您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符

72 行
1.8KB

  1. #ifndef GET_SYSCALL64_IDS_H
  2. #define GET_SYSCALL64_IDS_H
  3. /**
  4. \file
  5. */
  6. /**
  7. \brief Definition of the hashs of APIs and the error value INVALID_SYSCALL_ID
  8. */
  9. enum SYSCALL_IDS
  10. {
  11. // Files
  12. NTOPENFILE = 0xC29C5019, //! Supported by get_basic_syscall_ID
  13. NTCREATEFILE = 0x15A5ECDB, //! Supported by get_basic_syscall_ID
  14. NTREADFILE = 0x2E979AE3, //! Supported by get_basic_syscall_ID
  15. NTCLOSE = 0x8B8E133D, //! Supported by get_basic_syscall_ID
  16. NTWRITEFILE = 0xD69326B2,
  17. // Mutexes
  18. NTCREATEMUTANT = 0x280632B4,
  19. NTOPENMUTANT = 0xEC225D72,
  20. NTRELEASEMUTANT = 0x29567961,
  21. // Registry
  22. NTOPENKEY = 0x4BB73E02,
  23. NTQUERYVALUEKEY = 0xB4C18A83,
  24. // Process
  25. NTQUERYSYSTEMINFORMATION = 0xEE4F73A8,
  26. INVALID_SYSCALL_ID = 0xFFFFFFFF, //! Used to signify errors
  27. };
  28. /**
  29. \brief Gets the basic ID for the hash given.
  30. This function does not dependent on the ID table but instead has
  31. hardcoded definitions for a FEW Apis (these are marked in the
  32. SYSCALL_IDS enum)
  33. \param func The hash of the API that the ID is searched for
  34. \return Returns the ID or INVALID_SYSCALL_ID
  35. \sa get_syscall_ID()
  36. */
  37. DWORD get_basic_syscall_ID(SYSCALL_IDS func);
  38. /**
  39. \brief Initalizes the ID table.
  40. \return If FALSE no direct syscalls can be made.
  41. \sa free_ID_table()
  42. */
  43. BOOL initalize_ID_table();
  44. /**
  45. \brief Frees the ID table. After this is done
  46. no direct syscalls can be made anymore
  47. \sa initalize_ID_table()
  48. */
  49. VOID destroy_ID_table();
  50. /**
  51. \brief Gets the ID for the hash given.
  52. \pre This function does dependent on the ID table so make sure
  53. to initalize_ID_table() first.
  54. \param func The hash of the API that the ID is searched for
  55. \return Returns the ID or INVALID_SYSCALL_ID
  56. \sa initalize_ID_table()
  57. */
  58. DWORD get_syscall_ID(DWORD func);
  59. #endif // GET_SYSCALL64_IDS_H