPVOID imageBase = GetModuleHandle(TEXT("ntdll.dll"));

  474. 

  475. 	PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)imageBase;

  476. 	// not a valid DOS header

  477. 	if(IMAGE_DOS_SIGNATURE != dos->e_magic)

  478. 		return FALSE;

  479. 

  480. 	PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((LPBYTE)imageBase + dos->e_lfanew);

  481. 	// not a valid PE or not the correct architecture

  482. 	if(IMAGE_NT_SIGNATURE != nt->Signature || IMAGE_FILE_MACHINE_I386 != nt->FileHeader.Machine)

  483. 	{

  484. 		return FALSE;

  485. 	}

  486. 

  487. 	// No exports?

  488. 	if(!nt->OptionalHeader.DataDirectory->Size)

  489. 		return FALSE;

  490. 

  491. 	IMAGE_EXPORT_DIRECTORY *exportDir = (IMAGE_EXPORT_DIRECTORY *)((LPBYTE)imageBase + nt->OptionalHeader.DataDirectory->VirtualAddress);

  492. 	PDWORD nameRef = (DWORD *)((LPBYTE)imageBase + exportDir->AddressOfNames);

  493. 	WORD* ordinal = (WORD *)((LPBYTE)imageBase + exportDir->AddressOfNameOrdinals);

  494. 	DWORD* addressOfFunctions = (DWORD*)((LPBYTE)imageBase + exportDir->AddressOfFunctions);

  495. 

  496. 	for(DWORD i = 0; i < exportDir->NumberOfNames; i++, nameRef++)

  497. 	{

  498. 		const char* name = (const char*)((LPBYTE)imageBase + (*nameRef));

  499. 		LPBYTE address = (LPBYTE)imageBase + addressOfFunctions[ordinal[i]];

  500. 

  501. 		DWORD id = get_syscall_id(address);

  502. 		if(INVALID_SYSCALL_ID == id)

  503. 			continue;

  504. 

  505. 		// At address is a function doing direct syscalls - check if can be found

  506. 		if(INVALID_SYSCALL_ID == get_syscall_ID(hash(name)))

  507. 		{

  508. 			printf("%s not found", name);

  509. 			return FALSE;

  510. 		}

  511. 	}

  512. 

  513. 	return TRUE;

  514. }

  515. 

  516. #endif