inline_syscall
1.0.0
這是一個純標頭庫,它允許您以優化、不可限制且易於使用的方式生成直接的 SYSCALL 指令。
您所要做的就是複製標頭檔,並在使用 INLINE_SYSCALL(function_pointer) 和 INLINE_SYSCALL_T(function_type) macros 之前調用初始化函數 init_syscalls_list 。
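// This header contains the initialization function.
// If you already initialized, inline_syscall.hpp contains all you need.
// (No spaces inside the quotes: the original listing had the path padded with
// blanks, which makes the preprocessor look for a file that does not exist.)
#include "inline_syscall/include/in_memory_init.hpp"

// Needs to be called once at startup before INLINE_SYSCALL is used: it fills in
// the syscall entry list that the macro reads its syscall id from.
jm::init_syscalls_list();

// Usage of the main macro INLINE_SYSCALL. INLINE_SYSCALL(fn) yields a callable
// with fn's signature that issues the syscall instruction directly.
void* allocation = nullptr;
SIZE_T size = 0x1000;
// (HANDLE)-1 is the current-process pseudo-handle.
NTSTATUS status = INLINE_SYSCALL(NtAllocateVirtualMemory)((HANDLE)-1, &allocation, 0, &size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

// The call reports failure only through its NTSTATUS; `allocation` and `size`
// hold nothing usable until the status has been checked.
if (!NT_SUCCESS(status)) {
    // handle the failure here; do not touch `allocation`
}
由於該庫的主要目標之一是要盡可能優化,這是優化構建的輸出。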
; Optimized-build disassembly of the INLINE_SYSCALL example above
; (Intel/MASM syntax as printed by the MSVC debugger, Windows x64 ABI).
; Register roles:
;   r10 = ProcessHandle  (first argument goes in r10, not rcx: the syscall
;                         instruction clobbers rcx and r11)
;   rdx = BaseAddress    r8 = ZeroBits    r9 = RegionSize
;   AllocationType / Protect are passed on the stack; `type` and `protect`
;   are the debugger's symbolic names for those slots, so their rsp offsets
;   are not visible in this listing.
;   eax = syscall id going in; the NTSTATUS result comes back in eax
;         (it is what the C++ line above stores into `status`)
mov qword ptr [ rsp + 30h ], 0 ; void* allocation = nullptr
mov qword ptr [ rsp + 28h ], 1000h ; SIZE_T size = 0x1000;
mov eax , dword ptr [ entry ( 07FF683157004h ) ] ; syscall id is loaded from the entry that init_syscalls_list filled in (address is build-specific)
lea rdx , [ rsp + 30h ] ; BaseAddress = &allocation - taken before the rsp adjustment below, so it still addresses the local afterwards
lea r9 , [ rsp + 28h ] ; RegionSize = &size - same reasoning as rdx
mov r10 , 0FFFFFFFFFFFFFFFFh ; ProcessHandle = -1 (current-process pseudo-handle)
xor r8d , r8d ; ZeroBits = 0
sub rsp , 40h ; preparing stack: 40h bytes, presumably the 32-byte home area plus the two stack argument slots - confirm against the frame layout
mov qword ptr [ type ], 3000h ; AllocationType = MEM_RESERVE | MEM_COMMIT (5th argument, stack slot)
mov qword ptr [ protect ], 4 ; Protect = PAGE_READWRITE (6th argument, stack slot)
syscall ; syscall instruction itself, issued inline rather than via a call
add rsp , 40h ; restoring stack
該庫使您能夠創建自己的自定義初始化例程,這些例程對缺少Syscall或以其他方式獲取Syscall ID更具彈性。
JM_INLINE_SYSCALL_ENTRY_TYPE 可以定義為您自己的 SYSCALL 條目類型,該類型需要能夠由哈希值構建。默認情況下使用 syscall_entry_small ,但也隨附提供了 syscall_entry_full 。
如果要使用提供的INLINE_SYSCALL宏,則需要使用提供的jm::hash函數。
要獲取 SYSCALL 條目的起始位置,您需要調用 jm::syscall_entries() 並迭代,直到遇到為零的條目。