From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001 From: tumagonx Date: Tue, 8 Aug 2017 10:54:53 +0700 Subject: initial commit --- hookproc.c | 1799 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1799 insertions(+) create mode 100644 hookproc.c (limited to 'hookproc.c') diff --git a/hookproc.c b/hookproc.c new file mode 100644 index 0000000..cba59d5 --- /dev/null +++ b/hookproc.c @@ -0,0 +1,1799 @@ +/* + * Copyright (c) 2004 Security Architects Corporation. All rights reserved. + * + * Module Name: + * + * hookproc.c + * + * Abstract: + * + * This module implements various service operation (system call) hooking routines. + * + * Since not all the Zw* services are exported, we use a hack to find the required information. + * ntdll.dll contains stubs for calling all the system services. All stubs start with + * "mov eax, function_index" instruction where function_index is an index into a global + * system call table. By parsing ntdll.dll and extracting all the function indeces + * we can map all the Zw* names to their appropriate system call table indeces. + * + * Author: + * + * Eugene Tsyrklevich 16-Feb-2004 + * + * Revision History: + * + * None. + */ + +#include +#include "hookproc.h" +#include "sysinfo.h" +#include "ntproto.h" +#include "learn.h" +#include "file.h" +#include "registry.h" +#include "section.h" +#include "sysinfo.h" +#include "semaphore.h" +#include "dirobj.h" +#include "symlink.h" +#include "mutant.h" +#include "event.h" +#include "port.h" +#include "job.h" +#include "token.h" +#include "timer.h" +#include "driverobj.h" +#include "process.h" +#include "procname.h" +#include "time.h" +#include "atom.h" +#include "vdm.h" +#include "debug.h" +#include "i386.h" +#include "misc.h" +#include "log.h" + + +#ifdef ALLOC_PRAGMA +#pragma alloc_text (INIT, InitSyscallsHooks) +#pragma alloc_text (INIT, InstallSyscallsHooks) +#pragma alloc_text (PAGE, RemoveSyscallsHooks) +#endif + + +#if DBG +int HookedRoutineRunning = 0; +#endif + +PCHAR NTDLL_Base; + +int ZwCallsNumber = 0; + + + +/* + * FindFunctionOffset() + * + * Description: + * Finds a Zw* system call offset in a system service table. + * + * Implementation of all the Zw* system services (such as ZwOpenFile or ZwCreateProcess()) + * start with a "mov eax, function_offset" instruction. Function offset is extracted from + * the first instruction. + * + * Parameters: + * Function - Pointer to the function code. + * + * Returns: + * Integer function offset (-1 in case of a failure). + */ + +/* "MOV EAX,IMM32" opcode */ +#define OPCODE_MOV 0xB8 + +/* macro shortcut for bailing out of FindFunctionOffset in case of an error */ + +#define ABORT_FindFunctionOffset(msg) { \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindFunctionOffset():")); \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); \ + return -1; \ + } + +int +FindFunctionOffset(PULONG_PTR Function) +{ + PUCHAR Instruction; + ULONG num, ServiceIDNumber, ServiceTableIndex; + + + /* + * Make sure that the service code starts with a MOV EAX,IMM32 instruction: + * + * lkd> u ZwCreateFile + * nt!ZwCreateFile: + * 804f86f4 b825000000 mov eax,0x25 + */ + + Instruction = (PUCHAR) Function; + + if (*Instruction != OPCODE_MOV) + + ABORT_FindFunctionOffset(("Invalid opcode %x\n", *Instruction)); + + + /* + * Extract the Service Descriptor Table index (4 bytes following the mov opcode) + * + * The index format is as follows: + * + * Leading 18 bits are all zeroes + * Following 2 bits are system service table index (3 bits on Win64) + * Following 12 bits are service number + */ + + num = * (PULONG) ++Instruction; + + + /* only SERVICE_TABLE_INDEX_BITS LSB bits should be set */ + + ServiceTableIndex = num >> SERVICE_ID_NUMBER_BITS; + + if (ServiceTableIndex >= NUMBER_SERVICE_TABLES) + + ABORT_FindFunctionOffset(("Invalid SSDT index: %x (%x)\n", ServiceTableIndex, num)); + + + /* XXX temporary? There exist 4 (8 on IA64) service tables. All the Zw* system services are in table 0 */ + if (ServiceTableIndex != 0) + + ABORT_FindFunctionOffset(("Invalid SSDT index2: %x (%x)\n", ServiceTableIndex, num)); + + + /* Verify Service ID Number is in range */ + + ServiceIDNumber = num & SERVICE_ID_NUMBER_MASK; + +//XXX shouldn't we be using the shadow table instead?? +//shadow table Zw* base address is the same in addition to GUI table + if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices) + + ABORT_FindFunctionOffset(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)); + + + return ServiceIDNumber; +} + + + +#if 0 + +/* + * HookSystemService() + * + * Description: + * Replaces an existing sytem service pointer (n a global system service table) with another function pointer. + * + * Parameters: + * OldService - Pointer to the service code to mediate. + * NewService - Pointer to the new function code. + * + * Returns: + * Current OldService indexed system service function pointer. + */ + +/* macro shortcut for bailing out of HookSystemService in case of an error */ + +#define ABORT_HookSystemService(msg) { \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in HookSystemService():")); \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, (msg)); \ + return NULL; \ + } + +PVOID +HookSystemService(PVOID OldService, PVOID NewService) +{ + PULONG_PTR ssdt; + PULONG_PTR retptr = NULL; + ULONG ServiceIDNumber; + + + if (OldService == NULL || NewService == NULL) + + ABORT_HookSystemService(("NULL detected. OldService=%x NewService=%x", OldService, NewService)); + + + ServiceIDNumber = FindFunctionOffset(OldService); + + if (ServiceIDNumber == -1) + + ABORT_HookSystemService(("FindFunctionOffset(%x) failed", OldService)); + + + ssdt = KeServiceDescriptorTable[0].ServiceTableBase; + + + retptr = (PULONG_PTR) ssdt[ServiceIDNumber]; + + if (retptr == NULL) + + ABORT_HookSystemService(("ssdt[index] = NULL\n")); + + + if (((ULONG) retptr & SystemAddressStart) == 0) + + ABORT_HookSystemService(("invalid code instruction specified\n")); + + + retptr = ExchangeReadOnlyMemoryPointer((PVOID *) &ssdt[ServiceIDNumber], NewService); + + + return retptr; +} + +#endif + + + +/* + * HookSystemServiceByIndex() + * + * Description: + * Replaces an existing sytem service (n a global system service table) with another function pointer. + * + * Parameters: + * ServiceIDNumber - Index of a system service to mediate. + * NewService - Pointer to the new function code. + * + * Returns: + * Current ServiceIDNumber indexed system service function pointer. + */ + +/* macro shortcut for bailing out of HookSystemServiceByIndex in case of an error */ + +#define ABORT_HookSystemServiceByIndex(msg) { \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in HookSystemServiceByIndex():")); \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); \ + return NULL; \ + } + +PVOID +HookSystemServiceByIndex(ULONG ServiceIDNumber, PVOID NewService) +{ + PULONG_PTR ssdt; + PULONG_PTR retptr = NULL; + ULONG ServiceTableIndex = 0; + + + ssdt = KeServiceDescriptorTable[ServiceTableIndex].ServiceTableBase; + + + /* Verify Service ID Number is in range */ + +//XXX shouldn't we be using the shadow table instead?? + if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices) + + ABORT_HookSystemServiceByIndex(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)); + + + retptr = (PULONG_PTR) ssdt[ServiceIDNumber]; + + if (retptr == NULL) + + ABORT_HookSystemServiceByIndex(("ssdt[index] = NULL\n")); + + + if (((ULONG) retptr & SystemAddressStart) == 0) + + ABORT_HookSystemServiceByIndex(("invalid code instruction specified\n")); + + + retptr = ExchangeReadOnlyMemoryPointer((PVOID *) &ssdt[ServiceIDNumber], NewService); + + + return retptr; +} + + +#if 0 +/* + * FindSystemServiceByIndex() + * + * Description:XXX + * Replaces an existing sytem service (n a global system service table) with another function pointer. + * + * Parameters: + * ServiceIDNumber - Index of a system service to mediate. + * NewService - Pointer to the new function code. + * + * Returns: + * Current ServiceIDNumber indexed system service function pointer. + */ + +/* macro shortcut for bailing out of HookSystemServiceByIndex in case of an error */ + +#define ABORT_FindSystemServiceByIndex(msg) { LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindSystemServiceByIndex():")); LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); return NULL; } + +PULONG +FindSystemServiceByIndex(ULONG ServiceIDNumber) +{ + PULONG_PTR ssdt; + PULONG_PTR retptr = NULL; + ULONG ServiceTableIndex = 0; + + + ssdt = KeServiceDescriptorTable[ServiceTableIndex].ServiceTableBase; + + + /* Verify Service ID Number is in range */ + +//XXX shouldn't we be using the shadow table instead?? + if (ServiceIDNumber > KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices) + + ABORT_FindSystemServiceByIndex(("Invalid service id number %d (max is %d)\n", ServiceIDNumber, KeServiceDescriptorTable[ServiceTableIndex].NumberOfServices)); + + + retptr = (PULONG_PTR) ssdt[ServiceIDNumber]; + + if (retptr == NULL) + + ABORT_FindSystemServiceByIndex(("ssdt[index] = NULL\n")); + + + if (((ULONG) retptr & SystemAddressStart) == 0) + + ABORT_FindSystemServiceByIndex(("invalid code instruction specified\n")); + + + return (PULONG) ssdt[ServiceIDNumber]; +} +#endif + + +/* + * HookSystemServiceByName() + * + * Description: + * Replaces an existing sytem service (n a global system service table) with another function pointer. + * + * Parameters: + * ServiceName - Name of a Zw* system service to mediate. + * HookFunction - Pointer to the mediator function code. + * + * Returns: + * TRUE to indicate success, FALSE if failed. + */ + +BOOLEAN +HookSystemServiceByName(PCHAR ServiceName, PULONG_PTR HookFunction) +{ + int i; + + + for (i = 0; i < ZwCallsNumber; i++) + { + if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0) + { +// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("HookSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber)); + + // hijack the syscall if not hijacked already + if (ZwCalls[i].Hijacked == FALSE && ZwCalls[i].ServiceIDNumber != -1) + { + if ((ZwCalls[i].OriginalFunction = HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber, + HookFunction ? HookFunction : ZwCalls[i].HookFunction)) != NULL) + { + ZwCalls[i].Hijacked = TRUE; + } + } + + return TRUE; + } + } + + + return FALSE; +} + + + +#if 0 +/* + * FindSystemServiceIndex() + * + * Description: + * Find a system service index for a specified service name. + * + * Parameters: + * ServiceName - Name of a Zw* system service to find. + * + * Returns: + * System service index if found, -1 otherwise. + */ + +ULONG +FindSystemServiceIndex(PCHAR ServiceName) +{ + int i; + + + for (i = 0; i < ZwCallsNumber; i++) + { + if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0) + { +// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber)); + + return ZwCalls[i].ServiceIDNumber; + } + } + + + return -1; +} +#endif + + +/* + * FindSystemServiceNumber() + * + * Description: + * Find a system service number for a specified service name. + * + * Parameters: + * ServiceName - Name of a Zw* system service to find. + * + * Returns: + * System service number if found, -1 otherwise. + */ + +ULONG +FindSystemServiceNumber(PCHAR ServiceName) +{ + int i; + + + for (i = 0; i < ZwCallsNumber; i++) + { + if (strlen(ServiceName) == ZwCalls[i].ZwNameLength && _stricmp(ServiceName, ZwCalls[i].ZwName + 2) == 0) + { +// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindSystemServiceByName: Matched rule: %x\n", ZwCalls[i].ServiceIDNumber)); + + return i; + } + } + + + return -1; +} + + + +/* + * Find_NTDLL_Base() + * + * Description: + * Returns the base address of mapped ntdll.dll in a "System" process context. + * + * NOTE: Based on "Windows NT/2000 Native API Reference" implementation. + * + * Parameters: + * None. + * + * Returns: + * ntdll.dll base address (NULL if not found). + */ + +PVOID +Find_NTDLL_Base() +{ + ULONG size, i; + PVOID ntdll = NULL; + PULONG SystemInfo; + PSYSTEM_MODULE_INFORMATION pSMI; + NTSTATUS status; + + + /* + * The data returned to the SystemInformation buffer is a ULONG count of the number of + * modules followed immediately by an array of SYSTEM_MODULE_INFORMATION. + * + * The system modules are the Portable Executable (PE) format files loaded into the + * kernel address space (ntoskrnl.exe, hal.dll, device drivers, and so on) and ntdll.dll. + */ + + + /* first, find out the total amount of module information to be returned */ + + status = ZwQuerySystemInformation(SystemModuleInformation, &size, 0, &size); + if (size == 0 || size > 1024*1024) + { + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: ZwQuerySystemInformation failed. status=%x size=%d\n", status, size)); + return NULL; + } + + + /* second, allocate the required amount of memory */ + + SystemInfo = ExAllocatePoolWithTag(PagedPool, size + 4, _POOL_TAG); + if (SystemInfo == NULL) + { + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: out of memory (requested %d bytes)\n", size + 4)); + return NULL; + } + + + /* third, request the module information */ + + ZwQuerySystemInformation(SystemModuleInformation, SystemInfo, size, &i); + + if (size != ((*SystemInfo * sizeof(SYSTEM_MODULE_INFORMATION)) + 4)) + { + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Find_NTDLL_Base: inconsistent size (%d != %d * %d + 4)\n", size, *SystemInfo, sizeof(SYSTEM_MODULE_INFORMATION))); + return NULL; + } + + + + pSMI = (PSYSTEM_MODULE_INFORMATION) (SystemInfo + 1); + + for (i = 0; i < *SystemInfo; i++) + { +// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("comparing '%s' (base 0x%x)\n", pSMI[i].ImageName + pSMI[i].ModuleNameOffset, pSMI[i].Base)); + + if (_stricmp(pSMI[i].ImageName + pSMI[i].ModuleNameOffset, "ntdll.dll") == 0) + { + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_VERBOSE, ("Find_NTDLL_Base: ntdll.dll base address is %x\n", pSMI[i].Base)); + ntdll = pSMI[i].Base; + break; + } + } + + ExFreePoolWithTag(SystemInfo, _POOL_TAG); + + + return ntdll; +} + + +#if 0 +PVOID +Find_Kernel32_Base2() +{ + PVOID Kernel32 = NULL; + NTSTATUS status; + OBJECT_ATTRIBUTES ObjectAttributes; + IO_STATUS_BLOCK isb; + HANDLE FileHandle; + UNICODE_STRING usName; + PVOID BaseAddress = NULL; + SIZE_T Size; + CHAR buffer[256]; + + +// RtlInitUnicodeString(&usName, L"\\SystemRoot\\System32\\kernel32.dll"); + RtlInitUnicodeString(&usName, L"\\??\\c:\\windows\\system32\\kernel32.dll"); + InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); + + status = ZwCreateFile(&FileHandle, GENERIC_READ, &ObjectAttributes, &isb, NULL, 0, 0, 0, 0, NULL, 0); + if (!NT_SUCCESS(status)) + { + LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("Find_Kernel32_Base: Failed to open file %S (%x)\n", usName.Buffer, status)); + return FALSE; + } + + + status = ZwReadFile(FileHandle, NULL, NULL, NULL, &isb, (PVOID) buffer, sizeof(buffer) - 1, 0, NULL); + + if (! NT_SUCCESS(status)) + { + if (status != STATUS_END_OF_FILE) + { + LOG(LOG_SS_POLICY, LOG_PRIORITY_DEBUG, ("LoadSecurityPolicy: ZwReadFile failed rc=%x\n", status)); + } + } + + ZwClose(FileHandle); + + + return Kernel32; +} + + + +PVOID +Find_Kernel32_Base() +{ + PVOID Kernel32 = NULL; + NTSTATUS status; + OBJECT_ATTRIBUTES ObjectAttributes; + HANDLE SectionHandle; + UNICODE_STRING usName; + PVOID BaseAddress = NULL; + SIZE_T Size; + NTSTATUS q; + + + RtlInitUnicodeString(&usName, L"\\KnownDlls\\kernel32.dll"); + InitializeObjectAttributes(&ObjectAttributes, &usName, OBJ_KERNEL_HANDLE, NULL, NULL); + + if (NT_SUCCESS( ZwOpenSection(&SectionHandle, SECTION_MAP_READ, &ObjectAttributes) )) + { + q = ZwMapViewOfSection(SectionHandle, NtCurrentProcess(), &BaseAddress, 0, 0, NULL, &Size, ViewShare, MEM_RESERVE, PAGE_READWRITE); + if (NT_SUCCESS(q)) + { + KdPrint(("XXX mapped kernel32.dll at BaseAddress %x\n", BaseAddress)); + + if (!NT_SUCCESS( ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress) )) + { + KdPrint(("ZwUnmapViewOfSection failed")); + } + + ZwClose(SectionHandle); + } + else + { + KdPrint(("ZwMapViewOfSection failed with status %x", q)); + } + } + else + { + KdPrint(("ZwOpenSection failed")); + } + + return Kernel32; +} +#endif + + +/* + * FindFunctionBase() + * + * Description: + * Finds the address where a function is mapped at. + * + * NOTE: Based on "Windows NT/2000 Native API Reference" implementation. + * + * Parameters: + * Base - Mapped address of a DLL exporting the function. + * Name - Function name. + * + * Returns: + * Address where a function is mapped at (NULL if not found). + */ + +/* macro shortcut for bailing out of FindFunctionBase in case of an error */ + +#define ABORT_FindFunctionBase(msg) { \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Error occured in FindFunctionBase():")); \ + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, msg); \ + return NULL; \ + } + +PVOID +FindFunctionBase(PCHAR ImageBase, PCSTR Name) +{ + PIMAGE_DOS_HEADER DosHeader; + PIMAGE_NT_HEADERS PeHeader; + PIMAGE_DATA_DIRECTORY ImageExportDirectoryEntry; + ULONG ExportDirectorySize, ExportDirectoryOffset, i; + PIMAGE_EXPORT_DIRECTORY ExportDirectory; + PULONG ExportAddressTable; + PSHORT ExportOrdinalTable; + PULONG ExportNameTable; + + + if ( (DosHeader = (PIMAGE_DOS_HEADER) ImageBase) == NULL) + + ABORT_FindFunctionBase(("Base pointer is NULL (name = %s)\n", Name)); + + + if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE) + + ABORT_FindFunctionBase(("DOS Signature not found! (%x %x)\n", DosHeader, DosHeader->e_magic)); + + + if (DosHeader->e_lfanew > 1024*1024) + + ABORT_FindFunctionBase(("Invalid e_lfanew value %x\n", DosHeader->e_lfanew)); + + + if ( (PeHeader = (PIMAGE_NT_HEADERS) (ImageBase + DosHeader->e_lfanew)) == NULL) + + ABORT_FindFunctionBase(("NT header pointer is NULL (name = %s)\n", Name)); + + + if (PeHeader->Signature != IMAGE_PE_SIGNATURE) + + ABORT_FindFunctionBase(("PE Signature not found! (%x %x)\n", PeHeader, PeHeader->Signature)); + + + if ( (ImageExportDirectoryEntry = PeHeader->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT) == NULL) + + ABORT_FindFunctionBase(("Export directory pointer is NULL (name = %s)\n", Name)); + + + ExportDirectorySize = ImageExportDirectoryEntry->Size; + ExportDirectoryOffset = ImageExportDirectoryEntry->VirtualAddress; + + if ( (ExportDirectory = (PIMAGE_EXPORT_DIRECTORY) (ImageBase + ExportDirectoryOffset)) == NULL) + + ABORT_FindFunctionBase(("Exports pointer is NULL (name = %s)\n", Name)); + + + ExportAddressTable = (PULONG) (ImageBase + ExportDirectory->AddressOfFunctions); + ExportOrdinalTable = (PSHORT) (ImageBase + ExportDirectory->AddressOfNameOrdinals); + ExportNameTable = (PULONG) (ImageBase + ExportDirectory->AddressOfNames); + +//XXX "AcceptConnectPort\0" \0 necessary to make sure ZwCreateProcess does not match ZwCreateProcessEx ? + + for (i = 0; i < ExportDirectory->NumberOfNames; i++) + { + ULONG ord = ExportOrdinalTable[i]; + + if (ExportAddressTable[ord] < ExportDirectoryOffset || + ExportAddressTable[ord] >= ExportDirectoryOffset + ExportDirectorySize) + { + //XXX windows loader uses binary search? + if (strcmp(ImageBase + ExportNameTable[i], Name) == 0) + { + return ImageBase + ExportAddressTable[ord]; + } + } + } + + return NULL; +} + + + +/* + * FindZwFunctionIndex() + * + * Description: + * Finds a system service table index of a Zw* system service. + * + * NOTE: Based on "Windows NT/2000 Native API Reference" implementation. + * + * Parameters: + * Name - Zw* service name. + * + * Returns: + * Zw* service index in a system service table (-1 if not found). + */ + +int +FindZwFunctionIndex(PCSTR Name) +{ + PULONG_PTR FunctionBase; + + + if (NTDLL_Base == NULL) + if ( (NTDLL_Base = Find_NTDLL_Base()) == NULL) + return -1; + + + if ( (FunctionBase = FindFunctionBase(NTDLL_Base, Name)) == NULL) + { +// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("FindZwFunctionIndex: FindZwFunctionBase(%s) returned NULL", Name)); + return -1; + } + + + return FindFunctionOffset(FunctionBase); +} + + + +/* + * ZwCalls structure describes all known system services. + * Part of the structure (i.e. system call table offset and system call address) + * is filled in at runtime. + * + * Automatically generated with + * dumpbin /exports c:\windows2003\system32\ntdll.dll|grep Zw| + * perl -wnle "print qq{\t{ \"$1\", NULL, (PULONG_PTR) SystemCallHandler$i, NULL, FALSE },} if /(Zw.*)/; ++$i" > win2k3_syscalls + * + * perl -wne "if (/\"Zw(.*?)\"/) { $q=length $1; s/\"Zw(.*?)\"/\"Zw$1\", $q/} print" q.txt > q2.txt + */ + +struct _ZwCalls /* { + PCHAR ZwName; // System call name + USHORT ZwNameLength; // System call name length + USHORT ServiceIDNumber; // System call index (filled in at runtime) + PULONG_PTR HookFunction; // Address of the hijacking function (function that will be called instead of the original system call) + PULONG_PTR OriginalFunction; // PlaceHolder for the address of the original syscall address + BOOLEAN Hijacked; // Flag indicating whether we already hijacked this system call + // or whether this is a special system service that needs to be hijacked initially +} */ ZwCalls[] = +{ + { "ZwAcceptConnectPort", 17, -1, (PULONG_PTR) SystemCallHandler0, NULL, FALSE }, + { "ZwAccessCheck", 11, -1, (PULONG_PTR) SystemCallHandler1, NULL, FALSE }, + { "ZwAccessCheckAndAuditAlarm", 24, -1, (PULONG_PTR) SystemCallHandler2, NULL, FALSE }, + { "ZwAccessCheckByType", 17, -1, (PULONG_PTR) SystemCallHandler3, NULL, FALSE }, + { "ZwAccessCheckByTypeAndAuditAlarm", 30, -1, (PULONG_PTR) SystemCallHandler4, NULL, FALSE }, + { "ZwAccessCheckByTypeResultList", 27, -1, (PULONG_PTR) SystemCallHandler5, NULL, FALSE }, + { "ZwAccessCheckByTypeResultListAndAuditAlarm", 40, -1, (PULONG_PTR) SystemCallHandler6, NULL, FALSE }, + { "ZwAccessCheckByTypeResultListAndAuditAlarmByHandle", 48, -1, (PULONG_PTR) SystemCallHandler7, NULL, FALSE }, + + +#if HOOK_ATOM + { "ZwAddAtom", 7, -1, (PULONG_PTR) HookedNtAddAtom, NULL, TRUE }, +#else + { "ZwAddAtom", 7, -1, (PULONG_PTR) SystemCallHandler8, NULL, FALSE }, +#endif + + +//XXX + { "ZwAddBootEntry", 12, -1, (PULONG_PTR) SystemCallHandler9, NULL, FALSE }, + { "ZwAddDriverEntry", 14, -1, (PULONG_PTR) SystemCallHandler10, NULL, FALSE }, + + +#if HOOK_TOKEN_ZZZ + { "ZwAdjustGroupsToken", 17, -1, (PULONG_PTR) HookedNtAdjustGroupsToken, NULL, TRUE }, +#else + { "ZwAdjustGroupsToken", 17, -1, (PULONG_PTR) SystemCallHandler11, NULL, FALSE }, +#endif + +#if HOOK_TOKEN + { "ZwAdjustPrivilegesToken", 21, -1, (PULONG_PTR) HookedNtAdjustPrivilegesToken, NULL, TRUE }, +#else + { "ZwAdjustPrivilegesToken", 21, -1, (PULONG_PTR) SystemCallHandler12, NULL, FALSE }, +#endif + + + { "ZwAlertResumeThread", 17, -1, (PULONG_PTR) SystemCallHandler13, NULL, FALSE }, + { "ZwAlertThread", 11, -1, (PULONG_PTR) SystemCallHandler14, NULL, FALSE }, + { "ZwAllocateLocallyUniqueId", 23, -1, (PULONG_PTR) SystemCallHandler15, NULL, FALSE }, + { "ZwAllocateUserPhysicalPages", 25, -1, (PULONG_PTR) SystemCallHandler16, NULL, FALSE }, + { "ZwAllocateUuids", 13, -1, (PULONG_PTR) SystemCallHandler17, NULL, FALSE }, + { "ZwAllocateVirtualMemory", 21, -1, (PULONG_PTR) SystemCallHandler18, NULL, FALSE }, + { "ZwApphelpCacheControl", 19, -1, (PULONG_PTR) SystemCallHandler19, NULL, FALSE }, + { "ZwAreMappedFilesTheSame", 21, -1, (PULONG_PTR) SystemCallHandler20, NULL, FALSE }, + { "ZwAssignProcessToJobObject", 24, -1, (PULONG_PTR) SystemCallHandler21, NULL, FALSE }, + { "ZwCallbackReturn", 14, -1, (PULONG_PTR) SystemCallHandler22, NULL, FALSE }, + { "ZwCancelDeviceWakeupRequest", 25, -1, (PULONG_PTR) SystemCallHandler23, NULL, FALSE }, + { "ZwCancelIoFile", 12, -1, (PULONG_PTR) SystemCallHandler24, NULL, FALSE }, + { "ZwCancelTimer", 11, -1, (PULONG_PTR) SystemCallHandler25, NULL, FALSE }, + { "ZwClearEvent", 10, -1, (PULONG_PTR) SystemCallHandler26, NULL, FALSE }, + + /* don't mediate for performance reasons, requires a valid handle anyway */ + { "ZwClose", 5, -1, NULL, NULL, FALSE }, + + { "ZwCloseObjectAuditAlarm", 21, -1, (PULONG_PTR) SystemCallHandler28, NULL, FALSE }, + { "ZwCompactKeys", 11, -1, (PULONG_PTR) SystemCallHandler29, NULL, FALSE }, + { "ZwCompareTokens", 13, -1, (PULONG_PTR) SystemCallHandler30, NULL, FALSE }, + { "ZwCompleteConnectPort", 19, -1, (PULONG_PTR) SystemCallHandler31, NULL, FALSE }, + { "ZwCompressKey", 11, -1, (PULONG_PTR) SystemCallHandler32, NULL, FALSE }, + + +#if HOOK_PORT + { "ZwConnectPort", 11, -1, (PULONG_PTR) HookedNtConnectPort, NULL, TRUE }, +#else + { "ZwConnectPort", 11, -1, (PULONG_PTR) SystemCallHandler33, NULL, FALSE }, +#endif + + + { "ZwContinue", 8, -1, (PULONG_PTR) SystemCallHandler34, NULL, FALSE }, + + +#if HOOK_DEBUG_ZZZ + { "ZwCreateDebugObject", 17, -1, (PULONG_PTR) HookedNtCreateDebugObject, NULL, TRUE }, +#else + { "ZwCreateDebugObject", 17, -1, (PULONG_PTR) SystemCallHandler35, NULL, FALSE }, +#endif + + +#if HOOK_DIROBJ + { "ZwCreateDirectoryObject", 21, -1, (PULONG_PTR) HookedNtCreateDirectoryObject, NULL, TRUE }, +#else + { "ZwCreateDirectoryObject", 21, -1, (PULONG_PTR) SystemCallHandler36, NULL, FALSE }, +#endif + + +#if HOOK_EVENT + { "ZwCreateEvent", 11, -1, (PULONG_PTR) HookedNtCreateEvent, NULL, TRUE }, + { "ZwCreateEventPair", 15, -1, (PULONG_PTR) HookedNtCreateEventPair, NULL, TRUE }, +#else + { "ZwCreateEvent", 11, -1, (PULONG_PTR) SystemCallHandler37, NULL, FALSE }, + { "ZwCreateEventPair", 15, -1, (PULONG_PTR) SystemCallHandler38, NULL, FALSE }, +#endif + + +#if HOOK_FILE + { "ZwCreateFile", 10, -1, (PULONG_PTR) HookedNtCreateFile, NULL, TRUE }, +#else + { "ZwCreateFile", 10, -1, (PULONG_PTR) SystemCallHandler39, NULL, FALSE }, +#endif + + + { "ZwCreateIoCompletion", 18, -1, (PULONG_PTR) SystemCallHandler40, NULL, FALSE }, + + +#if HOOK_JOB + { "ZwCreateJobObject", 15, -1, (PULONG_PTR) HookedNtCreateJobObject, NULL, TRUE }, +#else + { "ZwCreateJobObject", 15, -1, (PULONG_PTR) SystemCallHandler41, NULL, FALSE }, +#endif + + +//XXX ??? + { "ZwCreateJobSet", 12, -1, (PULONG_PTR) SystemCallHandler42, NULL, FALSE }, + + +#if HOOK_REGISTRY + { "ZwCreateKey", 9, -1, (PULONG_PTR) HookedNtCreateKey, NULL, TRUE }, +#else + { "ZwCreateKey", 9, -1, (PULONG_PTR) SystemCallHandler43, NULL, FALSE }, +#endif + + + { "ZwCreateKeyedEvent", 16, -1, (PULONG_PTR) SystemCallHandler44, NULL, FALSE }, + + +#if HOOK_FILE + { "ZwCreateMailslotFile", 18, -1, (PULONG_PTR) HookedNtCreateMailslotFile, NULL, TRUE }, +#else + { "ZwCreateMailslotFile", 18, -1, (PULONG_PTR) SystemCallHandler45, NULL, FALSE }, +#endif + + +#if HOOK_MUTANT + { "ZwCreateMutant", 12, -1, (PULONG_PTR) HookedNtCreateMutant, NULL, TRUE }, +#else + { "ZwCreateMutant", 12, -1, (PULONG_PTR) SystemCallHandler46, NULL, FALSE }, +#endif + + +#if HOOK_FILE + { "ZwCreateNamedPipeFile", 19, -1, (PULONG_PTR) HookedNtCreateNamedPipeFile, NULL, TRUE }, +#else + { "ZwCreateNamedPipeFile", 19, -1, (PULONG_PTR) SystemCallHandler47, NULL, FALSE }, +#endif + + + { "ZwCreatePagingFile", 16, -1, (PULONG_PTR) SystemCallHandler48, NULL, FALSE }, + + +#if HOOK_PORT + { "ZwCreatePort", 10, -1, (PULONG_PTR) HookedNtCreatePort, NULL, TRUE }, +#else + { "ZwCreatePort", 10, -1, (PULONG_PTR) SystemCallHandler49, NULL, FALSE }, +#endif + + +#if HOOK_PROCESS + { "ZwCreateProcess", 13, -1, (PULONG_PTR) HookedNtCreateProcess, NULL, TRUE }, + { "ZwCreateProcessEx", 15, -1, (PULONG_PTR) HookedNtCreateProcessEx, NULL, TRUE }, +#else + { "ZwCreateProcess", 13, -1, (PULONG_PTR) SystemCallHandler50, NULL, FALSE }, + { "ZwCreateProcessEx", 15, -1, (PULONG_PTR) SystemCallHandler51, NULL, FALSE }, +#endif + + + { "ZwCreateProfile", 13, -1, (PULONG_PTR) SystemCallHandler52, NULL, FALSE }, + + +#if HOOK_SECTION + { "ZwCreateSection", 13, -1, (PULONG_PTR) HookedNtCreateSection, NULL, TRUE }, +#else + { "ZwCreateSection", 13, -1, (PULONG_PTR) SystemCallHandler53, NULL, FALSE }, +#endif + + +#if HOOK_SEMAPHORE + { "ZwCreateSemaphore", 15, -1, (PULONG_PTR) HookedNtCreateSemaphore, NULL, TRUE }, +#else + { "ZwCreateSemaphore", 15, -1, (PULONG_PTR) SystemCallHandler54, NULL, FALSE }, +#endif + + +#if HOOK_SYMLINK + { "ZwCreateSymbolicLinkObject", 24, -1, (PULONG_PTR) HookedNtCreateSymbolicLinkObject, NULL, TRUE }, +#else + { "ZwCreateSymbolicLinkObject", 24, -1, (PULONG_PTR) SystemCallHandler55, NULL, FALSE }, +#endif + + +#if HOOK_PROCESS + { "ZwCreateThread", 12, -1, (PULONG_PTR) HookedNtCreateThread, NULL, TRUE }, +#else + { "ZwCreateThread", 12, -1, (PULONG_PTR) SystemCallHandler56, NULL, FALSE }, +#endif + + +#if HOOK_TIMER + { "ZwCreateTimer", 11, -1, (PULONG_PTR) HookedNtCreateTimer, NULL, TRUE }, +#else + { "ZwCreateTimer", 11, -1, (PULONG_PTR) SystemCallHandler57, NULL, FALSE }, +#endif + + +#if HOOK_TOKEN_ZZZ + { "ZwCreateToken", 11, -1, (PULONG_PTR) HookedNtCreateToken, NULL, TRUE }, +#else + { "ZwCreateToken", 11, -1, (PULONG_PTR) SystemCallHandler58, NULL, FALSE }, +#endif + + +#if HOOK_PORT + { "ZwCreateWaitablePort", 18, -1, (PULONG_PTR) HookedNtCreateWaitablePort, NULL, TRUE }, +#else + { "ZwCreateWaitablePort", 18, -1, (PULONG_PTR) SystemCallHandler59, NULL, FALSE }, +#endif + + +#if HOOK_DEBUG + { "ZwDebugActiveProcess", 18, -1, (PULONG_PTR) HookedNtDebugActiveProcess, NULL, TRUE }, +#else + { "ZwDebugActiveProcess", 18, -1, (PULONG_PTR) SystemCallHandler60, NULL, FALSE }, +#endif + + + { "ZwDebugContinue", 13, -1, (PULONG_PTR) SystemCallHandler61, NULL, FALSE }, + { "ZwDelayExecution", 14, -1, (PULONG_PTR) SystemCallHandler62, NULL, FALSE }, + { "ZwDeleteAtom", 10, -1, (PULONG_PTR) SystemCallHandler63, NULL, FALSE }, + { "ZwDeleteBootEntry", 15, -1, (PULONG_PTR) SystemCallHandler64, NULL, FALSE }, + { "ZwDeleteDriverEntry", 17, -1, (PULONG_PTR) SystemCallHandler65, NULL, FALSE }, + + +#if HOOK_FILE + { "ZwDeleteFile", 10, -1, (PULONG_PTR) HookedNtDeleteFile, NULL, TRUE }, +#else + { "ZwDeleteFile", 10, -1, (PULONG_PTR) SystemCallHandler66, NULL, FALSE }, +#endif + + +#if HOOK_REGISTRY + { "ZwDeleteKey", 9, -1, (PULONG_PTR) HookedNtDeleteKey, NULL, TRUE }, +#else + { "ZwDeleteKey", 9, -1, (PULONG_PTR) SystemCallHandler67, NULL, FALSE }, +#endif + + { "ZwDeleteObjectAuditAlarm", 22, -1, (PULONG_PTR) SystemCallHandler68, NULL, FALSE }, + { "ZwDeleteValueKey", 14, -1, (PULONG_PTR) SystemCallHandler69, NULL, FALSE }, +//XXX + + { "ZwDeviceIoControlFile", 19, -1, NULL, NULL, FALSE }, + { "ZwDisplayString", 13, -1, (PULONG_PTR) SystemCallHandler71, NULL, FALSE }, + { "ZwDuplicateObject", 15, -1, (PULONG_PTR) SystemCallHandler72, NULL, FALSE }, + { "ZwDuplicateToken", 14, -1, (PULONG_PTR) SystemCallHandler73, NULL, FALSE }, + { "ZwEnumerateBootEntries", 20, -1, (PULONG_PTR) SystemCallHandler74, NULL, FALSE }, + { "ZwEnumerateDriverEntries", 22, -1, (PULONG_PTR) SystemCallHandler75, NULL, FALSE }, + { "ZwEnumerateKey", 12, -1, (PULONG_PTR) SystemCallHandler76, NULL, FALSE }, + { "ZwEnumerateSystemEnvironmentValuesEx", 34, -1, (PULONG_PTR) SystemCallHandler77, NULL, FALSE }, + { "ZwEnumerateValueKey", 17, -1, (PULONG_PTR) SystemCallHandler78, NULL, FALSE }, +//XXX + + + { "ZwExtendSection", 13, -1, (PULONG_PTR) SystemCallHandler79, NULL, FALSE }, + { "ZwFilterToken", 11, -1, (PULONG_PTR) SystemCallHandler80, NULL, FALSE }, + + +#if HOOK_ATOM + { "ZwFindAtom", 8, -1, (PULONG_PTR) HookedNtFindAtom, NULL, TRUE }, +#else + { "ZwFindAtom", 8, -1, (PULONG_PTR) SystemCallHandler81, NULL, FALSE }, +#endif + + + { "ZwFlushBuffersFile", 16, -1, (PULONG_PTR) SystemCallHandler82, NULL, FALSE }, + { "ZwFlushInstructionCache", 21, -1, (PULONG_PTR) SystemCallHandler83, NULL, FALSE }, + { "ZwFlushKey", 8, -1, (PULONG_PTR) SystemCallHandler84, NULL, FALSE }, + { "ZwFlushVirtualMemory", 18, -1, (PULONG_PTR) SystemCallHandler85, NULL, FALSE }, + { "ZwFlushWriteBuffer", 16, -1, (PULONG_PTR) SystemCallHandler86, NULL, FALSE }, + { "ZwFreeUserPhysicalPages", 21, -1, (PULONG_PTR) SystemCallHandler87, NULL, FALSE }, + { "ZwFreeVirtualMemory", 17, -1, (PULONG_PTR) SystemCallHandler88, NULL, FALSE }, + { "ZwFsControlFile", 13, -1, (PULONG_PTR) SystemCallHandler89, NULL, FALSE }, + { "ZwGetContextThread", 16, -1, (PULONG_PTR) SystemCallHandler90, NULL, FALSE }, + { "ZwGetCurrentProcessorNumber", 25, -1, (PULONG_PTR) SystemCallHandler91, NULL, FALSE }, + { "ZwGetDevicePowerState", 19, -1, (PULONG_PTR) SystemCallHandler92, NULL, FALSE }, + { "ZwGetPlugPlayEvent", 16, -1, (PULONG_PTR) SystemCallHandler93, NULL, FALSE }, + { "ZwGetWriteWatch", 13, -1, (PULONG_PTR) SystemCallHandler94, NULL, FALSE }, + +//XXX + { "ZwImpersonateAnonymousToken", 25, -1, (PULONG_PTR) SystemCallHandler95, NULL, FALSE }, + { "ZwImpersonateClientOfPort", 23, -1, (PULONG_PTR) SystemCallHandler96, NULL, FALSE }, + { "ZwImpersonateThread", 17, -1, (PULONG_PTR) SystemCallHandler97, NULL, FALSE }, + + { "ZwInitializeRegistry", 18, -1, (PULONG_PTR) SystemCallHandler98, NULL, FALSE }, + { "ZwInitiatePowerAction", 19, -1, (PULONG_PTR) SystemCallHandler99, NULL, FALSE }, + { "ZwIsProcessInJob", 14, -1, (PULONG_PTR) SystemCallHandler100, NULL, FALSE }, + { "ZwIsSystemResumeAutomatic", 23, -1, (PULONG_PTR) SystemCallHandler101, NULL, FALSE }, + { "ZwListenPort", 10, -1, (PULONG_PTR) SystemCallHandler102, NULL, FALSE }, + + +#if HOOK_DRIVEROBJ + { "ZwLoadDriver", 10, -1, (PULONG_PTR) HookedNtLoadDriver, NULL, TRUE }, +#else + { "ZwLoadDriver", 10, -1, (PULONG_PTR) SystemCallHandler103, NULL, FALSE }, +#endif + + + { "ZwLoadKey", 7, -1, (PULONG_PTR) SystemCallHandler104, NULL, FALSE }, + { "ZwLoadKey2", 8, -1, (PULONG_PTR) SystemCallHandler105, NULL, FALSE }, + { "ZwLoadKeyEx", 9, -1, (PULONG_PTR) SystemCallHandler106, NULL, FALSE }, + { "ZwLockFile", 8, -1, (PULONG_PTR) SystemCallHandler107, NULL, FALSE }, + { "ZwLockProductActivationKeys", 25, -1, (PULONG_PTR) SystemCallHandler108, NULL, FALSE }, + { "ZwLockRegistryKey", 15, -1, (PULONG_PTR) SystemCallHandler109, NULL, FALSE }, + { "ZwLockVirtualMemory", 17, -1, (PULONG_PTR) SystemCallHandler110, NULL, FALSE }, + { "ZwMakePermanentObject", 19, -1, (PULONG_PTR) SystemCallHandler111, NULL, FALSE }, + { "ZwMakeTemporaryObject", 19, -1, (PULONG_PTR) SystemCallHandler112, NULL, FALSE }, + { "ZwMapUserPhysicalPages", 20, -1, (PULONG_PTR) SystemCallHandler113, NULL, FALSE }, + { "ZwMapUserPhysicalPagesScatter", 27, -1, (PULONG_PTR) SystemCallHandler114, NULL, FALSE }, + + +#if HOOK_SECTION_ZZZ + { "ZwMapViewOfSection", 16, -1, (PULONG_PTR) HookedNtMapViewOfSection, NULL, TRUE }, +#else + { "ZwMapViewOfSection", 16, -1, (PULONG_PTR) SystemCallHandler115, NULL, FALSE }, +#endif + + + { "ZwModifyBootEntry", 15, -1, (PULONG_PTR) SystemCallHandler116, NULL, FALSE }, + { "ZwModifyDriverEntry", 17, -1, (PULONG_PTR) SystemCallHandler117, NULL, FALSE }, + { "ZwNotifyChangeDirectoryFile", 25, -1, (PULONG_PTR) SystemCallHandler118, NULL, FALSE }, + { "ZwNotifyChangeKey", 15, -1, (PULONG_PTR) SystemCallHandler119, NULL, FALSE }, + { "ZwNotifyChangeMultipleKeys", 24, -1, (PULONG_PTR) SystemCallHandler120, NULL, FALSE }, + + +#if HOOK_DIROBJ + { "ZwOpenDirectoryObject", 19, -1, (PULONG_PTR) HookedNtOpenDirectoryObject, NULL, TRUE }, +#else + { "ZwOpenDirectoryObject", 19, -1, (PULONG_PTR) SystemCallHandler121, NULL, FALSE }, +#endif + + +#if HOOK_EVENT + { "ZwOpenEvent", 9, -1, (PULONG_PTR) HookedNtOpenEvent, NULL, TRUE }, + { "ZwOpenEventPair", 13, -1, (PULONG_PTR) HookedNtOpenEventPair, NULL, TRUE }, +#else + { "ZwOpenEvent", 9, -1, (PULONG_PTR) SystemCallHandler122, NULL, FALSE }, + { "ZwOpenEventPair", 13, -1, (PULONG_PTR) SystemCallHandler123, NULL, FALSE }, +#endif + + +#if HOOK_FILE + { "ZwOpenFile", 8, -1, (PULONG_PTR) HookedNtOpenFile, NULL, TRUE }, +#else + { "ZwOpenFile", 8, -1, (PULONG_PTR) SystemCallHandler124, NULL, FALSE }, +#endif + + { "ZwOpenIoCompletion", 16, -1, (PULONG_PTR) SystemCallHandler125, NULL, FALSE }, + + +#if HOOK_JOB + { "ZwOpenJobObject", 13, -1, (PULONG_PTR) HookedNtOpenJobObject, NULL, TRUE }, +#else + { "ZwOpenJobObject", 13, -1, (PULONG_PTR) SystemCallHandler126, NULL, FALSE }, +#endif + + +#if HOOK_REGISTRY + { "ZwOpenKey", 7, -1, (PULONG_PTR) HookedNtOpenKey, NULL, TRUE }, +#else + { "ZwOpenKey", 7, -1, (PULONG_PTR) SystemCallHandler127, NULL, FALSE }, +#endif + + + { "ZwOpenKeyedEvent", 14, -1, (PULONG_PTR) SystemCallHandler128, NULL, FALSE }, + + +#if HOOK_MUTANT + { "ZwOpenMutant", 10, -1, (PULONG_PTR) HookedNtOpenMutant, NULL, TRUE }, +#else + { "ZwOpenMutant", 10, -1, (PULONG_PTR) SystemCallHandler129, NULL, FALSE }, +#endif + + + { "ZwOpenObjectAuditAlarm", 20, -1, (PULONG_PTR) SystemCallHandler130, NULL, FALSE }, + + +#if HOOK_PROCESS + { "ZwOpenProcess", 11, -1, (PULONG_PTR) HookedNtOpenProcess, NULL, TRUE }, +#else + { "ZwOpenProcess", 11, -1, (PULONG_PTR) SystemCallHandler131, NULL, FALSE }, +#endif + + +#if HOOK_TOKEN_ZZZ + { "ZwOpenProcessToken", 16, -1, (PULONG_PTR) HookedNtOpenProcessToken, NULL, TRUE }, + { "ZwOpenProcessTokenEx", 18, -1, (PULONG_PTR) HookedNtOpenProcessTokenEx, NULL, TRUE }, +#else + { "ZwOpenProcessToken", 16, -1, (PULONG_PTR) SystemCallHandler132, NULL, FALSE }, + { "ZwOpenProcessTokenEx", 18, -1, (PULONG_PTR) SystemCallHandler133, NULL, FALSE }, +#endif + + +#if HOOK_SECTION + { "ZwOpenSection", 11, -1, (PULONG_PTR) HookedNtOpenSection, NULL, TRUE }, +#else + { "ZwOpenSection", 11, -1, (PULONG_PTR) SystemCallHandler134, NULL, FALSE }, +#endif + + +#if HOOK_SEMAPHORE + { "ZwOpenSemaphore", 13, -1, (PULONG_PTR) HookedNtOpenSemaphore, NULL, TRUE }, +#else + { "ZwOpenSemaphore", 13, -1, (PULONG_PTR) SystemCallHandler135, NULL, FALSE }, +#endif + + +#if HOOK_SYMLINK_ZZZ + { "ZwOpenSymbolicLinkObject", 22, -1, (PULONG_PTR) HookedNtOpenSymbolicLinkObject, NULL, TRUE }, +#else + { "ZwOpenSymbolicLinkObject", 22, -1, (PULONG_PTR) SystemCallHandler136, NULL, FALSE }, +#endif + + +#if HOOK_PROCESS + { "ZwOpenThread", 10, -1, (PULONG_PTR) HookedNtOpenThread, NULL, TRUE }, +#else + { "ZwOpenThread", 10, -1, (PULONG_PTR) SystemCallHandler137, NULL, FALSE }, +#endif + + +#if HOOK_TOKEN_ZZZ + { "ZwOpenThreadToken", 15, -1, (PULONG_PTR) HookedNtOpenThreadToken, NULL, TRUE }, + { "ZwOpenThreadTokenEx", 17, -1, (PULONG_PTR) HookedNtOpenThreadTokenEx, NULL, TRUE }, +#else + { "ZwOpenThreadToken", 15, -1, (PULONG_PTR) SystemCallHandler138, NULL, FALSE }, + { "ZwOpenThreadTokenEx", 17, -1, (PULONG_PTR) SystemCallHandler139, NULL, FALSE }, +#endif + + +#if HOOK_TIMER + { "ZwOpenTimer", 9, -1, (PULONG_PTR) HookedNtOpenTimer, NULL, TRUE }, +#else + { "ZwOpenTimer", 9, -1, (PULONG_PTR) SystemCallHandler140, NULL, FALSE }, +#endif + + + { "ZwPlugPlayControl", 15, -1, (PULONG_PTR) SystemCallHandler141, NULL, FALSE }, + { "ZwPowerInformation", 16, -1, (PULONG_PTR) SystemCallHandler142, NULL, FALSE }, + { "ZwPrivilegeCheck", 14, -1, (PULONG_PTR) SystemCallHandler143, NULL, FALSE }, + { "ZwPrivilegeObjectAuditAlarm", 25, -1, (PULONG_PTR) SystemCallHandler144, NULL, FALSE }, + { "ZwPrivilegedServiceAuditAlarm", 27, -1, (PULONG_PTR) SystemCallHandler145, NULL, FALSE }, + { "ZwProtectVirtualMemory", 20, -1, (PULONG_PTR) SystemCallHandler146, NULL, FALSE }, + { "ZwPulseEvent", 10, -1, (PULONG_PTR) SystemCallHandler147, NULL, FALSE }, + + +#if HOOK_FILE + { "ZwQueryAttributesFile", 19, -1, (PULONG_PTR) HookedNtQueryAttributesFile, NULL, TRUE }, +#else + { "ZwQueryAttributesFile", 19, -1, (PULONG_PTR) SystemCallHandler148, NULL, FALSE }, +#endif + + + { "ZwQueryBootEntryOrder", 19, -1, (PULONG_PTR) SystemCallHandler149, NULL, FALSE }, + { "ZwQueryBootOptions", 16, -1, (PULONG_PTR) SystemCallHandler150, NULL, FALSE }, + { "ZwQueryDebugFilterState", 21, -1, (PULONG_PTR) SystemCallHandler151, NULL, FALSE }, + { "ZwQueryDefaultLocale", 18, -1, (PULONG_PTR) SystemCallHandler152, NULL, FALSE }, + { "ZwQueryDefaultUILanguage", 22, -1, (PULONG_PTR) SystemCallHandler153, NULL, FALSE }, + + +#if FILE_HOOK_ZZZ + { "ZwQueryDirectoryFile", 18, -1, (PULONG_PTR) HookedNtQueryDirectoryFile, NULL, TRUE }, +#else + { "ZwQueryDirectoryFile", 18, -1, (PULONG_PTR) SystemCallHandler154, NULL, FALSE }, +#endif + + + { "ZwQueryDirectoryObject", 20, -1, (PULONG_PTR) SystemCallHandler155, NULL, FALSE }, + { "ZwQueryDriverEntryOrder", 21, -1, (PULONG_PTR) SystemCallHandler156, NULL, FALSE }, + { "ZwQueryEaFile", 11, -1, (PULONG_PTR) SystemCallHandler157, NULL, FALSE }, + { "ZwQueryEvent", 10, -1, (PULONG_PTR) SystemCallHandler158, NULL, FALSE }, + + +#if HOOK_FILE + { "ZwQueryFullAttributesFile", 23, -1, (PULONG_PTR) HookedNtQueryFullAttributesFile, NULL, TRUE }, +#else + { "ZwQueryFullAttributesFile", 23, -1, (PULONG_PTR) SystemCallHandler159, NULL, FALSE }, +#endif + + + { "ZwQueryInformationAtom", 20, -1, (PULONG_PTR) SystemCallHandler160, NULL, FALSE }, + { "ZwQueryInformationFile", 20, -1, (PULONG_PTR) SystemCallHandler161, NULL, FALSE }, + { "ZwQueryInformationJobObject", 25, -1, (PULONG_PTR) SystemCallHandler162, NULL, FALSE }, + { "ZwQueryInformationPort", 20, -1, (PULONG_PTR) SystemCallHandler163, NULL, FALSE }, + { "ZwQueryInformationProcess", 23, -1, (PULONG_PTR) SystemCallHandler164, NULL, FALSE }, + { "ZwQueryInformationThread", 22, -1, (PULONG_PTR) SystemCallHandler165, NULL, FALSE }, + { "ZwQueryInformationToken", 21, -1, (PULONG_PTR) SystemCallHandler166, NULL, FALSE }, + { "ZwQueryInstallUILanguage", 22, -1, (PULONG_PTR) SystemCallHandler167, NULL, FALSE }, + { "ZwQueryIntervalProfile", 20, -1, (PULONG_PTR) SystemCallHandler168, NULL, FALSE }, + { "ZwQueryIoCompletion", 17, -1, (PULONG_PTR) SystemCallHandler169, NULL, FALSE }, + { "ZwQueryKey", 8, -1, (PULONG_PTR) SystemCallHandler170, NULL, FALSE }, + { "ZwQueryMultipleValueKey", 21, -1, (PULONG_PTR) SystemCallHandler171, NULL, FALSE }, + { "ZwQueryMutant", 11, -1, (PULONG_PTR) SystemCallHandler172, NULL, FALSE }, + { "ZwQueryObject", 11, -1, (PULONG_PTR) SystemCallHandler173, NULL, FALSE }, + { "ZwQueryOpenSubKeys", 16, -1, (PULONG_PTR) SystemCallHandler174, NULL, FALSE }, + { "ZwQueryOpenSubKeysEx", 18, -1, (PULONG_PTR) SystemCallHandler175, NULL, FALSE }, + { "ZwQueryPerformanceCounter", 23, -1, (PULONG_PTR) SystemCallHandler176, NULL, FALSE }, + { "ZwQueryPortInformationProcess", 27, -1, (PULONG_PTR) SystemCallHandler177, NULL, FALSE }, + { "ZwQueryQuotaInformationFile", 25, -1, (PULONG_PTR) SystemCallHandler178, NULL, FALSE }, + { "ZwQuerySection", 12, -1, (PULONG_PTR) SystemCallHandler179, NULL, FALSE }, + { "ZwQuerySecurityObject", 19, -1, (PULONG_PTR) SystemCallHandler180, NULL, FALSE }, + { "ZwQuerySemaphore", 14, -1, (PULONG_PTR) SystemCallHandler181, NULL, FALSE }, + { "ZwQuerySymbolicLinkObject", 23, -1, (PULONG_PTR) SystemCallHandler182, NULL, FALSE }, + { "ZwQuerySystemEnvironmentValue", 27, -1, (PULONG_PTR) SystemCallHandler183, NULL, FALSE }, + { "ZwQuerySystemEnvironmentValueEx", 29, -1, (PULONG_PTR) SystemCallHandler184, NULL, FALSE }, + { "ZwQuerySystemInformation", 22, -1, (PULONG_PTR) SystemCallHandler185, NULL, FALSE }, + { "ZwQuerySystemTime", 15, -1, (PULONG_PTR) SystemCallHandler186, NULL, FALSE }, + { "ZwQueryTimer", 10, -1, (PULONG_PTR) SystemCallHandler187, NULL, FALSE }, + { "ZwQueryTimerResolution", 20, -1, (PULONG_PTR) SystemCallHandler188, NULL, FALSE }, + + +#if HOOK_REGISTRY_ZZZ + { "ZwQueryValueKey", 13, -1, (PULONG_PTR) HookedNtQueryValueKey, NULL, TRUE }, +#else + { "ZwQueryValueKey", 13, -1, (PULONG_PTR) SystemCallHandler189, NULL, FALSE }, +#endif + + + { "ZwQueryVirtualMemory", 18, -1, (PULONG_PTR) SystemCallHandler190, NULL, FALSE }, + { "ZwQueryVolumeInformationFile", 26, -1, (PULONG_PTR) SystemCallHandler191, NULL, FALSE }, + { "ZwQueueApcThread", 14, -1, (PULONG_PTR) SystemCallHandler192, NULL, FALSE }, + + +//XXX should we not mediate these calls? they are only raised during an error and we might +// not encounter them during "learning" phase? can these be abused otherwise? + { "ZwRaiseException", 14, -1, (PULONG_PTR) SystemCallHandler193, NULL, FALSE }, + { "ZwRaiseHardError", 14, -1, (PULONG_PTR) SystemCallHandler194, NULL, FALSE }, + + /* don't mediate for performance reasons, requires a valid handle anyway */ + { "ZwReadFile", 8, -1, NULL, NULL, FALSE }, + { "ZwReadFileScatter", 15, -1, NULL, NULL, FALSE }, + { "ZwReadRequestData", 15, -1, NULL, NULL, FALSE }, + { "ZwReadVirtualMemory", 17, -1, NULL, NULL, FALSE }, + + { "ZwRegisterThreadTerminatePort", 27, -1, (PULONG_PTR) SystemCallHandler199, NULL, FALSE }, + { "ZwReleaseKeyedEvent", 17, -1, (PULONG_PTR) SystemCallHandler200, NULL, FALSE }, + { "ZwReleaseMutant", 13, -1, (PULONG_PTR) SystemCallHandler201, NULL, FALSE }, + { "ZwReleaseSemaphore", 16, -1, (PULONG_PTR) SystemCallHandler202, NULL, FALSE }, + { "ZwRemoveIoCompletion", 18, -1, (PULONG_PTR) SystemCallHandler203, NULL, FALSE }, + { "ZwRemoveProcessDebug", 18, -1, (PULONG_PTR) SystemCallHandler204, NULL, FALSE }, + +//XXX + { "ZwRenameKey", 9, -1, (PULONG_PTR) SystemCallHandler205, NULL, FALSE }, + { "ZwReplaceKey", 10, -1, (PULONG_PTR) SystemCallHandler206, NULL, FALSE }, + + + { "ZwReplyPort", 9, -1, (PULONG_PTR) SystemCallHandler207, NULL, FALSE }, + { "ZwReplyWaitReceivePort", 20, -1, (PULONG_PTR) SystemCallHandler208, NULL, FALSE }, + { "ZwReplyWaitReceivePortEx", 22, -1, (PULONG_PTR) SystemCallHandler209, NULL, FALSE }, + { "ZwReplyWaitReplyPort", 18, -1, (PULONG_PTR) SystemCallHandler210, NULL, FALSE }, + { "ZwRequestDeviceWakeup", 19, -1, (PULONG_PTR) SystemCallHandler211, NULL, FALSE }, + { "ZwRequestPort", 11, -1, (PULONG_PTR) SystemCallHandler212, NULL, FALSE }, + { "ZwRequestWaitReplyPort", 20, -1, (PULONG_PTR) SystemCallHandler213, NULL, FALSE }, + { "ZwRequestWakeupLatency", 20, -1, (PULONG_PTR) SystemCallHandler214, NULL, FALSE }, + { "ZwResetEvent", 10, -1, (PULONG_PTR) SystemCallHandler215, NULL, FALSE }, + { "ZwResetWriteWatch", 15, -1, (PULONG_PTR) SystemCallHandler216, NULL, FALSE }, + { "ZwRestoreKey", 10, -1, (PULONG_PTR) SystemCallHandler217, NULL, FALSE }, + { "ZwResumeProcess", 13, -1, (PULONG_PTR) SystemCallHandler218, NULL, FALSE }, + { "ZwResumeThread", 12, -1, (PULONG_PTR) SystemCallHandler219, NULL, FALSE }, + { "ZwSaveKey", 7, -1, (PULONG_PTR) SystemCallHandler220, NULL, FALSE }, + { "ZwSaveKeyEx", 9, -1, (PULONG_PTR) SystemCallHandler221, NULL, FALSE }, + { "ZwSaveMergedKeys", 14, -1, (PULONG_PTR) SystemCallHandler222, NULL, FALSE }, + + +#if HOOK_PORT + { "ZwSecureConnectPort", 17, -1, (PULONG_PTR) HookedNtSecureConnectPort, NULL, TRUE }, +#else + { "ZwSecureConnectPort", 17, -1, (PULONG_PTR) SystemCallHandler223, NULL, FALSE }, +#endif + + + { "ZwSetBootEntryOrder", 17, -1, (PULONG_PTR) SystemCallHandler224, NULL, FALSE }, + { "ZwSetBootOptions", 14, -1, (PULONG_PTR) SystemCallHandler225, NULL, FALSE }, + +//XXX + { "ZwSetContextThread", 16, -1, (PULONG_PTR) SystemCallHandler226, NULL, FALSE }, + + { "ZwSetDebugFilterState", 19, -1, (PULONG_PTR) SystemCallHandler227, NULL, FALSE }, + { "ZwSetDefaultHardErrorPort", 23, -1, (PULONG_PTR) SystemCallHandler228, NULL, FALSE }, + { "ZwSetDefaultLocale", 16, -1, (PULONG_PTR) SystemCallHandler229, NULL, FALSE }, + { "ZwSetDefaultUILanguage", 20, -1, (PULONG_PTR) SystemCallHandler230, NULL, FALSE }, + { "ZwSetDriverEntryOrder", 19, -1, (PULONG_PTR) SystemCallHandler231, NULL, FALSE }, + { "ZwSetEaFile", 9, -1, (PULONG_PTR) SystemCallHandler232, NULL, FALSE }, + { "ZwSetEvent", 8, -1, (PULONG_PTR) SystemCallHandler233, NULL, FALSE }, + { "ZwSetEventBoostPriority", 21, -1, (PULONG_PTR) SystemCallHandler234, NULL, FALSE }, + { "ZwSetHighEventPair", 16, -1, (PULONG_PTR) SystemCallHandler235, NULL, FALSE }, + { "ZwSetHighWaitLowEventPair", 23, -1, (PULONG_PTR) SystemCallHandler236, NULL, FALSE }, + { "ZwSetInformationDebugObject", 25, -1, (PULONG_PTR) SystemCallHandler237, NULL, FALSE }, + +#if HOOK_FILE + { "ZwSetInformationFile", 18, -1, (PULONG_PTR) HookedNtSetInformationFile, NULL, TRUE }, +#else + { "ZwSetInformationFile", 18, -1, (PULONG_PTR) SystemCallHandler238, NULL, FALSE }, +#endif + + { "ZwSetInformationJobObject", 23, -1, (PULONG_PTR) SystemCallHandler239, NULL, FALSE }, + { "ZwSetInformationKey", 17, -1, (PULONG_PTR) SystemCallHandler240, NULL, FALSE }, + { "ZwSetInformationObject", 20, -1, (PULONG_PTR) SystemCallHandler241, NULL, FALSE }, + { "ZwSetInformationProcess", 21, -1, (PULONG_PTR) SystemCallHandler242, NULL, FALSE }, + { "ZwSetInformationThread", 20, -1, (PULONG_PTR) SystemCallHandler243, NULL, FALSE }, + + +#if HOOK_TOKEN + { "ZwSetInformationToken", 19, -1, (PULONG_PTR) HookedNtSetInformationToken, NULL, TRUE }, +#else + { "ZwSetInformationToken", 19, -1, (PULONG_PTR) SystemCallHandler244, NULL, FALSE }, +#endif + + + { "ZwSetIntervalProfile", 18, -1, (PULONG_PTR) SystemCallHandler245, NULL, FALSE }, + { "ZwSetIoCompletion", 15, -1, (PULONG_PTR) SystemCallHandler246, NULL, FALSE }, + + +#if HOOK_VDM + { "ZwSetLdtEntries", 13, -1, (PULONG_PTR) HookedNtSetLdtEntries, NULL, TRUE }, +#else + { "ZwSetLdtEntries", 13, -1, (PULONG_PTR) SystemCallHandler247, NULL, FALSE }, +#endif + + + { "ZwSetLowEventPair", 15, -1, (PULONG_PTR) SystemCallHandler248, NULL, FALSE }, + { "ZwSetLowWaitHighEventPair", 23, -1, (PULONG_PTR) SystemCallHandler249, NULL, FALSE }, + { "ZwSetQuotaInformationFile", 23, -1, (PULONG_PTR) SystemCallHandler250, NULL, FALSE }, + { "ZwSetSecurityObject", 17, -1, (PULONG_PTR) SystemCallHandler251, NULL, FALSE }, + { "ZwSetSystemEnvironmentValue", 25, -1, (PULONG_PTR) SystemCallHandler252, NULL, FALSE }, // XXX intel hal supports only 1 variable LastKnownGood + { "ZwSetSystemEnvironmentValueEx", 27, -1, (PULONG_PTR) SystemCallHandler253, NULL, FALSE }, + + +#if HOOK_SYSINFO + { "ZwSetSystemInformation", 20, -1, (PULONG_PTR) HookedNtSetSystemInformation, NULL, TRUE }, +#else + { "ZwSetSystemInformation", 20, -1, (PULONG_PTR) SystemCallHandler254, NULL, FALSE }, +#endif + + + { "ZwSetSystemPowerState", 19, -1, (PULONG_PTR) SystemCallHandler255, NULL, FALSE }, + + +#if HOOK_TIME + { "ZwSetSystemTime", 13, -1, (PULONG_PTR) HookedNtSetSystemTime, NULL, TRUE }, +#else + { "ZwSetSystemTime", 13, -1, (PULONG_PTR) SystemCallHandler256, NULL, FALSE }, +#endif + + + { "ZwSetThreadExecutionState", 23, -1, (PULONG_PTR) SystemCallHandler257, NULL, FALSE }, + { "ZwSetTimer", 8, -1, (PULONG_PTR) SystemCallHandler258, NULL, FALSE }, + + +#if 0 //HOOK_TIME + { "ZwSetTimerResolution", 18, -1, (PULONG_PTR) HookedNtSetTimerResolution, NULL, TRUE }, +#else + { "ZwSetTimerResolution", 18, -1, (PULONG_PTR) SystemCallHandler259, NULL, FALSE }, +#endif + + + { "ZwSetUuidSeed", 11, -1, (PULONG_PTR) SystemCallHandler260, NULL, FALSE }, + + +#if HOOK_REGISTRY_ZZZ + { "ZwSetValueKey", 11, -1, (PULONG_PTR) HookedNtSetValueKey, NULL, TRUE }, +#else + { "ZwSetValueKey", 11, -1, (PULONG_PTR) SystemCallHandler261, NULL, FALSE }, +#endif + + + { "ZwSetVolumeInformationFile", 24, -1, (PULONG_PTR) SystemCallHandler262, NULL, FALSE }, + +//XXX + { "ZwShutdownSystem", 14, -1, (PULONG_PTR) SystemCallHandler263, NULL, FALSE }, + + { "ZwSignalAndWaitForSingleObject", 28, -1, (PULONG_PTR) SystemCallHandler264, NULL, FALSE }, + { "ZwStartProfile", 12, -1, (PULONG_PTR) SystemCallHandler265, NULL, FALSE }, + { "ZwStopProfile", 11, -1, (PULONG_PTR) SystemCallHandler266, NULL, FALSE }, + { "ZwSuspendProcess", 14, -1, (PULONG_PTR) SystemCallHandler267, NULL, FALSE }, + { "ZwSuspendThread", 13, -1, (PULONG_PTR) SystemCallHandler268, NULL, FALSE }, + { "ZwSystemDebugControl", 18, -1, (PULONG_PTR) SystemCallHandler269, NULL, FALSE }, + +//XXX + { "ZwTerminateJobObject", 18, -1, (PULONG_PTR) SystemCallHandler270, NULL, FALSE }, + { "ZwTerminateProcess", 16, -1, (PULONG_PTR) SystemCallHandler271, NULL, FALSE }, + { "ZwTerminateThread", 15, -1, (PULONG_PTR) SystemCallHandler272, NULL, FALSE }, + + { "ZwTestAlert", 9, -1, (PULONG_PTR) SystemCallHandler273, NULL, FALSE }, + { "ZwTraceEvent", 10, -1, (PULONG_PTR) SystemCallHandler274, NULL, FALSE }, + { "ZwTranslateFilePath", 17, -1, (PULONG_PTR) SystemCallHandler275, NULL, FALSE }, + + +#if HOOK_DRIVEROBJ_ZZZ + { "ZwUnloadDriver", 12, -1, (PULONG_PTR) HookedNtUnloadDriver, NULL, TRUE }, +#else + { "ZwUnloadDriver", 12, -1, (PULONG_PTR) SystemCallHandler276, NULL, FALSE }, +#endif + + + { "ZwUnloadKey", 9, -1, (PULONG_PTR) SystemCallHandler277, NULL, FALSE }, + { "ZwUnloadKey2", 10, -1, (PULONG_PTR) SystemCallHandler278, NULL, FALSE }, + { "ZwUnloadKeyEx", 11, -1, (PULONG_PTR) SystemCallHandler279, NULL, FALSE }, + { "ZwUnlockFile", 10, -1, (PULONG_PTR) SystemCallHandler280, NULL, FALSE }, + { "ZwUnlockVirtualMemory", 19, -1, (PULONG_PTR) SystemCallHandler281, NULL, FALSE }, + { "ZwUnmapViewOfSection", 18, -1, (PULONG_PTR) SystemCallHandler282, NULL, FALSE }, + + +#if HOOK_VDM + { "ZwVdmControl", 10, -1, (PULONG_PTR) HookedNtVdmControl, NULL, TRUE }, +#else + { "ZwVdmControl", 10, -1, (PULONG_PTR) SystemCallHandler283, NULL, FALSE }, +#endif + + + { "ZwWaitForDebugEvent", 17, -1, (PULONG_PTR) SystemCallHandler284, NULL, FALSE }, + { "ZwWaitForKeyedEvent", 17, -1, (PULONG_PTR) SystemCallHandler285, NULL, FALSE }, + { "ZwWaitForMultipleObjects", 22, -1, (PULONG_PTR) SystemCallHandler286, NULL, FALSE }, + { "ZwWaitForSingleObject", 19, -1, (PULONG_PTR) SystemCallHandler287, NULL, FALSE }, + { "ZwWaitHighEventPair", 17, -1, (PULONG_PTR) SystemCallHandler288, NULL, FALSE }, + { "ZwWaitLowEventPair", 16, -1, (PULONG_PTR) SystemCallHandler289, NULL, FALSE }, + + /* don't mediate for performance reasons, requires a valid handle anyway */ + { "ZwWriteFile", 9, -1, NULL, NULL, FALSE }, + { "ZwWriteFileGather", 15, -1, NULL, NULL, FALSE }, + { "ZwWriteRequestData", 16, -1, NULL, NULL, FALSE }, + { "ZwWriteVirtualMemory", 18, -1, NULL, NULL, FALSE }, + { "ZwYieldExecution", 14, -1, NULL, NULL, FALSE }, +}; + + + +ACTION_TYPE +VerifySystemServiceCall(USHORT SystemServiceNumber) +{ + ACTION_TYPE Action = ACTION_NONE; + PIMAGE_PID_ENTRY p; + PPOLICY_RULE PolicyRule; + + +// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("system call %x %x %s. irql %d", ZwCalls[SystemServiceNumber].OriginalFunction, ZwCalls[SystemServiceNumber].ServiceIDNumber, ZwCalls[SystemServiceNumber].ZwName, KeGetCurrentIrql())); + + + if (KeGetCurrentIrql() != PASSIVE_LEVEL) + return ACTION_NONE; + + + if (LearningMode) + { + AddRule(RULE_SYSCALL, ZwCalls[SystemServiceNumber].ZwName, 0); + return ACTION_NONE; + } + + + /* verify policy and user return address? */ + + p = FindImagePidEntry(CURRENT_PROCESS_PID, 0); + + if (p == NULL) + { + LOG(LOG_SS_PROCESS, LOG_PRIORITY_VERBOSE, ("VerifySystemServiceCall: FindImagePidEntry(%d) failed\n", CURRENT_PROCESS_PID)); + return ACTION_NONE; + } +//XXX p->SecPolicy spinlock is not acquired + PolicyRule = p->SecPolicy.RuleList[ RULE_SYSCALL ]; + if (PolicyRule) + { + /* Calculate the bit array ULONG we need to read (bit array consists of a bunch of ULONGs) */ + ULONG UlongCount = SystemServiceNumber >> UlongBitShift; + + /* Choose the correct bit array ULONG */ + PULONG BitArray = &PolicyRule->ServiceBitArray[0] + UlongCount; + + ULONG BitOffset = SystemServiceNumber - (UlongCount << UlongBitShift); + + /* read the bit */ + Action = *BitArray & ( 1 << BitOffset ) ? ACTION_PERMIT : ACTION_DENY; + + if (Action == ACTION_DENY) + { + LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("denying system call %x %x %s\n", ZwCalls[SystemServiceNumber].OriginalFunction, ZwCalls[SystemServiceNumber].ServiceIDNumber, ZwCalls[SystemServiceNumber].ZwName)); + Action = ACTION_PERMIT; + } + } + + return Action; +} + + +//XXX can we get rid of pushfd / popfd ? +//XXX move to i386.c? +#define SYSCALL_HANDLER(num) \ + __declspec(naked) void SystemCallHandler##num() \ + { \ + _asm pushad \ + _asm { pushfd } \ + if (0 && VerifySystemServiceCall(num) == ACTION_DENY)\ + { \ + _asm popfd \ + _asm popad \ + _asm mov eax, 0xC0000022 /*STATUS_ACCESS_DENIED*/ \ + _asm ret \ + } \ + _asm popfd \ + _asm popad \ + _asm jmp dword ptr [ ZwCalls + num*20 + 12 ] \ +/* _asm jmp ZwCalls[num].OriginalFunction */\ + } + +/* +//XXX can find out dynamically the amount of stack space to clean up by looking at Zw* ret instruction + if (PolicyCheck(RULE_SYSCALL, NULL, 0) == ACTION_DENY) \ + { \ + _asm mov eax, 0xC0000022 \ + _asm ret \ + } \ +*/ + + +SYSCALL_HANDLER(0) SYSCALL_HANDLER(1) SYSCALL_HANDLER(2) SYSCALL_HANDLER(3) SYSCALL_HANDLER(4) +SYSCALL_HANDLER(5) SYSCALL_HANDLER(6) SYSCALL_HANDLER(7) SYSCALL_HANDLER(8) SYSCALL_HANDLER(9) +SYSCALL_HANDLER(10) SYSCALL_HANDLER(11) SYSCALL_HANDLER(12) SYSCALL_HANDLER(13) SYSCALL_HANDLER(14) +SYSCALL_HANDLER(15) SYSCALL_HANDLER(16) SYSCALL_HANDLER(17) SYSCALL_HANDLER(18) SYSCALL_HANDLER(19) +SYSCALL_HANDLER(20) SYSCALL_HANDLER(21) SYSCALL_HANDLER(22) SYSCALL_HANDLER(23) SYSCALL_HANDLER(24) +SYSCALL_HANDLER(25) SYSCALL_HANDLER(26) SYSCALL_HANDLER(27) SYSCALL_HANDLER(28) SYSCALL_HANDLER(29) +SYSCALL_HANDLER(30) SYSCALL_HANDLER(31) SYSCALL_HANDLER(32) SYSCALL_HANDLER(33) SYSCALL_HANDLER(34) +SYSCALL_HANDLER(35) SYSCALL_HANDLER(36) SYSCALL_HANDLER(37) SYSCALL_HANDLER(38) SYSCALL_HANDLER(39) +SYSCALL_HANDLER(40) SYSCALL_HANDLER(41) SYSCALL_HANDLER(42) SYSCALL_HANDLER(43) SYSCALL_HANDLER(44) +SYSCALL_HANDLER(45) SYSCALL_HANDLER(46) SYSCALL_HANDLER(47) SYSCALL_HANDLER(48) SYSCALL_HANDLER(49) +SYSCALL_HANDLER(50) SYSCALL_HANDLER(51) SYSCALL_HANDLER(52) SYSCALL_HANDLER(53) SYSCALL_HANDLER(54) +SYSCALL_HANDLER(55) SYSCALL_HANDLER(56) SYSCALL_HANDLER(57) SYSCALL_HANDLER(58) SYSCALL_HANDLER(59) +SYSCALL_HANDLER(60) SYSCALL_HANDLER(61) SYSCALL_HANDLER(62) SYSCALL_HANDLER(63) SYSCALL_HANDLER(64) +SYSCALL_HANDLER(65) SYSCALL_HANDLER(66) SYSCALL_HANDLER(67) SYSCALL_HANDLER(68) SYSCALL_HANDLER(69) +SYSCALL_HANDLER(70) SYSCALL_HANDLER(71) SYSCALL_HANDLER(72) SYSCALL_HANDLER(73) SYSCALL_HANDLER(74) +SYSCALL_HANDLER(75) SYSCALL_HANDLER(76) SYSCALL_HANDLER(77) SYSCALL_HANDLER(78) SYSCALL_HANDLER(79) +SYSCALL_HANDLER(80) SYSCALL_HANDLER(81) SYSCALL_HANDLER(82) SYSCALL_HANDLER(83) SYSCALL_HANDLER(84) +SYSCALL_HANDLER(85) SYSCALL_HANDLER(86) SYSCALL_HANDLER(87) SYSCALL_HANDLER(88) SYSCALL_HANDLER(89) +SYSCALL_HANDLER(90) SYSCALL_HANDLER(91) SYSCALL_HANDLER(92) SYSCALL_HANDLER(93) SYSCALL_HANDLER(94) +SYSCALL_HANDLER(95) SYSCALL_HANDLER(96) SYSCALL_HANDLER(97) SYSCALL_HANDLER(98) SYSCALL_HANDLER(99) +SYSCALL_HANDLER(100) SYSCALL_HANDLER(101) SYSCALL_HANDLER(102) SYSCALL_HANDLER(103) SYSCALL_HANDLER(104) +SYSCALL_HANDLER(105) SYSCALL_HANDLER(106) SYSCALL_HANDLER(107) SYSCALL_HANDLER(108) SYSCALL_HANDLER(109) +SYSCALL_HANDLER(110) SYSCALL_HANDLER(111) SYSCALL_HANDLER(112) SYSCALL_HANDLER(113) SYSCALL_HANDLER(114) +SYSCALL_HANDLER(115) SYSCALL_HANDLER(116) SYSCALL_HANDLER(117) SYSCALL_HANDLER(118) SYSCALL_HANDLER(119) +SYSCALL_HANDLER(120) SYSCALL_HANDLER(121) SYSCALL_HANDLER(122) SYSCALL_HANDLER(123) SYSCALL_HANDLER(124) +SYSCALL_HANDLER(125) SYSCALL_HANDLER(126) SYSCALL_HANDLER(127) SYSCALL_HANDLER(128) SYSCALL_HANDLER(129) +SYSCALL_HANDLER(130) SYSCALL_HANDLER(131) SYSCALL_HANDLER(132) SYSCALL_HANDLER(133) SYSCALL_HANDLER(134) +SYSCALL_HANDLER(135) SYSCALL_HANDLER(136) SYSCALL_HANDLER(137) SYSCALL_HANDLER(138) SYSCALL_HANDLER(139) +SYSCALL_HANDLER(140) SYSCALL_HANDLER(141) SYSCALL_HANDLER(142) SYSCALL_HANDLER(143) SYSCALL_HANDLER(144) +SYSCALL_HANDLER(145) SYSCALL_HANDLER(146) SYSCALL_HANDLER(147) SYSCALL_HANDLER(148) SYSCALL_HANDLER(149) +SYSCALL_HANDLER(150) SYSCALL_HANDLER(151) SYSCALL_HANDLER(152) SYSCALL_HANDLER(153) SYSCALL_HANDLER(154) +SYSCALL_HANDLER(155) SYSCALL_HANDLER(156) SYSCALL_HANDLER(157) SYSCALL_HANDLER(158) SYSCALL_HANDLER(159) +SYSCALL_HANDLER(160) SYSCALL_HANDLER(161) SYSCALL_HANDLER(162) SYSCALL_HANDLER(163) SYSCALL_HANDLER(164) +SYSCALL_HANDLER(165) SYSCALL_HANDLER(166) SYSCALL_HANDLER(167) SYSCALL_HANDLER(168) SYSCALL_HANDLER(169) +SYSCALL_HANDLER(170) SYSCALL_HANDLER(171) SYSCALL_HANDLER(172) SYSCALL_HANDLER(173) SYSCALL_HANDLER(174) +SYSCALL_HANDLER(175) SYSCALL_HANDLER(176) SYSCALL_HANDLER(177) SYSCALL_HANDLER(178) SYSCALL_HANDLER(179) +SYSCALL_HANDLER(180) SYSCALL_HANDLER(181) SYSCALL_HANDLER(182) SYSCALL_HANDLER(183) SYSCALL_HANDLER(184) +SYSCALL_HANDLER(185) SYSCALL_HANDLER(186) SYSCALL_HANDLER(187) SYSCALL_HANDLER(188) SYSCALL_HANDLER(189) +SYSCALL_HANDLER(190) SYSCALL_HANDLER(191) SYSCALL_HANDLER(192) SYSCALL_HANDLER(193) SYSCALL_HANDLER(194) +SYSCALL_HANDLER(195) SYSCALL_HANDLER(196) SYSCALL_HANDLER(197) SYSCALL_HANDLER(198) SYSCALL_HANDLER(199) +SYSCALL_HANDLER(200) SYSCALL_HANDLER(201) SYSCALL_HANDLER(202) SYSCALL_HANDLER(203) SYSCALL_HANDLER(204) +SYSCALL_HANDLER(205) SYSCALL_HANDLER(206) SYSCALL_HANDLER(207) SYSCALL_HANDLER(208) SYSCALL_HANDLER(209) +SYSCALL_HANDLER(210) SYSCALL_HANDLER(211) SYSCALL_HANDLER(212) SYSCALL_HANDLER(213) SYSCALL_HANDLER(214) +SYSCALL_HANDLER(215) SYSCALL_HANDLER(216) SYSCALL_HANDLER(217) SYSCALL_HANDLER(218) SYSCALL_HANDLER(219) +SYSCALL_HANDLER(220) SYSCALL_HANDLER(221) SYSCALL_HANDLER(222) SYSCALL_HANDLER(223) SYSCALL_HANDLER(224) +SYSCALL_HANDLER(225) SYSCALL_HANDLER(226) SYSCALL_HANDLER(227) SYSCALL_HANDLER(228) SYSCALL_HANDLER(229) +SYSCALL_HANDLER(230) SYSCALL_HANDLER(231) SYSCALL_HANDLER(232) SYSCALL_HANDLER(233) SYSCALL_HANDLER(234) +SYSCALL_HANDLER(235) SYSCALL_HANDLER(236) SYSCALL_HANDLER(237) SYSCALL_HANDLER(238) SYSCALL_HANDLER(239) +SYSCALL_HANDLER(240) SYSCALL_HANDLER(241) SYSCALL_HANDLER(242) SYSCALL_HANDLER(243) SYSCALL_HANDLER(244) +SYSCALL_HANDLER(245) SYSCALL_HANDLER(246) SYSCALL_HANDLER(247) SYSCALL_HANDLER(248) SYSCALL_HANDLER(249) +SYSCALL_HANDLER(250) SYSCALL_HANDLER(251) SYSCALL_HANDLER(252) SYSCALL_HANDLER(253) SYSCALL_HANDLER(254) +SYSCALL_HANDLER(255) SYSCALL_HANDLER(256) SYSCALL_HANDLER(257) SYSCALL_HANDLER(258) SYSCALL_HANDLER(259) +SYSCALL_HANDLER(260) SYSCALL_HANDLER(261) SYSCALL_HANDLER(262) SYSCALL_HANDLER(263) SYSCALL_HANDLER(264) +SYSCALL_HANDLER(265) SYSCALL_HANDLER(266) SYSCALL_HANDLER(267) SYSCALL_HANDLER(268) SYSCALL_HANDLER(269) +SYSCALL_HANDLER(270) SYSCALL_HANDLER(271) SYSCALL_HANDLER(272) SYSCALL_HANDLER(273) SYSCALL_HANDLER(274) +SYSCALL_HANDLER(275) SYSCALL_HANDLER(276) SYSCALL_HANDLER(277) SYSCALL_HANDLER(278) SYSCALL_HANDLER(279) +SYSCALL_HANDLER(280) SYSCALL_HANDLER(281) SYSCALL_HANDLER(282) SYSCALL_HANDLER(283) SYSCALL_HANDLER(284) +SYSCALL_HANDLER(285) SYSCALL_HANDLER(286) SYSCALL_HANDLER(287) SYSCALL_HANDLER(288) SYSCALL_HANDLER(289) +SYSCALL_HANDLER(290) SYSCALL_HANDLER(291) SYSCALL_HANDLER(292) SYSCALL_HANDLER(293) SYSCALL_HANDLER(294) + + + +/* + * InitSyscallsHooks() + * + * Description: + * Find the correct global syscall table indeces for all system calls + * (initialize "OriginalFunction" pointers). Must be called at PASSIVE_LEVEL IRQL + * in order to access pageable memory. + * + * NOTE: Called once during driver initialization (DriverEntry()). + * + * Parameters: + * None. + * + * Returns: + * TRUE to indicate success, FALSE if failed. + */ + +BOOLEAN +InitSyscallsHooks() +{ + int i; + + + ZwCallsNumber = sizeof(ZwCalls) / sizeof(ZwCalls[0]); + + for (i = 0; i < ZwCallsNumber; i++) + { + //XXX this can be optimized to return index directly?! this way when we restore syscalls back we don't have to do the same process again??!?! + ZwCalls[i].ServiceIDNumber = (USHORT) FindZwFunctionIndex(ZwCalls[i].ZwName); + } + + + return TRUE; +} + + + +/* + * InstallSyscallsHooks() + * + * Description: + * Mediate various system services. Called at DISPATCH_LEVEL IRQL. + * + * NOTE: Called once during driver initialization (DriverEntry()). + * + * Parameters: + * None. + * + * Returns: + * TRUE to indicate success, FALSE if failed. + */ + +BOOLEAN +InstallSyscallsHooks() +{ + int i; + + + ZwCallsNumber = sizeof(ZwCalls) / sizeof(ZwCalls[0]); + + for (i = 0; i < ZwCallsNumber; i++) + { + if (ZwCalls[i].HookFunction != NULL && + (HOOK_SYSCALLS || LearningMode || ZwCalls[i].Hijacked == TRUE)) + { + if (ZwCalls[i].ServiceIDNumber != (USHORT) -1) + { + ZwCalls[i].OriginalFunction = HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber, + ZwCalls[i].HookFunction); + ZwCalls[i].Hijacked = TRUE; + } + } + } + + + return TRUE; +} + + + +/* + * RemoveSyscallsHooks() + * + * Description: + * Restores all the original system service function pointers. + * + * NOTE: Called once during driver unload (DriverUnload()). + * + * Parameters: + * None. + * + * Returns: + * Nothing. + */ + +void +RemoveSyscallsHooks() +{ + int i; + + + for (i = 0; i < ZwCallsNumber; i++) + { + // restore hijacked system calls + if (ZwCalls[i].Hijacked == TRUE && ZwCalls[i].OriginalFunction != NULL && ZwCalls[i].ServiceIDNumber != -1) + { +// LOG(LOG_SS_HOOKPROC, LOG_PRIORITY_DEBUG, ("Restoring syscall %d %x\n", i, i)); + + HookSystemServiceByIndex(ZwCalls[i].ServiceIDNumber, ZwCalls[i].OriginalFunction); + } + } +} -- cgit v1.3