summaryrefslogtreecommitdiff
path: root/hookproc.c
diff options
context:
space:
mode:
Diffstat (limited to 'hookproc.c')
-rw-r--r--hookproc.c1799
1 files changed, 1799 insertions, 0 deletions
diff --git a/hookproc.c b/hookproc.c
new file mode 100644
index 0000000..cba59d5
--- /dev/null
+++ b/hookproc.c
@@ -0,0 +1,1799 @@
1/*
2 * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
3 *
4 * Module Name:
5 *
6 * hookproc.c
7 *
8 * Abstract:
9 *
10 * This module implements various service operation (system call) hooking routines.
11 *
12 * Since not all the Zw* services are exported, we use a hack to find the required information.
13 * ntdll.dll contains stubs for calling all the system services. All stubs start with
14 * "mov eax, function_index" instruction where function_index is an index into a global
15 * system call table. By parsing ntdll.dll and extracting all the function indeces
16 * we can map all the Zw* names to their appropriate system call table indeces.
17 *
18 * Author:
19 *
20 * Eugene Tsyrklevich 16-Feb-2004
21 *
22 * Revision History:
23 *
24 * None.
25 */
26
27#include <NTDDK.h>
28#include "hookproc.h"
29#include "sysinfo.h"
30#include "ntproto.h"
31#include "learn.h"
32#include "file.h"
33#include "registry.h"
34#include "section.h"
35#include "sysinfo.h"
36#include "semaphore.h"
37#include "dirobj.h"
38#include "symlink.h"
39#include "mutant.h"
40#include "event.h"
41#include "port.h"
42#include "job.h"
43#include "token.h"
44#include "timer.h"
45#include "driverobj.h"
46#include "process.h"
47#include "procname.h"
48#include "time.h"
49#include "atom.h"
50#include "vdm.h"
51#include "debug.h"
52#include "i386.h"
53#include "misc.h"
54#include "log.h"
55
56
57#ifdef ALLOC_PRAGMA
58#pragma alloc_text (INIT, InitSyscallsHooks)
59#pragma alloc_text (INIT, InstallSyscallsHooks)
60#pragma alloc_text (PAGE, RemoveSyscallsHooks)
61#endif
62
63
64#if DBG
65int HookedRoutineRunning = 0;
66#endif
67
68PCHAR NTDLL_Base;
69
70int ZwCallsNumber = 0;
71
72
73
74/*
75 * FindFunctionOffset()
76 *
77 * Description:
78 * Finds a Zw* system call offset in a system service table.
79 *
80 * Implementation of all the Zw* system services (such as ZwOpenFile or ZwCreateProcess())
81 * start with a "mov eax, function_offset" instruction. Function offset is extracted from
82 * the first instruction.
83 *
84 * Parameters:
85 * Function - Pointer to the function code.
86 *
87 * Returns:
88 * Integer function offset (-1 in case of a failure).
89 */
90
91/* "MOV EAX,IMM32" opcode */
92#define OPCODE_MOV 0xB8
93
94/* macro shortcut for bailing out of FindFunctionOffset in case of an error */
95
96#define ABORT_FindFunctionOffset(msg) { \
97 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindFunctionOffset():")); \
98 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); \
99 return -1; \
100 }
101
102int
103FindFunctionOffset(PULONG_PTR Function)
104{
105 PUCHAR Instruction;
106 ULONG num, ServiceIDNumber, ServiceTableIndex;
107
108
109 /*
110 * Make sure that the service code starts with a MOV EAX,IMM32 instruction:
111 *
112 * lkd> u ZwCreateFile
113 * nt!ZwCreateFile:
114 * 804f86f4 b825000000 mov eax,0x25
115 */
116
117 Instruction = (PUCHAR) Function;
118
119 if (*Instruction != OPCODE_MOV)
120
121 ABORT_FindFunctionOffset(("Invalid opcode %x\n", *Instruction));
122
123
124 /*
125 * Extract the Service Descriptor Table index (4 bytes following the mov opcode)
126 *
127 * The index format is as follows:
128 *
129 * Leading 18 bits are all zeroes
130 * Following 2 bits are system service table index (3 bits on Win64)
131 * Following 12 bits are service number
132 */
133
134 num = * (PULONG) ++Instruction;
135
136
137 /* only SERVICE_TABLE_INDEX_BITS LSB bits should be set */
138
139 ServiceTableIndex = num >> SERVICE_ID_NUMBER_BITS;
140
141 if (ServiceTableIndex >= NUMBER_SERVICE_TABLES)
142
143 ABORT_FindFunctionOffset(("Invalid SSDT index: %x (%x)\n", ServiceTableIndex, num));
144
145
146 /* XXX temporary? There exist 4 (8 on IA64) service tables. All the Zw* system services are in table 0 */
147 if (ServiceTableIndex != 0)
148
149 ABORT_FindFunctionOffset(("Invalid SSDT index2: %x (%x)\n", ServiceTableIndex, num));
150
151
152 /* Verify Service ID Number is in range */
153
154 ServiceIDNumber = num & SERVICE_ID_NUMBER_MASK;
155
156//XXX shouldn't we be using the shadow table instead??
157//shadow table Zw* base address is the same in addition to GUI table
158 if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)
159
160 ABORT_FindFunctionOffset(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices));
161
162
163 return ServiceIDNumber;
164}
165
166
167
168#if 0
169
170/*
171 * HookSystemService()
172 *
173 * Description:
174 * Replaces an existing sytem service pointer (n a global system service table) with another function pointer.
175 *
176 * Parameters:
177 * OldService - Pointer to the service code to mediate.
178 * NewService - Pointer to the new function code.
179 *
180 * Returns:
181 * Current OldService indexed system service function pointer.
182 */
183
184/* macro shortcut for bailing out of HookSystemService in case of an error */
185
186#define ABORT_HookSystemService(msg) { \
187 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in HookSystemService():")); \
188 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, (msg)); \
189 return NULL; \
190 }
191
192PVOID
193HookSystemService(PVOID OldService, PVOID NewService)
194{
195 PULONG_PTR ssdt;
196 PULONG_PTR retptr = NULL;
197 ULONG ServiceIDNumber;
198
199
200 if (OldService == NULL || NewService == NULL)
201
202 ABORT_HookSystemService(("NULL detected. OldService=%x NewService=%x", OldService, NewService));
203
204
205 ServiceIDNumber = FindFunctionOffset(OldService);
206
207 if (ServiceIDNumber == -1)
208
209 ABORT_HookSystemService(("FindFunctionOffset(%x) failed", OldService));
210
211
212 ssdt = KeServiceDescriptorTable[0].ServiceTableBase;
213
214
215 retptr = (PULONG_PTR) ssdt[ServiceIDNumber];
216
217 if (retptr == NULL)
218
219 ABORT_HookSystemService(("ssdt[index] = NULL\n"));
220
221
222 if (((ULONG) retptr & SystemAddressStart) == 0)
223
224 ABORT_HookSystemService(("invalid code instruction specified\n"));
225
226
227 retptr = ExchangeReadOnlyMemoryPointer((PVOID *) &ssdt[ServiceIDNumber], NewService);
228
229
230 return retptr;
231}
232
233#endif
234
235
236
237/*
238 * HookSystemServiceByIndex()
239 *
240 * Description:
241 * Replaces an existing sytem service (n a global system service table) with another function pointer.
242 *
243 * Parameters:
244 * ServiceIDNumber - Index of a system service to mediate.
245 * NewService - Pointer to the new function code.
246 *
247 * Returns:
248 * Current ServiceIDNumber indexed system service function pointer.
249 */
250
251/* macro shortcut for bailing out of HookSystemServiceByIndex in case of an error */
252
253#define ABORT_HookSystemServiceByIndex(msg) { \
254 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in HookSystemServiceByIndex():")); \
255 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); \
256 return NULL; \
257 }
258
259PVOID
260HookSystemServiceByIndex(ULONG ServiceIDNumber, PVOID NewService)
261{
262 PULONG_PTR ssdt;
263 PULONG_PTR retptr = NULL;
264 ULONG ServiceTableIndex = 0;
265
266
267 ssdt = KeServiceDescriptorTable[ServiceTableIndex].ServiceTableBase;
268
269
270 /* Verify Service ID Number is in range */
271
272//XXX shouldn't we be using the shadow table instead??
273 if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)
274
275 ABORT_HookSystemServiceByIndex(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices));
276
277
278 retptr = (PULONG_PTR) ssdt[ServiceIDNumber];
279
280 if (retptr == NULL)
281
282 ABORT_HookSystemServiceByIndex(("ssdt[index] = NULL\n"));
283
284
285 if (((ULONG) retptr & SystemAddressStart) == 0)
286
287 ABORT_HookSystemServiceByIndex(("invalid code instruction specified\n"));
288
289
290 retptr = ExchangeReadOnlyMemoryPointer((PVOID *) &ssdt[ServiceIDNumber], NewService);
291
292
293 return retptr;
294}
295
296
297#if 0
298/*
299 * FindSystemServiceByIndex()
300 *
301 * Description:XXX
302 * Replaces an existing sytem service (n a global system service table) with another function pointer.
303 *
304 * Parameters:
305 * ServiceIDNumber - Index of a system service to mediate.
306 * NewService - Pointer to the new function code.
307 *
308 * Returns:
309 * Current ServiceIDNumber indexed system service function pointer.
310 */
311
312/* macro shortcut for bailing out of HookSystemServiceByIndex in case of an error */
313
314#define ABORT_FindSystemServiceByIndex(msg) { LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindSystemServiceByIndex():")); LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); return NULL; }
315
316PULONG
317FindSystemServiceByIndex(ULONG ServiceIDNumber)
318{
319 PULONG_PTR ssdt;
320 PULONG_PTR retptr = NULL;
321 ULONG ServiceTableIndex = 0;
322
323
324 ssdt = KeServiceDescriptorTable[ServiceTableIndex].ServiceTableBase;
325
326
327 /* Verify Service ID Number is in range */
328
329//XXX shouldn't we be using the shadow table instead??
330 if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)
331
332 ABORT_FindSystemServiceByIndex(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices));
333
334
335 retptr = (PULONG_PTR) ssdt[ServiceIDNumber];
336
337 if (retptr == NULL)
338
339 ABORT_FindSystemServiceByIndex(("ssdt[index] = NULL\n"));
340
341
342 if (((ULONG) retptr & SystemAddressStart) == 0)
343
344 ABORT_FindSystemServiceByIndex(("invalid code instruction specified\n"));
345
346
347 return (PULONG) ssdt[ServiceIDNumber];
348}
349#endif
350
351
352/*
353 * HookSystemServiceByName()
354 *
355 * Description:
356 * Replaces an existing sytem service (n a global system service table) with another function pointer.
357 *
358 * Parameters:
359 * ServiceName - Name of a Zw* system service to mediate.
360 * HookFunction - Pointer to the mediator function code.
361 *
362 * Returns:
363 * TRUE to indicate success, FALSE if failed.
364 */
365
366BOOLEAN
367HookSystemServiceByName(PCHAR ServiceName, PULONG_PTR HookFunction)
368{
369 int i;
370
371
372 for (i = 0; i < ZwCallsNumber; i++)
373 {
374 if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0)
375 {
376// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("HookSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber));
377
378 // hijack the syscall if not hijacked already
379 if (ZwCalls[i].Hijacked == FALSE && ZwCalls[i].ServiceIDNumber != -1)
380 {
381 if ((ZwCalls[i].OriginalFunction = HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber,
382 HookFunction ? HookFunction : ZwCalls[i].HookFunction)) != NULL)
383 {
384 ZwCalls[i].Hijacked = TRUE;
385 }
386 }
387
388 return TRUE;
389 }
390 }
391
392
393 return FALSE;
394}
395
396
397
398#if 0
399/*
400 * FindSystemServiceIndex()
401 *
402 * Description:
403 * Find a system service index for a specified service name.
404 *
405 * Parameters:
406 * ServiceName - Name of a Zw* system service to find.
407 *
408 * Returns:
409 * System service index if found, -1 otherwise.
410 */
411
412ULONG
413FindSystemServiceIndex(PCHAR ServiceName)
414{
415 int i;
416
417
418 for (i = 0; i < ZwCallsNumber; i++)
419 {
420 if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0)
421 {
422// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber));
423
424 return ZwCalls[i].ServiceIDNumber;
425 }
426 }
427
428
429 return -1;
430}
431#endif
432
433
434/*
435 * FindSystemServiceNumber()
436 *
437 * Description:
438 * Find a system service number for a specified service name.
439 *
440 * Parameters:
441 * ServiceName - Name of a Zw* system service to find.
442 *
443 * Returns:
444 * System service number if found, -1 otherwise.
445 */
446
447ULONG
448FindSystemServiceNumber(PCHAR ServiceName)
449{
450 int i;
451
452
453 for (i = 0; i < ZwCallsNumber; i++)
454 {
455 if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0)
456 {
457// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber));
458
459 return i;
460 }
461 }
462
463
464 return -1;
465}
466
467
468
469/*
470 * Find_NTDLL_Base()
471 *
472 * Description:
473 * Returns the base address of mapped ntdll.dll in a "System" process context.
474 *
475 * NOTE: Based on "Windows NT/2000 Native API Reference" implementation.
476 *
477 * Parameters:
478 * None.
479 *
480 * Returns:
481 * ntdll.dll base address (NULL if not found).
482 */
483
484PVOID
485Find_NTDLL_Base()
486{
487 ULONG size, i;
488 PVOID ntdll = NULL;
489 PULONG SystemInfo;
490 PSYSTEM_MODULE_INFORMATION pSMI;
491 NTSTATUS status;
492
493
494 /*
495 * The data returned to the SystemInformation buffer is a ULONG count of the number of
496 * modules followed immediately by an array of SYSTEM_MODULE_INFORMATION.
497 *
498 * The system modules are the Portable Executable (PE) format files loaded into the
499 * kernel address space (ntoskrnl.exe, hal.dll, device drivers, and so on) and ntdll.dll.
500 */
501
502
503 /* first, find out the total amount of module information to be returned */
504
505 status = ZwQuerySystemInformation(SystemModuleInformation, &size, 0, &size);
506 if (size == 0 || size > 1024*1024)
507 {
508 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: ZwQuerySystemInformation failed. status=%x size=%d\n", status, size));
509 return NULL;
510 }
511
512
513 /* second, allocate the required amount of memory */
514
515 SystemInfo = ExAllocatePoolWithTag(PagedPool, size + 4, _POOL_TAG);
516 if (SystemInfo == NULL)
517 {
518 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: out of memory (requested %d bytes)\n", size + 4));
519 return NULL;
520 }
521
522
523 /* third, request the module information */
524
525 ZwQuerySystemInformation(SystemModuleInformation, SystemInfo, size, &i);
526
527 if (size != ((*SystemInfo * sizeof(SYSTEM_MODULE_INFORMATION)) + 4))
528 {
529 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: inconsistent size (%d != %d * %d + 4)\n", size, *SystemInfo, sizeof(SYSTEM_MODULE_INFORMATION)));
530 return NULL;
531 }
532
533
534
535 pSMI = (PSYSTEM_MODULE_INFORMATION) (SystemInfo + 1);
536
537 for (i = 0; i < *SystemInfo; i++)
538 {
539// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("comparing '%s' (base 0x%x)\n", pSMI[i].ImageName + pSMI[i].ModuleNameOffset, pSMI[i].Base));
540
541 if (_stricmp(pSMI[i].ImageName + pSMI[i].ModuleNameOffset, "ntdll.dll") == 0)
542 {
543 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_VERBOSE, ("Find_NTDLL_Base: ntdll.dll base address is %x\n", pSMI[i].Base));
544 ntdll = pSMI[i].Base;
545 break;
546 }
547 }
548
549 ExFreePoolWithTag(SystemInfo, _POOL_TAG);
550
551
552 return ntdll;
553}
554
555
556#if 0
557PVOID
558Find_Kernel32_Base2()
559{
560 PVOID Kernel32 = NULL;
561 NTSTATUS status;
562 OBJECT_ATTRIBUTES ObjectAttributes;
563 IO_STATUS_BLOCK isb;
564 HANDLE FileHandle;
565 UNICODE_STRING usName;
566 PVOID BaseAddress = NULL;
567 SIZE_T Size;
568 CHAR buffer[256];
569
570
571// RtlInitUnicodeString(&usName, L"\\SystemRoot\\System32\\kernel32.dll");
572 RtlInitUnicodeString(&usName, L"\\??\\c:\\windows\\system32\\kernel32.dll");
573 InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
574
575 status = ZwCreateFile(&FileHandle, GENERIC_READ, &ObjectAttributes, &isb, NULL, 0, 0, 0, 0, NULL, 0);
576 if (!NT_SUCCESS(status))
577 {
578 LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("Find_Kernel32_Base: Failed to open file %S (%x)\n", usName.Buffer, status));
579 return FALSE;
580 }
581
582
583 status = ZwReadFile(FileHandle, NULL, NULL, NULL, &isb, (PVOID) buffer, sizeof(buffer) - 1, 0, NULL);
584
585 if (! NT_SUCCESS(status))
586 {
587 if (status != STATUS_END_OF_FILE)
588 {
589 LOG(LOG_SS_POLICY, LOG_PRIORITY_DEBUG, ("LoadSecurityPolicy: ZwReadFile failed rc=%x\n", status));
590 }
591 }
592
593 ZwClose(FileHandle);
594
595
596 return Kernel32;
597}
598
599
600
601PVOID
602Find_Kernel32_Base()
603{
604 PVOID Kernel32 = NULL;
605 NTSTATUS status;
606 OBJECT_ATTRIBUTES ObjectAttributes;
607 HANDLE SectionHandle;
608 UNICODE_STRING usName;
609 PVOID BaseAddress = NULL;
610 SIZE_T Size;
611 NTSTATUS q;
612
613
614 RtlInitUnicodeString(&usName, L"\\KnownDlls\\kernel32.dll");
615 InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_KERNEL_HANDLE, NULL, NULL);
616
617 if (NT_SUCCESS( ZwOpenSection(&SectionHandle, SECTION_MAP_READ, &ObjectAttributes) ))
618 {
619 q = ZwMapViewOfSection(SectionHandle, NtCurrentProcess(), &BaseAddress, 0, 0, NULL, &Size, ViewShare, MEM_RESERVE, PAGE_READWRITE);
620 if (NT_SUCCESS(q))
621 {
622 KdPrint(("XXX mapped kernel32.dll at BaseAddress %x\n", BaseAddress));
623
624 if (!NT_SUCCESS( ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress) ))
625 {
626 KdPrint(("ZwUnmapViewOfSection failed"));
627 }
628
629 ZwClose(SectionHandle);
630 }
631 else
632 {
633 KdPrint(("ZwMapViewOfSection failed with status %x", q));
634 }
635 }
636 else
637 {
638 KdPrint(("ZwOpenSection failed"));
639 }
640
641 return Kernel32;
642}
643#endif
644
645
646/*
647 * FindFunctionBase()
648 *
649 * Description:
650 * Finds the address where a function is mapped at.
651 *
652 * NOTE: Based on "Windows NT/2000 Native API Reference" implementation.
653 *
654 * Parameters:
655 * Base - Mapped address of a DLL exporting the function.
656 * Name - Function name.
657 *
658 * Returns:
659 * Address where a function is mapped at (NULL if not found).
660 */
661
662/* macro shortcut for bailing out of FindFunctionBase in case of an error */
663
664#define ABORT_FindFunctionBase(msg) { \
665 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindFunctionBase():")); \
666 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); \
667 return NULL; \
668 }
669
670PVOID
671FindFunctionBase(PCHAR ImageBase, PCSTR Name)
672{
673 PIMAGE_DOS_HEADER DosHeader;
674 PIMAGE_NT_HEADERS PeHeader;
675 PIMAGE_DATA_DIRECTORY ImageExportDirectoryEntry;
676 ULONG ExportDirectorySize, ExportDirectoryOffset, i;
677 PIMAGE_EXPORT_DIRECTORY ExportDirectory;
678 PULONG ExportAddressTable;
679 PSHORT ExportOrdinalTable;
680 PULONG ExportNameTable;
681
682
683 if ( (DosHeader = (PIMAGE_DOS_HEADER) ImageBase) == NULL)
684
685 ABORT_FindFunctionBase(("Base pointer is NULL (name = %s)\n", Name));
686
687
688 if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
689
690 ABORT_FindFunctionBase(("DOS Signature not found! (%x %x)\n", DosHeader, DosHeader->e_magic));
691
692
693 if (DosHeader->e_lfanew > 1024*1024)
694
695 ABORT_FindFunctionBase(("Invalid e_lfanew value %x\n", DosHeader->e_lfanew));
696
697
698 if ( (PeHeader = (PIMAGE_NT_HEADERS) (ImageBase + DosHeader->e_lfanew)) == NULL)
699
700 ABORT_FindFunctionBase(("NT header pointer is NULL (name = %s)\n", Name));
701
702
703 if (PeHeader->Signature != IMAGE_PE_SIGNATURE)
704
705 ABORT_FindFunctionBase(("PE Signature not found! (%x %x)\n", PeHeader, PeHeader->Signature));
706
707
708 if ( (ImageExportDirectoryEntry = PeHeader->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT) == NULL)
709
710 ABORT_FindFunctionBase(("Export directory pointer is NULL (name = %s)\n", Name));
711
712
713 ExportDirectorySize = ImageExportDirectoryEntry->Size;
714 ExportDirectoryOffset = ImageExportDirectoryEntry->VirtualAddress;
715
716 if ( (ExportDirectory = (PIMAGE_EXPORT_DIRECTORY) (ImageBase + ExportDirectoryOffset)) == NULL)
717
718 ABORT_FindFunctionBase(("Exports pointer is NULL (name = %s)\n", Name));
719
720
721 ExportAddressTable = (PULONG) (ImageBase + ExportDirectory->AddressOfFunctions);
722 ExportOrdinalTable = (PSHORT) (ImageBase + ExportDirectory->AddressOfNameOrdinals);
723 ExportNameTable = (PULONG) (ImageBase + ExportDirectory->AddressOfNames);
724
725//XXX "AcceptConnectPort\0" \0 necessary to make sure ZwCreateProcess does not match ZwCreateProcessEx ?
726
727 for (i = 0; i < ExportDirectory->NumberOfNames; i++)
728 {
729 ULONG ord = ExportOrdinalTable[i];
730
731 if (ExportAddressTable[ord] < ExportDirectoryOffset ||
732 ExportAddressTable[ord] >= ExportDirectoryOffset + ExportDirectorySize)
733 {
734 //XXX windows loader uses binary search?
735 if (strcmp(ImageBase + ExportNameTable[i], Name) == 0)
736 {
737 return ImageBase + ExportAddressTable[ord];
738 }
739 }
740 }
741
742 return NULL;
743}
744
745
746
747/*
748 * FindZwFunctionIndex()
749 *
750 * Description:
751 * Finds a system service table index of a Zw* system service.
752 *
753 * NOTE: Based on "Windows NT/2000 Native API Reference" implementation.
754 *
755 * Parameters:
756 * Name - Zw* service name.
757 *
758 * Returns:
759 * Zw* service index in a system service table (-1 if not found).
760 */
761
762int
763FindZwFunctionIndex(PCSTR Name)
764{
765 PULONG_PTR FunctionBase;
766
767
768 if (NTDLL_Base == NULL)
769 if ( (NTDLL_Base = Find_NTDLL_Base()) == NULL)
770 return -1;
771
772
773 if ( (FunctionBase = FindFunctionBase(NTDLL_Base, Name)) == NULL)
774 {
775// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindZwFunctionIndex: FindZwFunctionBase(%s) returned NULL", Name));
776 return -1;
777 }
778
779
780 return FindFunctionOffset(FunctionBase);
781}
782
783
784
785/*
786 * ZwCalls structure describes all known system services.
787 * Part of the structure (i.e. system call table offset and system call address)
788 * is filled in at runtime.
789 *
790 * Automatically generated with
791 * dumpbin /exports c:\windows2003\system32\ntdll.dll|grep Zw|
792 * perl -wnle "print qq{\t{ \"$1\", NULL, (PULONG_PTR) SystemCallHandler$i, NULL, FALSE },} if /(Zw.*)/; ++$i" > win2k3_syscalls
793 *
794 * perl -wne "if (/\"Zw(.*?)\"/) { $q=length $1; s/\"Zw(.*?)\"/\"Zw$1\", $q/} print" q.txt > q2.txt
795 */
796
797struct _ZwCalls /* {
798 PCHAR ZwName; // System call name
799 USHORT ZwNameLength; // System call name length
800 USHORT ServiceIDNumber; // System call index (filled in at runtime)
801 PULONG_PTR HookFunction; // Address of the hijacking function (function that will be called instead of the original system call)
802 PULONG_PTR OriginalFunction; // PlaceHolder for the address of the original syscall address
803 BOOLEAN Hijacked; // Flag indicating whether we already hijacked this system call
804 // or whether this is a special system service that needs to be hijacked initially
805} */ ZwCalls[] =
806{
807 { "ZwAcceptConnectPort", 17, -1, (PULONG_PTR) SystemCallHandler0, NULL, FALSE },
808 { "ZwAccessCheck", 11, -1, (PULONG_PTR) SystemCallHandler1, NULL, FALSE },
809 { "ZwAccessCheckAndAuditAlarm", 24, -1, (PULONG_PTR) SystemCallHandler2, NULL, FALSE },
810 { "ZwAccessCheckByType", 17, -1, (PULONG_PTR) SystemCallHandler3, NULL, FALSE },
811 { "ZwAccessCheckByTypeAndAuditAlarm", 30, -1, (PULONG_PTR) SystemCallHandler4, NULL, FALSE },
812 { "ZwAccessCheckByTypeResultList", 27, -1, (PULONG_PTR) SystemCallHandler5, NULL, FALSE },
813 { "ZwAccessCheckByTypeResultListAndAuditAlarm", 40, -1, (PULONG_PTR) SystemCallHandler6, NULL, FALSE },
814 { "ZwAccessCheckByTypeResultListAndAuditAlarmByHandle", 48, -1, (PULONG_PTR) SystemCallHandler7, NULL, FALSE },
815
816
817#if HOOK_ATOM
818 { "ZwAddAtom", 7, -1, (PULONG_PTR) HookedNtAddAtom, NULL, TRUE },
819#else
820 { "ZwAddAtom", 7, -1, (PULONG_PTR) SystemCallHandler8, NULL, FALSE },
821#endif
822
823
824//XXX
825 { "ZwAddBootEntry", 12, -1, (PULONG_PTR) SystemCallHandler9, NULL, FALSE },
826 { "ZwAddDriverEntry", 14, -1, (PULONG_PTR) SystemCallHandler10, NULL, FALSE },
827
828
829#if HOOK_TOKEN_ZZZ
830 { "ZwAdjustGroupsToken", 17, -1, (PULONG_PTR) HookedNtAdjustGroupsToken, NULL, TRUE },
831#else
832 { "ZwAdjustGroupsToken", 17, -1, (PULONG_PTR) SystemCallHandler11, NULL, FALSE },
833#endif
834
835#if HOOK_TOKEN
836 { "ZwAdjustPrivilegesToken", 21, -1, (PULONG_PTR) HookedNtAdjustPrivilegesToken, NULL, TRUE },
837#else
838 { "ZwAdjustPrivilegesToken", 21, -1, (PULONG_PTR) SystemCallHandler12, NULL, FALSE },
839#endif
840
841
842 { "ZwAlertResumeThread", 17, -1, (PULONG_PTR) SystemCallHandler13, NULL, FALSE },
843 { "ZwAlertThread", 11, -1, (PULONG_PTR) SystemCallHandler14, NULL, FALSE },
844 { "ZwAllocateLocallyUniqueId", 23, -1, (PULONG_PTR) SystemCallHandler15, NULL, FALSE },
845 { "ZwAllocateUserPhysicalPages", 25, -1, (PULONG_PTR) SystemCallHandler16, NULL, FALSE },
846 { "ZwAllocateUuids", 13, -1, (PULONG_PTR) SystemCallHandler17, NULL, FALSE },
847 { "ZwAllocateVirtualMemory", 21, -1, (PULONG_PTR) SystemCallHandler18, NULL, FALSE },
848 { "ZwApphelpCacheControl", 19, -1, (PULONG_PTR) SystemCallHandler19, NULL, FALSE },
849 { "ZwAreMappedFilesTheSame", 21, -1, (PULONG_PTR) SystemCallHandler20, NULL, FALSE },
850 { "ZwAssignProcessToJobObject", 24, -1, (PULONG_PTR) SystemCallHandler21, NULL, FALSE },
851 { "ZwCallbackReturn", 14, -1, (PULONG_PTR) SystemCallHandler22, NULL, FALSE },
852 { "ZwCancelDeviceWakeupRequest", 25, -1, (PULONG_PTR) SystemCallHandler23, NULL, FALSE },
853 { "ZwCancelIoFile", 12, -1, (PULONG_PTR) SystemCallHandler24, NULL, FALSE },
854 { "ZwCancelTimer", 11, -1, (PULONG_PTR) SystemCallHandler25, NULL, FALSE },
855 { "ZwClearEvent", 10, -1, (PULONG_PTR) SystemCallHandler26, NULL, FALSE },
856
857 /* don't mediate for performance reasons, requires a valid handle anyway */
858 { "ZwClose", 5, -1, NULL, NULL, FALSE },
859
860 { "ZwCloseObjectAuditAlarm", 21, -1, (PULONG_PTR) SystemCallHandler28, NULL, FALSE },
861 { "ZwCompactKeys", 11, -1, (PULONG_PTR) SystemCallHandler29, NULL, FALSE },
862 { "ZwCompareTokens", 13, -1, (PULONG_PTR) SystemCallHandler30, NULL, FALSE },
863 { "ZwCompleteConnectPort", 19, -1, (PULONG_PTR) SystemCallHandler31, NULL, FALSE },
864 { "ZwCompressKey", 11, -1, (PULONG_PTR) SystemCallHandler32, NULL, FALSE },
865
866
867#if HOOK_PORT
868 { "ZwConnectPort", 11, -1, (PULONG_PTR) HookedNtConnectPort, NULL, TRUE },
869#else
870 { "ZwConnectPort", 11, -1, (PULONG_PTR) SystemCallHandler33, NULL, FALSE },
871#endif
872
873
874 { "ZwContinue", 8, -1, (PULONG_PTR) SystemCallHandler34, NULL, FALSE },
875
876
877#if HOOK_DEBUG_ZZZ
878 { "ZwCreateDebugObject", 17, -1, (PULONG_PTR) HookedNtCreateDebugObject, NULL, TRUE },
879#else
880 { "ZwCreateDebugObject", 17, -1, (PULONG_PTR) SystemCallHandler35, NULL, FALSE },
881#endif
882
883
884#if HOOK_DIROBJ
885 { "ZwCreateDirectoryObject", 21, -1, (PULONG_PTR) HookedNtCreateDirectoryObject, NULL, TRUE },
886#else
887 { "ZwCreateDirectoryObject", 21, -1, (PULONG_PTR) SystemCallHandler36, NULL, FALSE },
888#endif
889
890
891#if HOOK_EVENT
892 { "ZwCreateEvent", 11, -1, (PULONG_PTR) HookedNtCreateEvent, NULL, TRUE },
893 { "ZwCreateEventPair", 15, -1, (PULONG_PTR) HookedNtCreateEventPair, NULL, TRUE },
894#else
895 { "ZwCreateEvent", 11, -1, (PULONG_PTR) SystemCallHandler37, NULL, FALSE },
896 { "ZwCreateEventPair", 15, -1, (PULONG_PTR) SystemCallHandler38, NULL, FALSE },
897#endif
898
899
900#if HOOK_FILE
901 { "ZwCreateFile", 10, -1, (PULONG_PTR) HookedNtCreateFile, NULL, TRUE },
902#else
903 { "ZwCreateFile", 10, -1, (PULONG_PTR) SystemCallHandler39, NULL, FALSE },
904#endif
905
906
907 { "ZwCreateIoCompletion", 18, -1, (PULONG_PTR) SystemCallHandler40, NULL, FALSE },
908
909
910#if HOOK_JOB
911 { "ZwCreateJobObject", 15, -1, (PULONG_PTR) HookedNtCreateJobObject, NULL, TRUE },
912#else
913 { "ZwCreateJobObject", 15, -1, (PULONG_PTR) SystemCallHandler41, NULL, FALSE },
914#endif
915
916
917//XXX ???
918 { "ZwCreateJobSet", 12, -1, (PULONG_PTR) SystemCallHandler42, NULL, FALSE },
919
920
921#if HOOK_REGISTRY
922 { "ZwCreateKey", 9, -1, (PULONG_PTR) HookedNtCreateKey, NULL, TRUE },
923#else
924 { "ZwCreateKey", 9, -1, (PULONG_PTR) SystemCallHandler43, NULL, FALSE },
925#endif
926
927
928 { "ZwCreateKeyedEvent", 16, -1, (PULONG_PTR) SystemCallHandler44, NULL, FALSE },
929
930
931#if HOOK_FILE
932 { "ZwCreateMailslotFile", 18, -1, (PULONG_PTR) HookedNtCreateMailslotFile, NULL, TRUE },
933#else
934 { "ZwCreateMailslotFile", 18, -1, (PULONG_PTR) SystemCallHandler45, NULL, FALSE },
935#endif
936
937
938#if HOOK_MUTANT
939 { "ZwCreateMutant", 12, -1, (PULONG_PTR) HookedNtCreateMutant, NULL, TRUE },
940#else
941 { "ZwCreateMutant", 12, -1, (PULONG_PTR) SystemCallHandler46, NULL, FALSE },
942#endif
943
944
945#if HOOK_FILE
946 { "ZwCreateNamedPipeFile", 19, -1, (PULONG_PTR) HookedNtCreateNamedPipeFile, NULL, TRUE },
947#else
948 { "ZwCreateNamedPipeFile", 19, -1, (PULONG_PTR) SystemCallHandler47, NULL, FALSE },
949#endif
950
951
952 { "ZwCreatePagingFile", 16, -1, (PULONG_PTR) SystemCallHandler48, NULL, FALSE },
953
954
955#if HOOK_PORT
956 { "ZwCreatePort", 10, -1, (PULONG_PTR) HookedNtCreatePort, NULL, TRUE },
957#else
958 { "ZwCreatePort", 10, -1, (PULONG_PTR) SystemCallHandler49, NULL, FALSE },
959#endif
960
961
962#if HOOK_PROCESS
963 { "ZwCreateProcess", 13, -1, (PULONG_PTR) HookedNtCreateProcess, NULL, TRUE },
964 { "ZwCreateProcessEx", 15, -1, (PULONG_PTR) HookedNtCreateProcessEx, NULL, TRUE },
965#else
966 { "ZwCreateProcess", 13, -1, (PULONG_PTR) SystemCallHandler50, NULL, FALSE },
967 { "ZwCreateProcessEx", 15, -1, (PULONG_PTR) SystemCallHandler51, NULL, FALSE },
968#endif
969
970
971 { "ZwCreateProfile", 13, -1, (PULONG_PTR) SystemCallHandler52, NULL, FALSE },
972
973
974#if HOOK_SECTION
975 { "ZwCreateSection", 13, -1, (PULONG_PTR) HookedNtCreateSection, NULL, TRUE },
976#else
977 { "ZwCreateSection", 13, -1, (PULONG_PTR) SystemCallHandler53, NULL, FALSE },
978#endif
979
980
981#if HOOK_SEMAPHORE
982 { "ZwCreateSemaphore", 15, -1, (PULONG_PTR) HookedNtCreateSemaphore, NULL, TRUE },
983#else
984 { "ZwCreateSemaphore", 15, -1, (PULONG_PTR) SystemCallHandler54, NULL, FALSE },
985#endif
986
987
988#if HOOK_SYMLINK
989 { "ZwCreateSymbolicLinkObject", 24, -1, (PULONG_PTR) HookedNtCreateSymbolicLinkObject, NULL, TRUE },
990#else
991 { "ZwCreateSymbolicLinkObject", 24, -1, (PULONG_PTR) SystemCallHandler55, NULL, FALSE },
992#endif
993
994
995#if HOOK_PROCESS
996 { "ZwCreateThread", 12, -1, (PULONG_PTR) HookedNtCreateThread, NULL, TRUE },
997#else
998 { "ZwCreateThread", 12, -1, (PULONG_PTR) SystemCallHandler56, NULL, FALSE },
999#endif
1000
1001
1002#if HOOK_TIMER
1003 { "ZwCreateTimer", 11, -1, (PULONG_PTR) HookedNtCreateTimer, NULL, TRUE },
1004#else
1005 { "ZwCreateTimer", 11, -1, (PULONG_PTR) SystemCallHandler57, NULL, FALSE },
1006#endif
1007
1008
1009#if HOOK_TOKEN_ZZZ
1010 { "ZwCreateToken", 11, -1, (PULONG_PTR) HookedNtCreateToken, NULL, TRUE },
1011#else
1012 { "ZwCreateToken", 11, -1, (PULONG_PTR) SystemCallHandler58, NULL, FALSE },
1013#endif
1014
1015
1016#if HOOK_PORT
1017 { "ZwCreateWaitablePort", 18, -1, (PULONG_PTR) HookedNtCreateWaitablePort, NULL, TRUE },
1018#else
1019 { "ZwCreateWaitablePort", 18, -1, (PULONG_PTR) SystemCallHandler59, NULL, FALSE },
1020#endif
1021
1022
1023#if HOOK_DEBUG
1024 { "ZwDebugActiveProcess", 18, -1, (PULONG_PTR) HookedNtDebugActiveProcess, NULL, TRUE },
1025#else
1026 { "ZwDebugActiveProcess", 18, -1, (PULONG_PTR) SystemCallHandler60, NULL, FALSE },
1027#endif
1028
1029
1030 { "ZwDebugContinue", 13, -1, (PULONG_PTR) SystemCallHandler61, NULL, FALSE },
1031 { "ZwDelayExecution", 14, -1, (PULONG_PTR) SystemCallHandler62, NULL, FALSE },
1032 { "ZwDeleteAtom", 10, -1, (PULONG_PTR) SystemCallHandler63, NULL, FALSE },
1033 { "ZwDeleteBootEntry", 15, -1, (PULONG_PTR) SystemCallHandler64, NULL, FALSE },
1034 { "ZwDeleteDriverEntry", 17, -1, (PULONG_PTR) SystemCallHandler65, NULL, FALSE },
1035
1036
1037#if HOOK_FILE
1038 { "ZwDeleteFile", 10, -1, (PULONG_PTR) HookedNtDeleteFile, NULL, TRUE },
1039#else
1040 { "ZwDeleteFile", 10, -1, (PULONG_PTR) SystemCallHandler66, NULL, FALSE },
1041#endif
1042
1043
1044#if HOOK_REGISTRY
1045 { "ZwDeleteKey", 9, -1, (PULONG_PTR) HookedNtDeleteKey, NULL, TRUE },
1046#else
1047 { "ZwDeleteKey", 9, -1, (PULONG_PTR) SystemCallHandler67, NULL, FALSE },
1048#endif
1049
1050 { "ZwDeleteObjectAuditAlarm", 22, -1, (PULONG_PTR) SystemCallHandler68, NULL, FALSE },
1051 { "ZwDeleteValueKey", 14, -1, (PULONG_PTR) SystemCallHandler69, NULL, FALSE },
1052//XXX
1053
1054 { "ZwDeviceIoControlFile", 19, -1, NULL, NULL, FALSE },
1055 { "ZwDisplayString", 13, -1, (PULONG_PTR) SystemCallHandler71, NULL, FALSE },
1056 { "ZwDuplicateObject", 15, -1, (PULONG_PTR) SystemCallHandler72, NULL, FALSE },
1057 { "ZwDuplicateToken", 14, -1, (PULONG_PTR) SystemCallHandler73, NULL, FALSE },
1058 { "ZwEnumerateBootEntries", 20, -1, (PULONG_PTR) SystemCallHandler74, NULL, FALSE },
1059 { "ZwEnumerateDriverEntries", 22, -1, (PULONG_PTR) SystemCallHandler75, NULL, FALSE },
1060 { "ZwEnumerateKey", 12, -1, (PULONG_PTR) SystemCallHandler76, NULL, FALSE },
1061 { "ZwEnumerateSystemEnvironmentValuesEx", 34, -1, (PULONG_PTR) SystemCallHandler77, NULL, FALSE },
1062 { "ZwEnumerateValueKey", 17, -1, (PULONG_PTR) SystemCallHandler78, NULL, FALSE },
1063//XXX
1064
1065
1066 { "ZwExtendSection", 13, -1, (PULONG_PTR) SystemCallHandler79, NULL, FALSE },
1067 { "ZwFilterToken", 11, -1, (PULONG_PTR) SystemCallHandler80, NULL, FALSE },
1068
1069
1070#if HOOK_ATOM
1071 { "ZwFindAtom", 8, -1, (PULONG_PTR) HookedNtFindAtom, NULL, TRUE },
1072#else
1073 { "ZwFindAtom", 8, -1, (PULONG_PTR) SystemCallHandler81, NULL, FALSE },
1074#endif
1075
1076
1077 { "ZwFlushBuffersFile", 16, -1, (PULONG_PTR) SystemCallHandler82, NULL, FALSE },
1078 { "ZwFlushInstructionCache", 21, -1, (PULONG_PTR) SystemCallHandler83, NULL, FALSE },
1079 { "ZwFlushKey", 8, -1, (PULONG_PTR) SystemCallHandler84, NULL, FALSE },
1080 { "ZwFlushVirtualMemory", 18, -1, (PULONG_PTR) SystemCallHandler85, NULL, FALSE },
1081 { "ZwFlushWriteBuffer", 16, -1, (PULONG_PTR) SystemCallHandler86, NULL, FALSE },
1082 { "ZwFreeUserPhysicalPages", 21, -1, (PULONG_PTR) SystemCallHandler87, NULL, FALSE },
1083 { "ZwFreeVirtualMemory", 17, -1, (PULONG_PTR) SystemCallHandler88, NULL, FALSE },
1084 { "ZwFsControlFile", 13, -1, (PULONG_PTR) SystemCallHandler89, NULL, FALSE },
1085 { "ZwGetContextThread", 16, -1, (PULONG_PTR) SystemCallHandler90, NULL, FALSE },
1086 { "ZwGetCurrentProcessorNumber", 25, -1, (PULONG_PTR) SystemCallHandler91, NULL, FALSE },
1087 { "ZwGetDevicePowerState", 19, -1, (PULONG_PTR) SystemCallHandler92, NULL, FALSE },
1088 { "ZwGetPlugPlayEvent", 16, -1, (PULONG_PTR) SystemCallHandler93, NULL, FALSE },
1089 { "ZwGetWriteWatch", 13, -1, (PULONG_PTR) SystemCallHandler94, NULL, FALSE },
1090
1091//XXX
1092 { "ZwImpersonateAnonymousToken", 25, -1, (PULONG_PTR) SystemCallHandler95, NULL, FALSE },
1093 { "ZwImpersonateClientOfPort", 23, -1, (PULONG_PTR) SystemCallHandler96, NULL, FALSE },
1094 { "ZwImpersonateThread", 17, -1, (PULONG_PTR) SystemCallHandler97, NULL, FALSE },
1095
1096 { "ZwInitializeRegistry", 18, -1, (PULONG_PTR) SystemCallHandler98, NULL, FALSE },
1097 { "ZwInitiatePowerAction", 19, -1, (PULONG_PTR) SystemCallHandler99, NULL, FALSE },
1098 { "ZwIsProcessInJob", 14, -1, (PULONG_PTR) SystemCallHandler100, NULL, FALSE },
1099 { "ZwIsSystemResumeAutomatic", 23, -1, (PULONG_PTR) SystemCallHandler101, NULL, FALSE },
1100 { "ZwListenPort", 10, -1, (PULONG_PTR) SystemCallHandler102, NULL, FALSE },
1101
1102
1103#if HOOK_DRIVEROBJ
1104 { "ZwLoadDriver", 10, -1, (PULONG_PTR) HookedNtLoadDriver, NULL, TRUE },
1105#else
1106 { "ZwLoadDriver", 10, -1, (PULONG_PTR) SystemCallHandler103, NULL, FALSE },
1107#endif
1108
1109
1110 { "ZwLoadKey", 7, -1, (PULONG_PTR) SystemCallHandler104, NULL, FALSE },
1111 { "ZwLoadKey2", 8, -1, (PULONG_PTR) SystemCallHandler105, NULL, FALSE },
1112 { "ZwLoadKeyEx", 9, -1, (PULONG_PTR) SystemCallHandler106, NULL, FALSE },
1113 { "ZwLockFile", 8, -1, (PULONG_PTR) SystemCallHandler107, NULL, FALSE },
1114 { "ZwLockProductActivationKeys", 25, -1, (PULONG_PTR) SystemCallHandler108, NULL, FALSE },
1115 { "ZwLockRegistryKey", 15, -1, (PULONG_PTR) SystemCallHandler109, NULL, FALSE },
1116 { "ZwLockVirtualMemory", 17, -1, (PULONG_PTR) SystemCallHandler110, NULL, FALSE },
1117 { "ZwMakePermanentObject", 19, -1, (PULONG_PTR) SystemCallHandler111, NULL, FALSE },
1118 { "ZwMakeTemporaryObject", 19, -1, (PULONG_PTR) SystemCallHandler112, NULL, FALSE },
1119 { "ZwMapUserPhysicalPages", 20, -1, (PULONG_PTR) SystemCallHandler113, NULL, FALSE },
1120 { "ZwMapUserPhysicalPagesScatter", 27, -1, (PULONG_PTR) SystemCallHandler114, NULL, FALSE },
1121
1122
1123#if HOOK_SECTION_ZZZ
1124 { "ZwMapViewOfSection", 16, -1, (PULONG_PTR) HookedNtMapViewOfSection, NULL, TRUE },
1125#else
1126 { "ZwMapViewOfSection", 16, -1, (PULONG_PTR) SystemCallHandler115, NULL, FALSE },
1127#endif
1128
1129
1130 { "ZwModifyBootEntry", 15, -1, (PULONG_PTR) SystemCallHandler116, NULL, FALSE },
1131 { "ZwModifyDriverEntry", 17, -1, (PULONG_PTR) SystemCallHandler117, NULL, FALSE },
1132 { "ZwNotifyChangeDirectoryFile", 25, -1, (PULONG_PTR) SystemCallHandler118, NULL, FALSE },
1133 { "ZwNotifyChangeKey", 15, -1, (PULONG_PTR) SystemCallHandler119, NULL, FALSE },
1134 { "ZwNotifyChangeMultipleKeys", 24, -1, (PULONG_PTR) SystemCallHandler120, NULL, FALSE },
1135
1136
1137#if HOOK_DIROBJ
1138 { "ZwOpenDirectoryObject", 19, -1, (PULONG_PTR) HookedNtOpenDirectoryObject, NULL, TRUE },
1139#else
1140 { "ZwOpenDirectoryObject", 19, -1, (PULONG_PTR) SystemCallHandler121, NULL, FALSE },
1141#endif
1142
1143
1144#if HOOK_EVENT
1145 { "ZwOpenEvent", 9, -1, (PULONG_PTR) HookedNtOpenEvent, NULL, TRUE },
1146 { "ZwOpenEventPair", 13, -1, (PULONG_PTR) HookedNtOpenEventPair, NULL, TRUE },
1147#else
1148 { "ZwOpenEvent", 9, -1, (PULONG_PTR) SystemCallHandler122, NULL, FALSE },
1149 { "ZwOpenEventPair", 13, -1, (PULONG_PTR) SystemCallHandler123, NULL, FALSE },
1150#endif
1151
1152
1153#if HOOK_FILE
1154 { "ZwOpenFile", 8, -1, (PULONG_PTR) HookedNtOpenFile, NULL, TRUE },
1155#else
1156 { "ZwOpenFile", 8, -1, (PULONG_PTR) SystemCallHandler124, NULL, FALSE },
1157#endif
1158
1159 { "ZwOpenIoCompletion", 16, -1, (PULONG_PTR) SystemCallHandler125, NULL, FALSE },
1160
1161
1162#if HOOK_JOB
1163 { "ZwOpenJobObject", 13, -1, (PULONG_PTR) HookedNtOpenJobObject, NULL, TRUE },
1164#else
1165 { "ZwOpenJobObject", 13, -1, (PULONG_PTR) SystemCallHandler126, NULL, FALSE },
1166#endif
1167
1168
1169#if HOOK_REGISTRY
1170 { "ZwOpenKey", 7, -1, (PULONG_PTR) HookedNtOpenKey, NULL, TRUE },
1171#else
1172 { "ZwOpenKey", 7, -1, (PULONG_PTR) SystemCallHandler127, NULL, FALSE },
1173#endif
1174
1175
1176 { "ZwOpenKeyedEvent", 14, -1, (PULONG_PTR) SystemCallHandler128, NULL, FALSE },
1177
1178
1179#if HOOK_MUTANT
1180 { "ZwOpenMutant", 10, -1, (PULONG_PTR) HookedNtOpenMutant, NULL, TRUE },
1181#else
1182 { "ZwOpenMutant", 10, -1, (PULONG_PTR) SystemCallHandler129, NULL, FALSE },
1183#endif
1184
1185
1186 { "ZwOpenObjectAuditAlarm", 20, -1, (PULONG_PTR) SystemCallHandler130, NULL, FALSE },
1187
1188
1189#if HOOK_PROCESS
1190 { "ZwOpenProcess", 11, -1, (PULONG_PTR) HookedNtOpenProcess, NULL, TRUE },
1191#else
1192 { "ZwOpenProcess", 11, -1, (PULONG_PTR) SystemCallHandler131, NULL, FALSE },
1193#endif
1194
1195
1196#if HOOK_TOKEN_ZZZ
1197 { "ZwOpenProcessToken", 16, -1, (PULONG_PTR) HookedNtOpenProcessToken, NULL, TRUE },
1198 { "ZwOpenProcessTokenEx", 18, -1, (PULONG_PTR) HookedNtOpenProcessTokenEx, NULL, TRUE },
1199#else
1200 { "ZwOpenProcessToken", 16, -1, (PULONG_PTR) SystemCallHandler132, NULL, FALSE },
1201 { "ZwOpenProcessTokenEx", 18, -1, (PULONG_PTR) SystemCallHandler133, NULL, FALSE },
1202#endif
1203
1204
1205#if HOOK_SECTION
1206 { "ZwOpenSection", 11, -1, (PULONG_PTR) HookedNtOpenSection, NULL, TRUE },
1207#else
1208 { "ZwOpenSection", 11, -1, (PULONG_PTR) SystemCallHandler134, NULL, FALSE },
1209#endif
1210
1211
1212#if HOOK_SEMAPHORE
1213 { "ZwOpenSemaphore", 13, -1, (PULONG_PTR) HookedNtOpenSemaphore, NULL, TRUE },
1214#else
1215 { "ZwOpenSemaphore", 13, -1, (PULONG_PTR) SystemCallHandler135, NULL, FALSE },
1216#endif
1217
1218
1219#if HOOK_SYMLINK_ZZZ
1220 { "ZwOpenSymbolicLinkObject", 22, -1, (PULONG_PTR) HookedNtOpenSymbolicLinkObject, NULL, TRUE },
1221#else
1222 { "ZwOpenSymbolicLinkObject", 22, -1, (PULONG_PTR) SystemCallHandler136, NULL, FALSE },
1223#endif
1224
1225
1226#if HOOK_PROCESS
1227 { "ZwOpenThread", 10, -1, (PULONG_PTR) HookedNtOpenThread, NULL, TRUE },
1228#else
1229 { "ZwOpenThread", 10, -1, (PULONG_PTR) SystemCallHandler137, NULL, FALSE },
1230#endif
1231
1232
1233#if HOOK_TOKEN_ZZZ
1234 { "ZwOpenThreadToken", 15, -1, (PULONG_PTR) HookedNtOpenThreadToken, NULL, TRUE },
1235 { "ZwOpenThreadTokenEx", 17, -1, (PULONG_PTR) HookedNtOpenThreadTokenEx, NULL, TRUE },
1236#else
1237 { "ZwOpenThreadToken", 15, -1, (PULONG_PTR) SystemCallHandler138, NULL, FALSE },
1238 { "ZwOpenThreadTokenEx", 17, -1, (PULONG_PTR) SystemCallHandler139, NULL, FALSE },
1239#endif
1240
1241
1242#if HOOK_TIMER
1243 { "ZwOpenTimer", 9, -1, (PULONG_PTR) HookedNtOpenTimer, NULL, TRUE },
1244#else
1245 { "ZwOpenTimer", 9, -1, (PULONG_PTR) SystemCallHandler140, NULL, FALSE },
1246#endif
1247
1248
1249 { "ZwPlugPlayControl", 15, -1, (PULONG_PTR) SystemCallHandler141, NULL, FALSE },
1250 { "ZwPowerInformation", 16, -1, (PULONG_PTR) SystemCallHandler142, NULL, FALSE },
1251 { "ZwPrivilegeCheck", 14, -1, (PULONG_PTR) SystemCallHandler143, NULL, FALSE },
1252 { "ZwPrivilegeObjectAuditAlarm", 25, -1, (PULONG_PTR) SystemCallHandler144, NULL, FALSE },
1253 { "ZwPrivilegedServiceAuditAlarm", 27, -1, (PULONG_PTR) SystemCallHandler145, NULL, FALSE },
1254 { "ZwProtectVirtualMemory", 20, -1, (PULONG_PTR) SystemCallHandler146, NULL, FALSE },
1255 { "ZwPulseEvent", 10, -1, (PULONG_PTR) SystemCallHandler147, NULL, FALSE },
1256
1257
1258#if HOOK_FILE
1259 { "ZwQueryAttributesFile", 19, -1, (PULONG_PTR) HookedNtQueryAttributesFile, NULL, TRUE },
1260#else
1261 { "ZwQueryAttributesFile", 19, -1, (PULONG_PTR) SystemCallHandler148, NULL, FALSE },
1262#endif
1263
1264
1265 { "ZwQueryBootEntryOrder", 19, -1, (PULONG_PTR) SystemCallHandler149, NULL, FALSE },
1266 { "ZwQueryBootOptions", 16, -1, (PULONG_PTR) SystemCallHandler150, NULL, FALSE },
1267 { "ZwQueryDebugFilterState", 21, -1, (PULONG_PTR) SystemCallHandler151, NULL, FALSE },
1268 { "ZwQueryDefaultLocale", 18, -1, (PULONG_PTR) SystemCallHandler152, NULL, FALSE },
1269 { "ZwQueryDefaultUILanguage", 22, -1, (PULONG_PTR) SystemCallHandler153, NULL, FALSE },
1270
1271
1272#if FILE_HOOK_ZZZ
1273 { "ZwQueryDirectoryFile", 18, -1, (PULONG_PTR) HookedNtQueryDirectoryFile, NULL, TRUE },
1274#else
1275 { "ZwQueryDirectoryFile", 18, -1, (PULONG_PTR) SystemCallHandler154, NULL, FALSE },
1276#endif
1277
1278
1279 { "ZwQueryDirectoryObject", 20, -1, (PULONG_PTR) SystemCallHandler155, NULL, FALSE },
1280 { "ZwQueryDriverEntryOrder", 21, -1, (PULONG_PTR) SystemCallHandler156, NULL, FALSE },
1281 { "ZwQueryEaFile", 11, -1, (PULONG_PTR) SystemCallHandler157, NULL, FALSE },
1282 { "ZwQueryEvent", 10, -1, (PULONG_PTR) SystemCallHandler158, NULL, FALSE },
1283
1284
1285#if HOOK_FILE
1286 { "ZwQueryFullAttributesFile", 23, -1, (PULONG_PTR) HookedNtQueryFullAttributesFile, NULL, TRUE },
1287#else
1288 { "ZwQueryFullAttributesFile", 23, -1, (PULONG_PTR) SystemCallHandler159, NULL, FALSE },
1289#endif
1290
1291
1292 { "ZwQueryInformationAtom", 20, -1, (PULONG_PTR) SystemCallHandler160, NULL, FALSE },
1293 { "ZwQueryInformationFile", 20, -1, (PULONG_PTR) SystemCallHandler161, NULL, FALSE },
1294 { "ZwQueryInformationJobObject", 25, -1, (PULONG_PTR) SystemCallHandler162, NULL, FALSE },
1295 { "ZwQueryInformationPort", 20, -1, (PULONG_PTR) SystemCallHandler163, NULL, FALSE },
1296 { "ZwQueryInformationProcess", 23, -1, (PULONG_PTR) SystemCallHandler164, NULL, FALSE },
1297 { "ZwQueryInformationThread", 22, -1, (PULONG_PTR) SystemCallHandler165, NULL, FALSE },
1298 { "ZwQueryInformationToken", 21, -1, (PULONG_PTR) SystemCallHandler166, NULL, FALSE },
1299 { "ZwQueryInstallUILanguage", 22, -1, (PULONG_PTR) SystemCallHandler167, NULL, FALSE },
1300 { "ZwQueryIntervalProfile", 20, -1, (PULONG_PTR) SystemCallHandler168, NULL, FALSE },
1301 { "ZwQueryIoCompletion", 17, -1, (PULONG_PTR) SystemCallHandler169, NULL, FALSE },
1302 { "ZwQueryKey", 8, -1, (PULONG_PTR) SystemCallHandler170, NULL, FALSE },
1303 { "ZwQueryMultipleValueKey", 21, -1, (PULONG_PTR) SystemCallHandler171, NULL, FALSE },
1304 { "ZwQueryMutant", 11, -1, (PULONG_PTR) SystemCallHandler172, NULL, FALSE },
1305 { "ZwQueryObject", 11, -1, (PULONG_PTR) SystemCallHandler173, NULL, FALSE },
1306 { "ZwQueryOpenSubKeys", 16, -1, (PULONG_PTR) SystemCallHandler174, NULL, FALSE },
1307 { "ZwQueryOpenSubKeysEx", 18, -1, (PULONG_PTR) SystemCallHandler175, NULL, FALSE },
1308 { "ZwQueryPerformanceCounter", 23, -1, (PULONG_PTR) SystemCallHandler176, NULL, FALSE },
1309 { "ZwQueryPortInformationProcess", 27, -1, (PULONG_PTR) SystemCallHandler177, NULL, FALSE },
1310 { "ZwQueryQuotaInformationFile", 25, -1, (PULONG_PTR) SystemCallHandler178, NULL, FALSE },
1311 { "ZwQuerySection", 12, -1, (PULONG_PTR) SystemCallHandler179, NULL, FALSE },
1312 { "ZwQuerySecurityObject", 19, -1, (PULONG_PTR) SystemCallHandler180, NULL, FALSE },
1313 { "ZwQuerySemaphore", 14, -1, (PULONG_PTR) SystemCallHandler181, NULL, FALSE },
1314 { "ZwQuerySymbolicLinkObject", 23, -1, (PULONG_PTR) SystemCallHandler182, NULL, FALSE },
1315 { "ZwQuerySystemEnvironmentValue", 27, -1, (PULONG_PTR) SystemCallHandler183, NULL, FALSE },
1316 { "ZwQuerySystemEnvironmentValueEx", 29, -1, (PULONG_PTR) SystemCallHandler184, NULL, FALSE },
1317 { "ZwQuerySystemInformation", 22, -1, (PULONG_PTR) SystemCallHandler185, NULL, FALSE },
1318 { "ZwQuerySystemTime", 15, -1, (PULONG_PTR) SystemCallHandler186, NULL, FALSE },
1319 { "ZwQueryTimer", 10, -1, (PULONG_PTR) SystemCallHandler187, NULL, FALSE },
1320 { "ZwQueryTimerResolution", 20, -1, (PULONG_PTR) SystemCallHandler188, NULL, FALSE },
1321
1322
1323#if HOOK_REGISTRY_ZZZ
1324 { "ZwQueryValueKey", 13, -1, (PULONG_PTR) HookedNtQueryValueKey, NULL, TRUE },
1325#else
1326 { "ZwQueryValueKey", 13, -1, (PULONG_PTR) SystemCallHandler189, NULL, FALSE },
1327#endif
1328
1329
1330 { "ZwQueryVirtualMemory", 18, -1, (PULONG_PTR) SystemCallHandler190, NULL, FALSE },
1331 { "ZwQueryVolumeInformationFile", 26, -1, (PULONG_PTR) SystemCallHandler191, NULL, FALSE },
1332 { "ZwQueueApcThread", 14, -1, (PULONG_PTR) SystemCallHandler192, NULL, FALSE },
1333
1334
1335//XXX should we not mediate these calls? they are only raised during an error and we might
1336// not encounter them during "learning" phase? can these be abused otherwise?
1337 { "ZwRaiseException", 14, -1, (PULONG_PTR) SystemCallHandler193, NULL, FALSE },
1338 { "ZwRaiseHardError", 14, -1, (PULONG_PTR) SystemCallHandler194, NULL, FALSE },
1339
1340 /* don't mediate for performance reasons, requires a valid handle anyway */
1341 { "ZwReadFile", 8, -1, NULL, NULL, FALSE },
1342 { "ZwReadFileScatter", 15, -1, NULL, NULL, FALSE },
1343 { "ZwReadRequestData", 15, -1, NULL, NULL, FALSE },
1344 { "ZwReadVirtualMemory", 17, -1, NULL, NULL, FALSE },
1345
1346 { "ZwRegisterThreadTerminatePort", 27, -1, (PULONG_PTR) SystemCallHandler199, NULL, FALSE },
1347 { "ZwReleaseKeyedEvent", 17, -1, (PULONG_PTR) SystemCallHandler200, NULL, FALSE },
1348 { "ZwReleaseMutant", 13, -1, (PULONG_PTR) SystemCallHandler201, NULL, FALSE },
1349 { "ZwReleaseSemaphore", 16, -1, (PULONG_PTR) SystemCallHandler202, NULL, FALSE },
1350 { "ZwRemoveIoCompletion", 18, -1, (PULONG_PTR) SystemCallHandler203, NULL, FALSE },
1351 { "ZwRemoveProcessDebug", 18, -1, (PULONG_PTR) SystemCallHandler204, NULL, FALSE },
1352
1353//XXX
1354 { "ZwRenameKey", 9, -1, (PULONG_PTR) SystemCallHandler205, NULL, FALSE },
1355 { "ZwReplaceKey", 10, -1, (PULONG_PTR) SystemCallHandler206, NULL, FALSE },
1356
1357
1358 { "ZwReplyPort", 9, -1, (PULONG_PTR) SystemCallHandler207, NULL, FALSE },
1359 { "ZwReplyWaitReceivePort", 20, -1, (PULONG_PTR) SystemCallHandler208, NULL, FALSE },
1360 { "ZwReplyWaitReceivePortEx", 22, -1, (PULONG_PTR) SystemCallHandler209, NULL, FALSE },
1361 { "ZwReplyWaitReplyPort", 18, -1, (PULONG_PTR) SystemCallHandler210, NULL, FALSE },
1362 { "ZwRequestDeviceWakeup", 19, -1, (PULONG_PTR) SystemCallHandler211, NULL, FALSE },
1363 { "ZwRequestPort", 11, -1, (PULONG_PTR) SystemCallHandler212, NULL, FALSE },
1364 { "ZwRequestWaitReplyPort", 20, -1, (PULONG_PTR) SystemCallHandler213, NULL, FALSE },
1365 { "ZwRequestWakeupLatency", 20, -1, (PULONG_PTR) SystemCallHandler214, NULL, FALSE },
1366 { "ZwResetEvent", 10, -1, (PULONG_PTR) SystemCallHandler215, NULL, FALSE },
1367 { "ZwResetWriteWatch", 15, -1, (PULONG_PTR) SystemCallHandler216, NULL, FALSE },
1368 { "ZwRestoreKey", 10, -1, (PULONG_PTR) SystemCallHandler217, NULL, FALSE },
1369 { "ZwResumeProcess", 13, -1, (PULONG_PTR) SystemCallHandler218, NULL, FALSE },
1370 { "ZwResumeThread", 12, -1, (PULONG_PTR) SystemCallHandler219, NULL, FALSE },
1371 { "ZwSaveKey", 7, -1, (PULONG_PTR) SystemCallHandler220, NULL, FALSE },
1372 { "ZwSaveKeyEx", 9, -1, (PULONG_PTR) SystemCallHandler221, NULL, FALSE },
1373 { "ZwSaveMergedKeys", 14, -1, (PULONG_PTR) SystemCallHandler222, NULL, FALSE },
1374
1375
1376#if HOOK_PORT
1377 { "ZwSecureConnectPort", 17, -1, (PULONG_PTR) HookedNtSecureConnectPort, NULL, TRUE },
1378#else
1379 { "ZwSecureConnectPort", 17, -1, (PULONG_PTR) SystemCallHandler223, NULL, FALSE },
1380#endif
1381
1382
1383 { "ZwSetBootEntryOrder", 17, -1, (PULONG_PTR) SystemCallHandler224, NULL, FALSE },
1384 { "ZwSetBootOptions", 14, -1, (PULONG_PTR) SystemCallHandler225, NULL, FALSE },
1385
1386//XXX
1387 { "ZwSetContextThread", 16, -1, (PULONG_PTR) SystemCallHandler226, NULL, FALSE },
1388
1389 { "ZwSetDebugFilterState", 19, -1, (PULONG_PTR) SystemCallHandler227, NULL, FALSE },
1390 { "ZwSetDefaultHardErrorPort", 23, -1, (PULONG_PTR) SystemCallHandler228, NULL, FALSE },
1391 { "ZwSetDefaultLocale", 16, -1, (PULONG_PTR) SystemCallHandler229, NULL, FALSE },
1392 { "ZwSetDefaultUILanguage", 20, -1, (PULONG_PTR) SystemCallHandler230, NULL, FALSE },
1393 { "ZwSetDriverEntryOrder", 19, -1, (PULONG_PTR) SystemCallHandler231, NULL, FALSE },
1394 { "ZwSetEaFile", 9, -1, (PULONG_PTR) SystemCallHandler232, NULL, FALSE },
1395 { "ZwSetEvent", 8, -1, (PULONG_PTR) SystemCallHandler233, NULL, FALSE },
1396 { "ZwSetEventBoostPriority", 21, -1, (PULONG_PTR) SystemCallHandler234, NULL, FALSE },
1397 { "ZwSetHighEventPair", 16, -1, (PULONG_PTR) SystemCallHandler235, NULL, FALSE },
1398 { "ZwSetHighWaitLowEventPair", 23, -1, (PULONG_PTR) SystemCallHandler236, NULL, FALSE },
1399 { "ZwSetInformationDebugObject", 25, -1, (PULONG_PTR) SystemCallHandler237, NULL, FALSE },
1400
1401#if HOOK_FILE
1402 { "ZwSetInformationFile", 18, -1, (PULONG_PTR) HookedNtSetInformationFile, NULL, TRUE },
1403#else
1404 { "ZwSetInformationFile", 18, -1, (PULONG_PTR) SystemCallHandler238, NULL, FALSE },
1405#endif
1406
1407 { "ZwSetInformationJobObject", 23, -1, (PULONG_PTR) SystemCallHandler239, NULL, FALSE },
1408 { "ZwSetInformationKey", 17, -1, (PULONG_PTR) SystemCallHandler240, NULL, FALSE },
1409 { "ZwSetInformationObject", 20, -1, (PULONG_PTR) SystemCallHandler241, NULL, FALSE },
1410 { "ZwSetInformationProcess", 21, -1, (PULONG_PTR) SystemCallHandler242, NULL, FALSE },
1411 { "ZwSetInformationThread", 20, -1, (PULONG_PTR) SystemCallHandler243, NULL, FALSE },
1412
1413
1414#if HOOK_TOKEN
1415 { "ZwSetInformationToken", 19, -1, (PULONG_PTR) HookedNtSetInformationToken, NULL, TRUE },
1416#else
1417 { "ZwSetInformationToken", 19, -1, (PULONG_PTR) SystemCallHandler244, NULL, FALSE },
1418#endif
1419
1420
1421 { "ZwSetIntervalProfile", 18, -1, (PULONG_PTR) SystemCallHandler245, NULL, FALSE },
1422 { "ZwSetIoCompletion", 15, -1, (PULONG_PTR) SystemCallHandler246, NULL, FALSE },
1423
1424
1425#if HOOK_VDM
1426 { "ZwSetLdtEntries", 13, -1, (PULONG_PTR) HookedNtSetLdtEntries, NULL, TRUE },
1427#else
1428 { "ZwSetLdtEntries", 13, -1, (PULONG_PTR) SystemCallHandler247, NULL, FALSE },
1429#endif
1430
1431
1432 { "ZwSetLowEventPair", 15, -1, (PULONG_PTR) SystemCallHandler248, NULL, FALSE },
1433 { "ZwSetLowWaitHighEventPair", 23, -1, (PULONG_PTR) SystemCallHandler249, NULL, FALSE },
1434 { "ZwSetQuotaInformationFile", 23, -1, (PULONG_PTR) SystemCallHandler250, NULL, FALSE },
1435 { "ZwSetSecurityObject", 17, -1, (PULONG_PTR) SystemCallHandler251, NULL, FALSE },
1436 { "ZwSetSystemEnvironmentValue", 25, -1, (PULONG_PTR) SystemCallHandler252, NULL, FALSE }, // XXX intel hal supports only 1 variable LastKnownGood
1437 { "ZwSetSystemEnvironmentValueEx", 27, -1, (PULONG_PTR) SystemCallHandler253, NULL, FALSE },
1438
1439
1440#if HOOK_SYSINFO
1441 { "ZwSetSystemInformation", 20, -1, (PULONG_PTR) HookedNtSetSystemInformation, NULL, TRUE },
1442#else
1443 { "ZwSetSystemInformation", 20, -1, (PULONG_PTR) SystemCallHandler254, NULL, FALSE },
1444#endif
1445
1446
1447 { "ZwSetSystemPowerState", 19, -1, (PULONG_PTR) SystemCallHandler255, NULL, FALSE },
1448
1449
1450#if HOOK_TIME
1451 { "ZwSetSystemTime", 13, -1, (PULONG_PTR) HookedNtSetSystemTime, NULL, TRUE },
1452#else
1453 { "ZwSetSystemTime", 13, -1, (PULONG_PTR) SystemCallHandler256, NULL, FALSE },
1454#endif
1455
1456
1457 { "ZwSetThreadExecutionState", 23, -1, (PULONG_PTR) SystemCallHandler257, NULL, FALSE },
1458 { "ZwSetTimer", 8, -1, (PULONG_PTR) SystemCallHandler258, NULL, FALSE },
1459
1460
1461#if 0 //HOOK_TIME
1462 { "ZwSetTimerResolution", 18, -1, (PULONG_PTR) HookedNtSetTimerResolution, NULL, TRUE },
1463#else
1464 { "ZwSetTimerResolution", 18, -1, (PULONG_PTR) SystemCallHandler259, NULL, FALSE },
1465#endif
1466
1467
1468 { "ZwSetUuidSeed", 11, -1, (PULONG_PTR) SystemCallHandler260, NULL, FALSE },
1469
1470
1471#if HOOK_REGISTRY_ZZZ
1472 { "ZwSetValueKey", 11, -1, (PULONG_PTR) HookedNtSetValueKey, NULL, TRUE },
1473#else
1474 { "ZwSetValueKey", 11, -1, (PULONG_PTR) SystemCallHandler261, NULL, FALSE },
1475#endif
1476
1477
1478 { "ZwSetVolumeInformationFile", 24, -1, (PULONG_PTR) SystemCallHandler262, NULL, FALSE },
1479
1480//XXX
1481 { "ZwShutdownSystem", 14, -1, (PULONG_PTR) SystemCallHandler263, NULL, FALSE },
1482
1483 { "ZwSignalAndWaitForSingleObject", 28, -1, (PULONG_PTR) SystemCallHandler264, NULL, FALSE },
1484 { "ZwStartProfile", 12, -1, (PULONG_PTR) SystemCallHandler265, NULL, FALSE },
1485 { "ZwStopProfile", 11, -1, (PULONG_PTR) SystemCallHandler266, NULL, FALSE },
1486 { "ZwSuspendProcess", 14, -1, (PULONG_PTR) SystemCallHandler267, NULL, FALSE },
1487 { "ZwSuspendThread", 13, -1, (PULONG_PTR) SystemCallHandler268, NULL, FALSE },
1488 { "ZwSystemDebugControl", 18, -1, (PULONG_PTR) SystemCallHandler269, NULL, FALSE },
1489
1490//XXX
1491 { "ZwTerminateJobObject", 18, -1, (PULONG_PTR) SystemCallHandler270, NULL, FALSE },
1492 { "ZwTerminateProcess", 16, -1, (PULONG_PTR) SystemCallHandler271, NULL, FALSE },
1493 { "ZwTerminateThread", 15, -1, (PULONG_PTR) SystemCallHandler272, NULL, FALSE },
1494
1495 { "ZwTestAlert", 9, -1, (PULONG_PTR) SystemCallHandler273, NULL, FALSE },
1496 { "ZwTraceEvent", 10, -1, (PULONG_PTR) SystemCallHandler274, NULL, FALSE },
1497 { "ZwTranslateFilePath", 17, -1, (PULONG_PTR) SystemCallHandler275, NULL, FALSE },
1498
1499
1500#if HOOK_DRIVEROBJ_ZZZ
1501 { "ZwUnloadDriver", 12, -1, (PULONG_PTR) HookedNtUnloadDriver, NULL, TRUE },
1502#else
1503 { "ZwUnloadDriver", 12, -1, (PULONG_PTR) SystemCallHandler276, NULL, FALSE },
1504#endif
1505
1506
1507 { "ZwUnloadKey", 9, -1, (PULONG_PTR) SystemCallHandler277, NULL, FALSE },
1508 { "ZwUnloadKey2", 10, -1, (PULONG_PTR) SystemCallHandler278, NULL, FALSE },
1509 { "ZwUnloadKeyEx", 11, -1, (PULONG_PTR) SystemCallHandler279, NULL, FALSE },
1510 { "ZwUnlockFile", 10, -1, (PULONG_PTR) SystemCallHandler280, NULL, FALSE },
1511 { "ZwUnlockVirtualMemory", 19, -1, (PULONG_PTR) SystemCallHandler281, NULL, FALSE },
1512 { "ZwUnmapViewOfSection", 18, -1, (PULONG_PTR) SystemCallHandler282, NULL, FALSE },
1513
1514
1515#if HOOK_VDM
1516 { "ZwVdmControl", 10, -1, (PULONG_PTR) HookedNtVdmControl, NULL, TRUE },
1517#else
1518 { "ZwVdmControl", 10, -1, (PULONG_PTR) SystemCallHandler283, NULL, FALSE },
1519#endif
1520
1521
1522 { "ZwWaitForDebugEvent", 17, -1, (PULONG_PTR) SystemCallHandler284, NULL, FALSE },
1523 { "ZwWaitForKeyedEvent", 17, -1, (PULONG_PTR) SystemCallHandler285, NULL, FALSE },
1524 { "ZwWaitForMultipleObjects", 22, -1, (PULONG_PTR) SystemCallHandler286, NULL, FALSE },
1525 { "ZwWaitForSingleObject", 19, -1, (PULONG_PTR) SystemCallHandler287, NULL, FALSE },
1526 { "ZwWaitHighEventPair", 17, -1, (PULONG_PTR) SystemCallHandler288, NULL, FALSE },
1527 { "ZwWaitLowEventPair", 16, -1, (PULONG_PTR) SystemCallHandler289, NULL, FALSE },
1528
1529 /* don't mediate for performance reasons, requires a valid handle anyway */
1530 { "ZwWriteFile", 9, -1, NULL, NULL, FALSE },
1531 { "ZwWriteFileGather", 15, -1, NULL, NULL, FALSE },
1532 { "ZwWriteRequestData", 16, -1, NULL, NULL, FALSE },
1533 { "ZwWriteVirtualMemory", 18, -1, NULL, NULL, FALSE },
1534 { "ZwYieldExecution", 14, -1, NULL, NULL, FALSE },
1535};
1536
1537
1538
1539ACTION_TYPE
1540VerifySystemServiceCall(USHORT SystemServiceNumber)
1541{
1542 ACTION_TYPE Action = ACTION_NONE;
1543 PIMAGE_PID_ENTRY p;
1544 PPOLICY_RULE PolicyRule;
1545
1546
1547// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("system call %x %x %s. irql %d", ZwCalls[SystemServiceNumber].OriginalFunction, ZwCalls[SystemServiceNumber].ServiceIDNumber, ZwCalls[SystemServiceNumber].ZwName, KeGetCurrentIrql()));
1548
1549
1550 if (KeGetCurrentIrql() != PASSIVE_LEVEL)
1551 return ACTION_NONE;
1552
1553
1554 if (LearningMode)
1555 {
1556 AddRule(RULE_SYSCALL, ZwCalls[SystemServiceNumber].ZwName, 0);
1557 return ACTION_NONE;
1558 }
1559
1560
1561 /* verify policy and user return address? */
1562
1563 p = FindImagePidEntry(CURRENT_PROCESS_PID, 0);
1564
1565 if (p == NULL)
1566 {
1567 LOG(LOG_SS_PROCESS, LOG_PRIORITY_VERBOSE, ("VerifySystemServiceCall: FindImagePidEntry(%d) failed\n", CURRENT_PROCESS_PID));
1568 return ACTION_NONE;
1569 }
1570//XXX p->SecPolicy spinlock is not acquired
1571 PolicyRule = p->SecPolicy.RuleList[ RULE_SYSCALL ];
1572 if (PolicyRule)
1573 {
1574 /* Calculate the bit array ULONG we need to read (bit array consists of a bunch of ULONGs) */
1575 ULONG UlongCount = SystemServiceNumber >> UlongBitShift;
1576
1577 /* Choose the correct bit array ULONG */
1578 PULONG BitArray = &PolicyRule->ServiceBitArray[0] + UlongCount;
1579
1580 ULONG BitOffset = SystemServiceNumber - (UlongCount << UlongBitShift);
1581
1582 /* read the bit */
1583 Action = *BitArray & ( 1 << BitOffset ) ? ACTION_PERMIT : ACTION_DENY;
1584
1585 if (Action == ACTION_DENY)
1586 {
1587 LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("denying system call %x %x %s\n", ZwCalls[SystemServiceNumber].OriginalFunction, ZwCalls[SystemServiceNumber].ServiceIDNumber, ZwCalls[SystemServiceNumber].ZwName));
1588 Action = ACTION_PERMIT;
1589 }
1590 }
1591
1592 return Action;
1593}
1594
1595
1596//XXX can we get rid of pushfd / popfd ?
1597//XXX move to i386.c?
1598#define SYSCALL_HANDLER(num) \
1599 __declspec(naked) void SystemCallHandler##num() \
1600 { \
1601 _asm pushad \
1602 _asm { pushfd } \
1603 if (0 && VerifySystemServiceCall(num) == ACTION_DENY)\
1604 { \
1605 _asm popfd \
1606 _asm popad \
1607 _asm mov eax, 0xC0000022 /*STATUS_ACCESS_DENIED*/ \
1608 _asm ret \
1609 } \
1610 _asm popfd \
1611 _asm popad \
1612 _asm jmp dword ptr [ ZwCalls + num*20 + 12 ] \
1613/* _asm jmp ZwCalls[num].OriginalFunction */\
1614 }
1615
1616/*
1617//XXX can find out dynamically the amount of stack space to clean up by looking at Zw* ret instruction
1618 if (PolicyCheck(RULE_SYSCALL, NULL, 0) == ACTION_DENY) \
1619 { \
1620 _asm mov eax, 0xC0000022 \
1621 _asm ret \
1622 } \
1623*/
1624
1625
1626SYSCALL_HANDLER(0) SYSCALL_HANDLER(1) SYSCALL_HANDLER(2) SYSCALL_HANDLER(3) SYSCALL_HANDLER(4)
1627SYSCALL_HANDLER(5) SYSCALL_HANDLER(6) SYSCALL_HANDLER(7) SYSCALL_HANDLER(8) SYSCALL_HANDLER(9)
1628SYSCALL_HANDLER(10) SYSCALL_HANDLER(11) SYSCALL_HANDLER(12) SYSCALL_HANDLER(13) SYSCALL_HANDLER(14)
1629SYSCALL_HANDLER(15) SYSCALL_HANDLER(16) SYSCALL_HANDLER(17) SYSCALL_HANDLER(18) SYSCALL_HANDLER(19)
1630SYSCALL_HANDLER(20) SYSCALL_HANDLER(21) SYSCALL_HANDLER(22) SYSCALL_HANDLER(23) SYSCALL_HANDLER(24)
1631SYSCALL_HANDLER(25) SYSCALL_HANDLER(26) SYSCALL_HANDLER(27) SYSCALL_HANDLER(28) SYSCALL_HANDLER(29)
1632SYSCALL_HANDLER(30) SYSCALL_HANDLER(31) SYSCALL_HANDLER(32) SYSCALL_HANDLER(33) SYSCALL_HANDLER(34)
1633SYSCALL_HANDLER(35) SYSCALL_HANDLER(36) SYSCALL_HANDLER(37) SYSCALL_HANDLER(38) SYSCALL_HANDLER(39)
1634SYSCALL_HANDLER(40) SYSCALL_HANDLER(41) SYSCALL_HANDLER(42) SYSCALL_HANDLER(43) SYSCALL_HANDLER(44)
1635SYSCALL_HANDLER(45) SYSCALL_HANDLER(46) SYSCALL_HANDLER(47) SYSCALL_HANDLER(48) SYSCALL_HANDLER(49)
1636SYSCALL_HANDLER(50) SYSCALL_HANDLER(51) SYSCALL_HANDLER(52) SYSCALL_HANDLER(53) SYSCALL_HANDLER(54)
1637SYSCALL_HANDLER(55) SYSCALL_HANDLER(56) SYSCALL_HANDLER(57) SYSCALL_HANDLER(58) SYSCALL_HANDLER(59)
1638SYSCALL_HANDLER(60) SYSCALL_HANDLER(61) SYSCALL_HANDLER(62) SYSCALL_HANDLER(63) SYSCALL_HANDLER(64)
1639SYSCALL_HANDLER(65) SYSCALL_HANDLER(66) SYSCALL_HANDLER(67) SYSCALL_HANDLER(68) SYSCALL_HANDLER(69)
1640SYSCALL_HANDLER(70) SYSCALL_HANDLER(71) SYSCALL_HANDLER(72) SYSCALL_HANDLER(73) SYSCALL_HANDLER(74)
1641SYSCALL_HANDLER(75) SYSCALL_HANDLER(76) SYSCALL_HANDLER(77) SYSCALL_HANDLER(78) SYSCALL_HANDLER(79)
1642SYSCALL_HANDLER(80) SYSCALL_HANDLER(81) SYSCALL_HANDLER(82) SYSCALL_HANDLER(83) SYSCALL_HANDLER(84)
1643SYSCALL_HANDLER(85) SYSCALL_HANDLER(86) SYSCALL_HANDLER(87) SYSCALL_HANDLER(88) SYSCALL_HANDLER(89)
1644SYSCALL_HANDLER(90) SYSCALL_HANDLER(91) SYSCALL_HANDLER(92) SYSCALL_HANDLER(93) SYSCALL_HANDLER(94)
1645SYSCALL_HANDLER(95) SYSCALL_HANDLER(96) SYSCALL_HANDLER(97) SYSCALL_HANDLER(98) SYSCALL_HANDLER(99)
1646SYSCALL_HANDLER(100) SYSCALL_HANDLER(101) SYSCALL_HANDLER(102) SYSCALL_HANDLER(103) SYSCALL_HANDLER(104)
1647SYSCALL_HANDLER(105) SYSCALL_HANDLER(106) SYSCALL_HANDLER(107) SYSCALL_HANDLER(108) SYSCALL_HANDLER(109)
1648SYSCALL_HANDLER(110) SYSCALL_HANDLER(111) SYSCALL_HANDLER(112) SYSCALL_HANDLER(113) SYSCALL_HANDLER(114)
1649SYSCALL_HANDLER(115) SYSCALL_HANDLER(116) SYSCALL_HANDLER(117) SYSCALL_HANDLER(118) SYSCALL_HANDLER(119)
1650SYSCALL_HANDLER(120) SYSCALL_HANDLER(121) SYSCALL_HANDLER(122) SYSCALL_HANDLER(123) SYSCALL_HANDLER(124)
1651SYSCALL_HANDLER(125) SYSCALL_HANDLER(126) SYSCALL_HANDLER(127) SYSCALL_HANDLER(128) SYSCALL_HANDLER(129)
1652SYSCALL_HANDLER(130) SYSCALL_HANDLER(131) SYSCALL_HANDLER(132) SYSCALL_HANDLER(133) SYSCALL_HANDLER(134)
1653SYSCALL_HANDLER(135) SYSCALL_HANDLER(136) SYSCALL_HANDLER(137) SYSCALL_HANDLER(138) SYSCALL_HANDLER(139)
1654SYSCALL_HANDLER(140) SYSCALL_HANDLER(141) SYSCALL_HANDLER(142) SYSCALL_HANDLER(143) SYSCALL_HANDLER(144)
1655SYSCALL_HANDLER(145) SYSCALL_HANDLER(146) SYSCALL_HANDLER(147) SYSCALL_HANDLER(148) SYSCALL_HANDLER(149)
1656SYSCALL_HANDLER(150) SYSCALL_HANDLER(151) SYSCALL_HANDLER(152) SYSCALL_HANDLER(153) SYSCALL_HANDLER(154)
1657SYSCALL_HANDLER(155) SYSCALL_HANDLER(156) SYSCALL_HANDLER(157) SYSCALL_HANDLER(158) SYSCALL_HANDLER(159)
1658SYSCALL_HANDLER(160) SYSCALL_HANDLER(161) SYSCALL_HANDLER(162) SYSCALL_HANDLER(163) SYSCALL_HANDLER(164)
1659SYSCALL_HANDLER(165) SYSCALL_HANDLER(166) SYSCALL_HANDLER(167) SYSCALL_HANDLER(168) SYSCALL_HANDLER(169)
1660SYSCALL_HANDLER(170) SYSCALL_HANDLER(171) SYSCALL_HANDLER(172) SYSCALL_HANDLER(173) SYSCALL_HANDLER(174)
1661SYSCALL_HANDLER(175) SYSCALL_HANDLER(176) SYSCALL_HANDLER(177) SYSCALL_HANDLER(178) SYSCALL_HANDLER(179)
1662SYSCALL_HANDLER(180) SYSCALL_HANDLER(181) SYSCALL_HANDLER(182) SYSCALL_HANDLER(183) SYSCALL_HANDLER(184)
1663SYSCALL_HANDLER(185) SYSCALL_HANDLER(186) SYSCALL_HANDLER(187) SYSCALL_HANDLER(188) SYSCALL_HANDLER(189)
1664SYSCALL_HANDLER(190) SYSCALL_HANDLER(191) SYSCALL_HANDLER(192) SYSCALL_HANDLER(193) SYSCALL_HANDLER(194)
1665SYSCALL_HANDLER(195) SYSCALL_HANDLER(196) SYSCALL_HANDLER(197) SYSCALL_HANDLER(198) SYSCALL_HANDLER(199)
1666SYSCALL_HANDLER(200) SYSCALL_HANDLER(201) SYSCALL_HANDLER(202) SYSCALL_HANDLER(203) SYSCALL_HANDLER(204)
1667SYSCALL_HANDLER(205) SYSCALL_HANDLER(206) SYSCALL_HANDLER(207) SYSCALL_HANDLER(208) SYSCALL_HANDLER(209)
1668SYSCALL_HANDLER(210) SYSCALL_HANDLER(211) SYSCALL_HANDLER(212) SYSCALL_HANDLER(213) SYSCALL_HANDLER(214)
1669SYSCALL_HANDLER(215) SYSCALL_HANDLER(216) SYSCALL_HANDLER(217) SYSCALL_HANDLER(218) SYSCALL_HANDLER(219)
1670SYSCALL_HANDLER(220) SYSCALL_HANDLER(221) SYSCALL_HANDLER(222) SYSCALL_HANDLER(223) SYSCALL_HANDLER(224)
1671SYSCALL_HANDLER(225) SYSCALL_HANDLER(226) SYSCALL_HANDLER(227) SYSCALL_HANDLER(228) SYSCALL_HANDLER(229)
1672SYSCALL_HANDLER(230) SYSCALL_HANDLER(231) SYSCALL_HANDLER(232) SYSCALL_HANDLER(233) SYSCALL_HANDLER(234)
1673SYSCALL_HANDLER(235) SYSCALL_HANDLER(236) SYSCALL_HANDLER(237) SYSCALL_HANDLER(238) SYSCALL_HANDLER(239)
1674SYSCALL_HANDLER(240) SYSCALL_HANDLER(241) SYSCALL_HANDLER(242) SYSCALL_HANDLER(243) SYSCALL_HANDLER(244)
1675SYSCALL_HANDLER(245) SYSCALL_HANDLER(246) SYSCALL_HANDLER(247) SYSCALL_HANDLER(248) SYSCALL_HANDLER(249)
1676SYSCALL_HANDLER(250) SYSCALL_HANDLER(251) SYSCALL_HANDLER(252) SYSCALL_HANDLER(253) SYSCALL_HANDLER(254)
1677SYSCALL_HANDLER(255) SYSCALL_HANDLER(256) SYSCALL_HANDLER(257) SYSCALL_HANDLER(258) SYSCALL_HANDLER(259)
1678SYSCALL_HANDLER(260) SYSCALL_HANDLER(261) SYSCALL_HANDLER(262) SYSCALL_HANDLER(263) SYSCALL_HANDLER(264)
1679SYSCALL_HANDLER(265) SYSCALL_HANDLER(266) SYSCALL_HANDLER(267) SYSCALL_HANDLER(268) SYSCALL_HANDLER(269)
1680SYSCALL_HANDLER(270) SYSCALL_HANDLER(271) SYSCALL_HANDLER(272) SYSCALL_HANDLER(273) SYSCALL_HANDLER(274)
1681SYSCALL_HANDLER(275) SYSCALL_HANDLER(276) SYSCALL_HANDLER(277) SYSCALL_HANDLER(278) SYSCALL_HANDLER(279)
1682SYSCALL_HANDLER(280) SYSCALL_HANDLER(281) SYSCALL_HANDLER(282) SYSCALL_HANDLER(283) SYSCALL_HANDLER(284)
1683SYSCALL_HANDLER(285) SYSCALL_HANDLER(286) SYSCALL_HANDLER(287) SYSCALL_HANDLER(288) SYSCALL_HANDLER(289)
1684SYSCALL_HANDLER(290) SYSCALL_HANDLER(291) SYSCALL_HANDLER(292) SYSCALL_HANDLER(293) SYSCALL_HANDLER(294)
1685
1686
1687
1688/*
1689 * InitSyscallsHooks()
1690 *
1691 * Description:
1692 * Find the correct global syscall table indeces for all system calls
1693 * (initialize "OriginalFunction" pointers). Must be called at PASSIVE_LEVEL IRQL
1694 * in order to access pageable memory.
1695 *
1696 * NOTE: Called once during driver initialization (DriverEntry()).
1697 *
1698 * Parameters:
1699 * None.
1700 *
1701 * Returns:
1702 * TRUE to indicate success, FALSE if failed.
1703 */
1704
1705BOOLEAN
1706InitSyscallsHooks()
1707{
1708 int i;
1709
1710
1711 ZwCallsNumber = sizeof(ZwCalls) / sizeof(ZwCalls[0]);
1712
1713 for (i = 0; i < ZwCallsNumber; i++)
1714 {
1715 //XXX this can be optimized to return index directly?! this way when we restore syscalls back we don't have to do the same process again??!?!
1716 ZwCalls[i].ServiceIDNumber = (USHORT) FindZwFunctionIndex(ZwCalls[i].ZwName);
1717 }
1718
1719
1720 return TRUE;
1721}
1722
1723
1724
1725/*
1726 * InstallSyscallsHooks()
1727 *
1728 * Description:
1729 * Mediate various system services. Called at DISPATCH_LEVEL IRQL.
1730 *
1731 * NOTE: Called once during driver initialization (DriverEntry()).
1732 *
1733 * Parameters:
1734 * None.
1735 *
1736 * Returns:
1737 * TRUE to indicate success, FALSE if failed.
1738 */
1739
1740BOOLEAN
1741InstallSyscallsHooks()
1742{
1743 int i;
1744
1745
1746 ZwCallsNumber = sizeof(ZwCalls) / sizeof(ZwCalls[0]);
1747
1748 for (i = 0; i < ZwCallsNumber; i++)
1749 {
1750 if (ZwCalls[i].HookFunction != NULL &&
1751 (HOOK_SYSCALLS || LearningMode || ZwCalls[i].Hijacked == TRUE))
1752 {
1753 if (ZwCalls[i].ServiceIDNumber != (USHORT) -1)
1754 {
1755 ZwCalls[i].OriginalFunction = HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber,
1756 ZwCalls[i].HookFunction);
1757 ZwCalls[i].Hijacked = TRUE;
1758 }
1759 }
1760 }
1761
1762
1763 return TRUE;
1764}
1765
1766
1767
1768/*
1769 * RemoveSyscallsHooks()
1770 *
1771 * Description:
1772 * Restores all the original system service function pointers.
1773 *
1774 * NOTE: Called once during driver unload (DriverUnload()).
1775 *
1776 * Parameters:
1777 * None.
1778 *
1779 * Returns:
1780 * Nothing.
1781 */
1782
1783void
1784RemoveSyscallsHooks()
1785{
1786 int i;
1787
1788
1789 for (i = 0; i < ZwCallsNumber; i++)
1790 {
1791 // restore hijacked system calls
1792 if (ZwCalls[i].Hijacked == TRUE && ZwCalls[i].OriginalFunction != NULL && ZwCalls[i].ServiceIDNumber != -1)
1793 {
1794// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Restoring syscall %d %x\n", i, i));
1795
1796 HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber, ZwCalls[i].OriginalFunction);
1797 }
1798 }
1799}