
#include "stdafx.h"
#include "win32k_def.h"
namespace ddk
{
// One row of a hard-coded win32k service table: the service's exported name
// and the number that is loaded into eax before entering KiServiceEntry
// (see Table7601 / build_Table / gen_syscall).
struct WIN32ITEM
{
    PCHAR szName;      // service name, e.g. "NtUserGetThreadState"
    DWORD CallNumber;  // service number for that name on the table's build
};
using PWIN32ITEM = WIN32ITEM *;
// win32k.sys service table for Windows 7 SP1 x64 (build 7601): service name ->
// service number, in table order, contiguous from 4096 (0x1000). build_Table()
// copies it into mmTable on pre-Windows-10 builds, and gen_syscall() hands the
// number unchanged to KiServiceEntry.
//
// NOTE(review): the numbers are specific to this build. On any other build the
// same name maps to a different number, so dispatching a call through this
// table there reaches an unrelated service with the caller's arguments;
// whether a given build may use this table is decided in build_Table().
WIN32ITEM Table7601[] = {
{ "NtUserGetThreadState",4096 },
{ "NtUserPeekMessage",4097 },
{ "NtUserCallOneParam",4098 },
{ "NtUserGetKeyState",4099 },
{ "NtUserInvalidateRect",4100 },
{ "NtUserCallNoParam",4101 },
{ "NtUserGetMessage",4102 },
{ "NtUserMessageCall",4103 },
{ "NtGdiBitBlt",4104 },
{ "NtGdiGetCharSet",4105 },
{ "NtUserGetDC",4106 },
{ "NtGdiSelectBitmap",4107 },
{ "NtUserWaitMessage",4108 },
{ "NtUserTranslateMessage",4109 },
{ "NtUserGetProp",4110 },
{ "NtUserPostMessage",4111 },
{ "NtUserQueryWindow",4112 },
{ "NtUserTranslateAccelerator",4113 },
{ "NtGdiFlush",4114 },
{ "NtUserRedrawWindow",4115 },
{ "NtUserWindowFromPoint",4116 },
{ "NtUserCallMsgFilter",4117 },
{ "NtUserValidateTimerCallback",4118 },
{ "NtUserBeginPaint",4119 },
{ "NtUserSetTimer",4120 },
{ "NtUserEndPaint",4121 },
{ "NtUserSetCursor",4122 },
{ "NtUserKillTimer",4123 },
{ "NtUserBuildHwndList",4124 },
{ "NtUserSelectPalette",4125 },
{ "NtUserCallNextHookEx",4126 },
{ "NtUserHideCaret",4127 },
{ "NtGdiIntersectClipRect",4128 },
{ "NtUserCallHwndLock",4129 },
{ "NtUserGetProcessWindowStation",4130 },
{ "NtGdiDeleteObjectApp",4131 },
{ "NtUserSetWindowPos",4132 },
{ "NtUserShowCaret",4133 },
{ "NtUserEndDeferWindowPosEx",4134 },
{ "NtUserCallHwndParamLock",4135 },
{ "NtUserVkKeyScanEx",4136 },
{ "NtGdiSetDIBitsToDeviceInternal",4137 },
{ "NtUserCallTwoParam",4138 },
{ "NtGdiGetRandomRgn",4139 },
{ "NtUserCopyAcceleratorTable",4140 },
{ "NtUserNotifyWinEvent",4141 },
{ "NtGdiExtSelectClipRgn",4142 },
{ "NtUserIsClipboardFormatAvailable",4143 },
{ "NtUserSetScrollInfo",4144 },
{ "NtGdiStretchBlt",4145 },
{ "NtUserCreateCaret",4146 },
{ "NtGdiRectVisible",4147 },
{ "NtGdiCombineRgn",4148 },
{ "NtGdiGetDCObject",4149 },
{ "NtUserDispatchMessage",4150 },
{ "NtUserRegisterWindowMessage",4151 },
{ "NtGdiExtTextOutW",4152 },
{ "NtGdiSelectFont",4153 },
{ "NtGdiRestoreDC",4154 },
{ "NtGdiSaveDC",4155 },
{ "NtUserGetForegroundWindow",4156 },
{ "NtUserShowScrollBar",4157 },
{ "NtUserFindExistingCursorIcon",4158 },
{ "NtGdiGetDCDword",4159 },
{ "NtGdiGetRegionData",4160 },
{ "NtGdiLineTo",4161 },
{ "NtUserSystemParametersInfo",4162 },
{ "NtGdiGetAppClipBox",4163 },
{ "NtUserGetAsyncKeyState",4164 },
{ "NtUserGetCPD",4165 },
{ "NtUserRemoveProp",4166 },
{ "NtGdiDoPalette",4167 },
{ "NtGdiPolyPolyDraw",4168 },
{ "NtUserSetCapture",4169 },
{ "NtUserEnumDisplayMonitors",4170 },
{ "NtGdiCreateCompatibleBitmap",4171 },
{ "NtUserSetProp",4172 },
{ "NtGdiGetTextCharsetInfo",4173 },
{ "NtUserSBGetParms",4174 },
{ "NtUserGetIconInfo",4175 },
{ "NtUserExcludeUpdateRgn",4176 },
{ "NtUserSetFocus",4177 },
{ "NtGdiExtGetObjectW",4178 },
{ "NtUserDeferWindowPos",4179 },
{ "NtUserGetUpdateRect",4180 },
{ "NtGdiCreateCompatibleDC",4181 },
{ "NtUserGetClipboardSequenceNumber",4182 },
{ "NtGdiCreatePen",4183 },
{ "NtUserShowWindow",4184 },
{ "NtUserGetKeyboardLayoutList",4185 },
{ "NtGdiPatBlt",4186 },
{ "NtUserMapVirtualKeyEx",4187 },
{ "NtUserSetWindowLong",4188 },
{ "NtGdiHfontCreate",4189 },
{ "NtUserMoveWindow",4190 },
{ "NtUserPostThreadMessage",4191 },
{ "NtUserDrawIconEx",4192 },
{ "NtUserGetSystemMenu",4193 },
{ "NtGdiDrawStream",4194 },
{ "NtUserInternalGetWindowText",4195 },
{ "NtUserGetWindowDC",4196 },
{ "NtGdiD3dDrawPrimitives2",4197 },
{ "NtGdiInvertRgn",4198 },
{ "NtGdiGetRgnBox",4199 },
{ "NtGdiGetAndSetDCDword",4200 },
{ "NtGdiMaskBlt",4201 },
{ "NtGdiGetWidthTable",4202 },
{ "NtUserScrollDC",4203 },
{ "NtUserGetObjectInformation",4204 },
{ "NtGdiCreateBitmap",4205 },
{ "NtUserFindWindowEx",4206 },
{ "NtGdiPolyPatBlt",4207 },
{ "NtUserUnhookWindowsHookEx",4208 },
{ "NtGdiGetNearestColor",4209 },
{ "NtGdiTransformPoints",4210 },
{ "NtGdiGetDCPoint",4211 },
{ "NtGdiCreateDIBBrush",4212 },
{ "NtGdiGetTextMetricsW",4213 },
{ "NtUserCreateWindowEx",4214 },
{ "NtUserSetParent",4215 },
{ "NtUserGetKeyboardState",4216 },
{ "NtUserToUnicodeEx",4217 },
{ "NtUserGetControlBrush",4218 },
{ "NtUserGetClassName",4219 },
{ "NtGdiAlphaBlend",4220 },
{ "NtGdiDdBlt",4221 },
{ "NtGdiOffsetRgn",4222 },
{ "NtUserDefSetText",4223 },
{ "NtGdiGetTextFaceW",4224 },
{ "NtGdiStretchDIBitsInternal",4225 },
{ "NtUserSendInput",4226 },
{ "NtUserGetThreadDesktop",4227 },
{ "NtGdiCreateRectRgn",4228 },
{ "NtGdiGetDIBitsInternal",4229 },
{ "NtUserGetUpdateRgn",4230 },
{ "NtGdiDeleteClientObj",4231 },
{ "NtUserGetIconSize",4232 },
{ "NtUserFillWindow",4233 },
{ "NtGdiExtCreateRegion",4234 },
{ "NtGdiComputeXformCoefficients",4235 },
{ "NtUserSetWindowsHookEx",4236 },
{ "NtUserNotifyProcessCreate",4237 },
{ "NtGdiUnrealizeObject",4238 },
{ "NtUserGetTitleBarInfo",4239 },
{ "NtGdiRectangle",4240 },
{ "NtUserSetThreadDesktop",4241 },
{ "NtUserGetDCEx",4242 },
{ "NtUserGetScrollBarInfo",4243 },
{ "NtGdiGetTextExtent",4244 },
{ "NtUserSetWindowFNID",4245 },
{ "NtGdiSetLayout",4246 },
{ "NtUserCalcMenuBar",4247 },
{ "NtUserThunkedMenuItemInfo",4248 },
{ "NtGdiExcludeClipRect",4249 },
{ "NtGdiCreateDIBSection",4250 },
{ "NtGdiGetDCforBitmap",4251 },
{ "NtUserDestroyCursor",4252 },
{ "NtUserDestroyWindow",4253 },
{ "NtUserCallHwndParam",4254 },
{ "NtGdiCreateDIBitmapInternal",4255 },
{ "NtUserOpenWindowStation",4256 },
{ "NtGdiDdDeleteSurfaceObject",4257 },
{ "NtGdiDdCanCreateSurface",4258 },
{ "NtGdiDdCreateSurface",4259 },
{ "NtUserSetCursorIconData",4260 },
{ "NtGdiDdDestroySurface",4261 },
{ "NtUserCloseDesktop",4262 },
{ "NtUserOpenDesktop",4263 },
{ "NtUserSetProcessWindowStation",4264 },
{ "NtUserGetAtomName",4265 },
{ "NtGdiDdResetVisrgn",4266 },
{ "NtGdiExtCreatePen",4267 },
{ "NtGdiCreatePaletteInternal",4268 },
{ "NtGdiSetBrushOrg",4269 },
{ "NtUserBuildNameList",4270 },
{ "NtGdiSetPixel",4271 },
{ "NtUserRegisterClassExWOW",4272 },
{ "NtGdiCreatePatternBrushInternal",4273 },
{ "NtUserGetAncestor",4274 },
{ "NtGdiGetOutlineTextMetricsInternalW",4275 },
{ "NtGdiSetBitmapBits",4276 },
{ "NtUserCloseWindowStation",4277 },
{ "NtUserGetDoubleClickTime",4278 },
{ "NtUserEnableScrollBar",4279 },
{ "NtGdiCreateSolidBrush",4280 },
{ "NtUserGetClassInfoEx",4281 },
{ "NtGdiCreateClientObj",4282 },
{ "NtUserUnregisterClass",4283 },
{ "NtUserDeleteMenu",4284 },
{ "NtGdiRectInRegion",4285 },
{ "NtUserScrollWindowEx",4286 },
{ "NtGdiGetPixel",4287 },
{ "NtUserSetClassLong",4288 },
{ "NtUserGetMenuBarInfo",4289 },
{ "NtGdiDdCreateSurfaceEx",4290 },
{ "NtGdiDdCreateSurfaceObject",4291 },
{ "NtGdiGetNearestPaletteIndex",4292 },
{ "NtGdiDdLockD3D",4293 },
{ "NtGdiDdUnlockD3D",4294 },
{ "NtGdiGetCharWidthW",4295 },
{ "NtUserInvalidateRgn",4296 },
{ "NtUserGetClipboardOwner",4297 },
{ "NtUserSetWindowRgn",4298 },
{ "NtUserBitBltSysBmp",4299 },
{ "NtGdiGetCharWidthInfo",4300 },
{ "NtUserValidateRect",4301 },
{ "NtUserCloseClipboard",4302 },
{ "NtUserOpenClipboard",4303 },
{ "NtGdiGetStockObject",4304 },
{ "NtUserSetClipboardData",4305 },
{ "NtUserEnableMenuItem",4306 },
{ "NtUserAlterWindowStyle",4307 },
{ "NtGdiFillRgn",4308 },
{ "NtUserGetWindowPlacement",4309 },
{ "NtGdiModifyWorldTransform",4310 },
{ "NtGdiGetFontData",4311 },
{ "NtUserGetOpenClipboardWindow",4312 },
{ "NtUserSetThreadState",4313 },
{ "NtGdiOpenDCW",4314 },
{ "NtUserTrackMouseEvent",4315 },
{ "NtGdiGetTransform",4316 },
{ "NtUserDestroyMenu",4317 },
{ "NtGdiGetBitmapBits",4318 },
{ "NtUserConsoleControl",4319 },
{ "NtUserSetActiveWindow",4320 },
{ "NtUserSetInformationThread",4321 },
{ "NtUserSetWindowPlacement",4322 },
{ "NtUserGetControlColor",4323 },
{ "NtGdiSetMetaRgn",4324 },
{ "NtGdiSetMiterLimit",4325 },
{ "NtGdiSetVirtualResolution",4326 },
{ "NtGdiGetRasterizerCaps",4327 },
{ "NtUserSetWindowWord",4328 },
{ "NtUserGetClipboardFormatName",4329 },
{ "NtUserRealInternalGetMessage",4330 },
{ "NtUserCreateLocalMemHandle",4331 },
{ "NtUserAttachThreadInput",4332 },
{ "NtGdiCreateHalftonePalette",4333 },
{ "NtUserPaintMenuBar",4334 },
{ "NtUserSetKeyboardState",4335 },
{ "NtGdiCombineTransform",4336 },
{ "NtUserCreateAcceleratorTable",4337 },
{ "NtUserGetCursorFrameInfo",4338 },
{ "NtUserGetAltTabInfo",4339 },
{ "NtUserGetCaretBlinkTime",4340 },
{ "NtGdiQueryFontAssocInfo",4341 },
{ "NtUserProcessConnect",4342 },
{ "NtUserEnumDisplayDevices",4343 },
{ "NtUserEmptyClipboard",4344 },
{ "NtUserGetClipboardData",4345 },
{ "NtUserRemoveMenu",4346 },
{ "NtGdiSetBoundsRect",4347 },
{ "NtGdiGetBitmapDimension",4348 },
{ "NtUserConvertMemHandle",4349 },
{ "NtUserDestroyAcceleratorTable",4350 },
{ "NtUserGetGUIThreadInfo",4351 },
{ "NtGdiCloseFigure",4352 },
{ "NtUserSetWindowsHookAW",4353 },
{ "NtUserSetMenuDefaultItem",4354 },
{ "NtUserCheckMenuItem",4355 },
{ "NtUserSetWinEventHook",4356 },
{ "NtUserUnhookWinEvent",4357 },
{ "NtUserLockWindowUpdate",4358 },
{ "NtUserSetSystemMenu",4359 },
{ "NtUserThunkedMenuInfo",4360 },
{ "NtGdiBeginPath",4361 },
{ "NtGdiEndPath",4362 },
{ "NtGdiFillPath",4363 },
{ "NtUserCallHwnd",4364 },
{ "NtUserDdeInitialize",4365 },
{ "NtUserModifyUserStartupInfoFlags",4366 },
{ "NtUserCountClipboardFormats",4367 },
{ "NtGdiAddFontMemResourceEx",4368 },
{ "NtGdiEqualRgn",4369 },
{ "NtGdiGetSystemPaletteUse",4370 },
{ "NtGdiRemoveFontMemResourceEx",4371 },
{ "NtUserEnumDisplaySettings",4372 },
{ "NtUserPaintDesktop",4373 },
{ "NtGdiExtEscape",4374 },
{ "NtGdiSetBitmapDimension",4375 },
{ "NtGdiSetFontEnumeration",4376 },
{ "NtUserChangeClipboardChain",4377 },
{ "NtUserSetClipboardViewer",4378 },
{ "NtUserShowWindowAsync",4379 },
{ "NtGdiCreateColorSpace",4380 },
{ "NtGdiDeleteColorSpace",4381 },
{ "NtUserActivateKeyboardLayout",4382 },
{ "NtGdiAbortDoc",4383 },
{ "NtGdiAbortPath",4384 },
{ "NtGdiAddEmbFontToDC",4385 },
{ "NtGdiAddFontResourceW",4386 },
{ "NtGdiAddRemoteFontToDC",4387 },
{ "NtGdiAddRemoteMMInstanceToDC",4388 },
{ "NtGdiAngleArc",4389 },
{ "NtGdiAnyLinkedFonts",4390 },
{ "NtGdiArcInternal",4391 },
{ "NtGdiBRUSHOBJ_DeleteRbrush",4392 },
{ "NtGdiBRUSHOBJ_hGetColorTransform",4393 },
{ "NtGdiBRUSHOBJ_pvAllocRbrush",4394 },
{ "NtGdiBRUSHOBJ_pvGetRbrush",4395 },
{ "NtGdiBRUSHOBJ_ulGetBrushColor",4396 },
{ "NtGdiBeginGdiRendering",4397 },
{ "NtGdiCLIPOBJ_bEnum",4398 },
{ "NtGdiCLIPOBJ_cEnumStart",4399 },
{ "NtGdiCLIPOBJ_ppoGetPath",4400 },
{ "NtGdiCancelDC",4401 },
{ "NtGdiChangeGhostFont",4402 },
{ "NtGdiCheckBitmapBits",4403 },
{ "NtGdiClearBitmapAttributes",4404 },
{ "NtGdiUnloadPrinterDriver",4405 },
{ "NtGdiColorCorrectPalette",4406 },
{ "NtGdiConfigureOPMProtectedOutput",4407 },
{ "NtGdiConvertMetafileRect",4408 },
{ "NtGdiCreateBitmapFromDxSurface",4409 },
{ "NtGdiCreateColorTransform",4410 },
{ "NtGdiCreateEllipticRgn",4411 },
{ "NtGdiCreateHatchBrushInternal",4412 },
{ "NtGdiCreateMetafileDC",4413 },
{ "NtGdiCreateOPMProtectedOutputs",4414 },
{ "NtGdiCreateRoundRectRgn",4415 },
{ "NtGdiCreateServerMetaFile",4416 },
{ "NtGdiD3dContextCreate",4417 },
{ "NtGdiD3dContextDestroy",4418 },
{ "NtGdiD3dContextDestroyAll",4419 },
{ "NtGdiD3dValidateTextureStageState",4420 },
{ "NtGdiDDCCIGetCapabilitiesString",4421 },
{ "NtGdiDDCCIGetCapabilitiesStringLength",4422 },
{ "NtGdiDDCCIGetTimingReport",4423 },
{ "NtGdiDDCCIGetVCPFeature",4424 },
{ "NtGdiDDCCISaveCurrentSettings",4425 },
{ "NtGdiDDCCISetVCPFeature",4426 },
{ "NtGdiDdAddAttachedSurface",4427 },
{ "NtGdiDdAlphaBlt",4428 },
{ "NtGdiDdAttachSurface",4429 },
{ "NtGdiDdBeginMoCompFrame",4430 },
{ "NtGdiDdCanCreateD3DBuffer",4431 },
{ "NtGdiDdColorControl",4432 },
{ "NtGdiDdCreateD3DBuffer",4433 },
{ "NtGdiDdCreateDirectDrawObject",4434 },
{ "NtGdiDdCreateFullscreenSprite",4435 },
{ "NtGdiDdCreateMoComp",4436 },
{ "NtGdiDdDDIAcquireKeyedMutex",4437 },
{ "NtGdiDdDDICheckExclusiveOwnership",4438 },
{ "NtGdiDdDDICheckMonitorPowerState",4439 },
{ "NtGdiDdDDICheckOcclusion",4440 },
{ "NtGdiDdDDICheckSharedResourceAccess",4441 },
{ "NtGdiDdDDICheckVidPnExclusiveOwnership",4442 },
{ "NtGdiDdDDICloseAdapter",4443 },
{ "NtGdiDdDDIConfigureSharedResource",4444 },
{ "NtGdiDdDDICreateAllocation",4445 },
{ "NtGdiDdDDICreateContext",4446 },
{ "NtGdiDdDDICreateDCFromMemory",4447 },
{ "NtGdiDdDDICreateDevice",4448 },
{ "NtGdiDdDDICreateKeyedMutex",4449 },
{ "NtGdiDdDDICreateOverlay",4450 },
{ "NtGdiDdDDICreateSynchronizationObject",4451 },
{ "NtGdiDdDDIDestroyAllocation",4452 },
{ "NtGdiDdDDIDestroyContext",4453 },
{ "NtGdiDdDDIDestroyDCFromMemory",4454 },
{ "NtGdiDdDDIDestroyDevice",4455 },
{ "NtGdiDdDDIDestroyKeyedMutex",4456 },
{ "NtGdiDdDDIDestroyOverlay",4457 },
{ "NtGdiDdDDIDestroySynchronizationObject",4458 },
{ "NtGdiDdDDIEscape",4459 },
{ "NtGdiDdDDIFlipOverlay",4460 },
{ "NtGdiDdDDIGetContextSchedulingPriority",4461 },
{ "NtGdiDdDDIGetDeviceState",4462 },
{ "NtGdiDdDDIGetDisplayModeList",4463 },
{ "NtGdiDdDDIGetMultisampleMethodList",4464 },
{ "NtGdiDdDDIGetOverlayState",4465 },
{ "NtGdiDdDDIGetPresentHistory",4466 },
{ "NtGdiDdDDIGetPresentQueueEvent",4467 },
{ "NtGdiDdDDIGetProcessSchedulingPriorityClass",4468 },
{ "NtGdiDdDDIGetRuntimeData",4469 },
{ "NtGdiDdDDIGetScanLine",4470 },
{ "NtGdiDdDDIGetSharedPrimaryHandle",4471 },
{ "NtGdiDdDDIInvalidateActiveVidPn",4472 },
{ "NtGdiDdDDILock",4473 },
{ "NtGdiDdDDIOpenAdapterFromDeviceName",4474 },
{ "NtGdiDdDDIOpenAdapterFromHdc",4475 },
{ "NtGdiDdDDIOpenKeyedMutex",4476 },
{ "NtGdiDdDDIOpenResource",4477 },
{ "NtGdiDdDDIOpenSynchronizationObject",4478 },
{ "NtGdiDdDDIPollDisplayChildren",4479 },
{ "NtGdiDdDDIPresent",4480 },
{ "NtGdiDdDDIQueryAdapterInfo",4481 },
{ "NtGdiDdDDIQueryAllocationResidency",4482 },
{ "NtGdiDdDDIQueryResourceInfo",4483 },
{ "NtGdiDdDDIQueryStatistics",4484 },
{ "NtGdiDdDDIReleaseKeyedMutex",4485 },
{ "NtGdiDdDDIReleaseProcessVidPnSourceOwners",4486 },
{ "NtGdiDdDDIRender",4487 },
{ "NtGdiDdDDISetAllocationPriority",4488 },
{ "NtGdiDdDDISetContextSchedulingPriority",4489 },
{ "NtGdiDdDDISetDisplayMode",4490 },
{ "NtGdiDdDDISetDisplayPrivateDriverFormat",4491 },
{ "NtGdiDdDDISetGammaRamp",4492 },
{ "NtGdiDdDDISetProcessSchedulingPriorityClass",4493 },
{ "NtGdiDdDDISetQueuedLimit",4494 },
{ "NtGdiDdDDISetVidPnSourceOwner",4495 },
{ "NtGdiDdDDISharedPrimaryLockNotification",4496 },
{ "NtGdiDdDDISharedPrimaryUnLockNotification",4497 },
{ "NtGdiDdDDISignalSynchronizationObject",4498 },
{ "NtGdiDdDDIUnlock",4499 },
{ "NtGdiDdDDIUpdateOverlay",4500 },
{ "NtGdiDdDDIWaitForIdle",4501 },
{ "NtGdiDdDDIWaitForSynchronizationObject",4502 },
{ "NtGdiDdDDIWaitForVerticalBlankEvent",4503 },
{ "NtGdiDdDeleteDirectDrawObject",4504 },
{ "NtGdiDdDestroyD3DBuffer",4505 },
{ "NtGdiDdDestroyFullscreenSprite",4506 },
{ "NtGdiDdDestroyMoComp",4507 },
{ "NtGdiDdEndMoCompFrame",4508 },
{ "NtGdiDdFlip",4509 },
{ "NtGdiDdFlipToGDISurface",4510 },
{ "NtGdiDdGetAvailDriverMemory",4511 },
{ "NtGdiDdGetBltStatus",4512 },
{ "NtGdiDdGetDC",4513 },
{ "NtGdiDdGetDriverInfo",4514 },
{ "NtGdiDdGetDriverState",4515 },
{ "NtGdiDdGetDxHandle",4516 },
{ "NtGdiDdGetFlipStatus",4517 },
{ "NtGdiDdGetInternalMoCompInfo",4518 },
{ "NtGdiDdGetMoCompBuffInfo",4519 },
{ "NtGdiDdGetMoCompFormats",4520 },
{ "NtGdiDdGetMoCompGuids",4521 },
{ "NtGdiDdGetScanLine",4522 },
{ "NtGdiDdLock",4523 },
{ "NtGdiDdNotifyFullscreenSpriteUpdate",4524 },
{ "NtGdiDdQueryDirectDrawObject",4525 },
{ "NtGdiDdQueryMoCompStatus",4526 },
{ "NtGdiDdQueryVisRgnUniqueness",4527 },
{ "NtGdiDdReenableDirectDrawObject",4528 },
{ "NtGdiDdReleaseDC",4529 },
{ "NtGdiDdRenderMoComp",4530 },
{ "NtGdiDdSetColorKey",4531 },
{ "NtGdiDdSetExclusiveMode",4532 },
{ "NtGdiDdSetGammaRamp",4533 },
{ "NtGdiDdSetOverlayPosition",4534 },
{ "NtGdiDdUnattachSurface",4535 },
{ "NtGdiDdUnlock",4536 },
{ "NtGdiDdUpdateOverlay",4537 },
{ "NtGdiDdWaitForVerticalBlank",4538 },
{ "NtGdiDeleteColorTransform",4539 },
{ "NtGdiDescribePixelFormat",4540 },
{ "NtGdiDestroyOPMProtectedOutput",4541 },
{ "NtGdiDestroyPhysicalMonitor",4542 },
{ "NtGdiDoBanding",4543 },
{ "NtGdiDrawEscape",4544 },
{ "NtGdiDvpAcquireNotification",4545 },
{ "NtGdiDvpCanCreateVideoPort",4546 },
{ "NtGdiDvpColorControl",4547 },
{ "NtGdiDvpCreateVideoPort",4548 },
{ "NtGdiDvpDestroyVideoPort",4549 },
{ "NtGdiDvpFlipVideoPort",4550 },
{ "NtGdiDvpGetVideoPortBandwidth",4551 },
{ "NtGdiDvpGetVideoPortConnectInfo",4552 },
{ "NtGdiDvpGetVideoPortField",4553 },
{ "NtGdiDvpGetVideoPortFlipStatus",4554 },
{ "NtGdiDvpGetVideoPortInputFormats",4555 },
{ "NtGdiDvpGetVideoPortLine",4556 },
{ "NtGdiDvpGetVideoPortOutputFormats",4557 },
{ "NtGdiDvpGetVideoSignalStatus",4558 },
{ "NtGdiDvpReleaseNotification",4559 },
{ "NtGdiDvpUpdateVideoPort",4560 },
{ "NtGdiDvpWaitForVideoPortSync",4561 },
{ "NtGdiDxgGenericThunk",4562 },
{ "NtGdiEllipse",4563 },
{ "NtGdiEnableEudc",4564 },
{ "NtGdiEndDoc",4565 },
{ "NtGdiEndGdiRendering",4566 },
{ "NtGdiEndPage",4567 },
{ "NtGdiEngAlphaBlend",4568 },
{ "NtGdiEngAssociateSurface",4569 },
{ "NtGdiEngBitBlt",4570 },
{ "NtGdiEngCheckAbort",4571 },
{ "NtGdiEngComputeGlyphSet",4572 },
{ "NtGdiEngCopyBits",4573 },
{ "NtGdiEngCreateBitmap",4574 },
{ "NtGdiEngCreateClip",4575 },
{ "NtGdiEngCreateDeviceBitmap",4576 },
{ "NtGdiEngCreateDeviceSurface",4577 },
{ "NtGdiEngCreatePalette",4578 },
{ "NtGdiEngDeleteClip",4579 },
{ "NtGdiEngDeletePalette",4580 },
{ "NtGdiEngDeletePath",4581 },
{ "NtGdiEngDeleteSurface",4582 },
{ "NtGdiEngEraseSurface",4583 },
{ "NtGdiEngFillPath",4584 },
{ "NtGdiEngGradientFill",4585 },
{ "NtGdiEngLineTo",4586 },
{ "NtGdiEngLockSurface",4587 },
{ "NtGdiEngMarkBandingSurface",4588 },
{ "NtGdiEngPaint",4589 },
{ "NtGdiEngPlgBlt",4590 },
{ "NtGdiEngStretchBlt",4591 },
{ "NtGdiEngStretchBltROP",4592 },
{ "NtGdiEngStrokeAndFillPath",4593 },
{ "NtGdiEngStrokePath",4594 },
{ "NtGdiEngTextOut",4595 },
{ "NtGdiEngTransparentBlt",4596 },
{ "NtGdiEngUnlockSurface",4597 },
{ "NtGdiEnumFonts",4598 },
{ "NtGdiEnumObjects",4599 },
{ "NtGdiEudcLoadUnloadLink",4600 },
{ "NtGdiExtFloodFill",4601 },
{ "NtGdiFONTOBJ_cGetAllGlyphHandles",4602 },
{ "NtGdiFONTOBJ_cGetGlyphs",4603 },
{ "NtGdiFONTOBJ_pQueryGlyphAttrs",4604 },
{ "NtGdiFONTOBJ_pfdg",4605 },
{ "NtGdiFONTOBJ_pifi",4606 },
{ "NtGdiFONTOBJ_pvTrueTypeFontFile",4607 },
{ "NtGdiFONTOBJ_pxoGetXform",4608 },
{ "NtGdiFONTOBJ_vGetInfo",4609 },
{ "NtGdiFlattenPath",4610 },
{ "NtGdiFontIsLinked",4611 },
{ "NtGdiForceUFIMapping",4612 },
{ "NtGdiFrameRgn",4613 },
{ "NtGdiFullscreenControl",4614 },
{ "NtGdiGetBoundsRect",4615 },
{ "NtGdiGetCOPPCompatibleOPMInformation",4616 },
{ "NtGdiGetCertificate",4617 },
{ "NtGdiGetCertificateSize",4618 },
{ "NtGdiGetCharABCWidthsW",4619 },
{ "NtGdiGetCharacterPlacementW",4620 },
{ "NtGdiGetColorAdjustment",4621 },
{ "NtGdiGetColorSpaceforBitmap",4622 },
{ "NtGdiGetDeviceCaps",4623 },
{ "NtGdiGetDeviceCapsAll",4624 },
{ "NtGdiGetDeviceGammaRamp",4625 },
{ "NtGdiGetDeviceWidth",4626 },
{ "NtGdiGetDhpdev",4627 },
{ "NtGdiGetETM",4628 },
{ "NtGdiGetEmbUFI",4629 },
{ "NtGdiGetEmbedFonts",4630 },
{ "NtGdiGetEudcTimeStampEx",4631 },
{ "NtGdiGetFontFileData",4632 },
{ "NtGdiGetFontFileInfo",4633 },
{ "NtGdiGetFontResourceInfoInternalW",4634 },
{ "NtGdiGetFontUnicodeRanges",4635 },
{ "NtGdiGetGlyphIndicesW",4636 },
{ "NtGdiGetGlyphIndicesWInternal",4637 },
{ "NtGdiGetGlyphOutline",4638 },
{ "NtGdiGetKerningPairs",4639 },
{ "NtGdiGetLinkedUFIs",4640 },
{ "NtGdiGetMiterLimit",4641 },
{ "NtGdiGetMonitorID",4642 },
{ "NtGdiGetNumberOfPhysicalMonitors",4643 },
{ "NtGdiGetOPMInformation",4644 },
{ "NtGdiGetOPMRandomNumber",4645 },
{ "NtGdiGetObjectBitmapHandle",4646 },
{ "NtGdiGetPath",4647 },
{ "NtGdiGetPerBandInfo",4648 },
{ "NtGdiGetPhysicalMonitorDescription",4649 },
{ "NtGdiGetPhysicalMonitors",4650 },
{ "NtGdiGetRealizationInfo",4651 },
{ "NtGdiGetServerMetaFileBits",4652 },
{ "NtGdiSetBrushAttributes",4653 },
{ "NtGdiGetStats",4654 },
{ "NtGdiGetStringBitmapW",4655 },
{ "NtGdiGetSuggestedOPMProtectedOutputArraySize",4656 },
{ "NtGdiGetTextExtentExW",4657 },
{ "NtGdiGetUFI",4658 },
{ "NtGdiGetUFIPathname",4659 },
{ "NtGdiGradientFill",4660 },
{ "NtGdiHLSurfGetInformation",4661 },
{ "NtGdiHLSurfSetInformation",4662 },
{ "NtGdiHT_Get8BPPFormatPalette",4663 },
{ "NtGdiHT_Get8BPPMaskPalette",4664 },
{ "NtGdiIcmBrushInfo",4665 },
{ "NtGdiUnmapMemFont",4666 },
{ "NtGdiInitSpool",4667 },
{ "NtGdiMakeFontDir",4668 },
{ "NtGdiMakeInfoDC",4669 },
{ "NtGdiMakeObjectUnXferable",4670 },
{ "NtGdiMakeObjectXferable",4671 },
{ "NtGdiMirrorWindowOrg",4672 },
{ "NtGdiMonoBitmap",4673 },
{ "NtGdiMoveTo",4674 },
{ "NtGdiOffsetClipRgn",4675 },
{ "NtGdiPATHOBJ_bEnum",4676 },
{ "NtGdiPATHOBJ_bEnumClipLines",4677 },
{ "NtGdiPATHOBJ_vEnumStart",4678 },
{ "NtGdiPATHOBJ_vEnumStartClipLines",4679 },
{ "NtGdiPATHOBJ_vGetBounds",4680 },
{ "NtGdiPathToRegion",4681 },
{ "NtGdiPlgBlt",4682 },
{ "NtGdiPolyDraw",4683 },
{ "NtGdiPolyTextOutW",4684 },
{ "NtGdiPtInRegion",4685 },
{ "NtGdiPtVisible",4686 },
{ "NtGdiQueryFonts",4687 },
{ "NtGdiRemoveFontResourceW",4688 },
{ "NtGdiRemoveMergeFont",4689 },
{ "NtGdiResetDC",4690 },
{ "NtGdiResizePalette",4691 },
{ "NtGdiRoundRect",4692 },
{ "NtGdiSTROBJ_bEnum",4693 },
{ "NtGdiSTROBJ_bEnumPositionsOnly",4694 },
{ "NtGdiSTROBJ_bGetAdvanceWidths",4695 },
{ "NtGdiSTROBJ_dwGetCodePage",4696 },
{ "NtGdiSTROBJ_vEnumStart",4697 },
{ "NtGdiScaleViewportExtEx",4698 },
{ "NtGdiScaleWindowExtEx",4699 },
{ "NtGdiSelectBrush",4700 },
{ "NtGdiSelectClipPath",4701 },
{ "NtGdiSelectPen",4702 },
{ "NtGdiSetBitmapAttributes",4703 },
{ "NtGdiGetSpoolMessage",4704 },
{ "NtGdiSetColorAdjustment",4705 },
{ "NtGdiSetColorSpace",4706 },
{ "NtGdiSetDeviceGammaRamp",4707 },
{ "NtGdiSetFontXform",4708 },
{ "NtGdiSetIcmMode",4709 },
{ "NtGdiSetLinkedUFIs",4710 },
{ "NtGdiSetMagicColors",4711 },
{ "NtGdiSetOPMSigningKeyAndSequenceNumbers",4712 },
{ "NtGdiSetPUMPDOBJ",4713 },
{ "NtGdiSetPixelFormat",4714 },
{ "NtGdiSetRectRgn",4715 },
{ "NtGdiSetSizeDevice",4716 },
{ "NtGdiSetSystemPaletteUse",4717 },
{ "NtGdiSetTextJustification",4718 },
{ "NtGdiSfmGetNotificationTokens",4719 },
{ "NtGdiStartDoc",4720 },
{ "NtGdiStartPage",4721 },
{ "NtGdiStrokeAndFillPath",4722 },
{ "NtGdiStrokePath",4723 },
{ "NtGdiSwapBuffers",4724 },
{ "NtGdiTransparentBlt",4725 },
{ "NtGdiUMPDEngFreeUserMem",4726 },
{ "NtGdiClearBrushAttributes",4727 },
{ "NtGdiInit",4728 },
{ "NtGdiUpdateColors",4729 },
{ "NtGdiUpdateTransform",4730 },
{ "NtGdiWidenPath",4731 },
{ "NtGdiXFORMOBJ_bApplyXform",4732 },
{ "NtGdiXFORMOBJ_iGetXform",4733 },
{ "NtGdiXLATEOBJ_cGetPalette",4734 },
{ "NtGdiXLATEOBJ_hGetColorTransform",4735 },
{ "NtGdiXLATEOBJ_iXlate",4736 },
{ "NtUserAddClipboardFormatListener",4737 },
{ "NtUserAssociateInputContext",4738 },
{ "NtUserBlockInput",4739 },
{ "NtUserBuildHimcList",4740 },
{ "NtUserBuildPropList",4741 },
{ "NtUserCalculatePopupWindowPosition",4742 },
{ "NtUserCallHwndOpt",4743 },
{ "NtUserChangeDisplaySettings",4744 },
{ "NtUserChangeWindowMessageFilterEx",4745 },
{ "NtUserCheckAccessForIntegrityLevel",4746 },
{ "NtUserCheckDesktopByThreadId",4747 },
{ "NtUserCheckWindowThreadDesktop",4748 },
{ "NtUserChildWindowFromPointEx",4749 },
{ "NtUserClipCursor",4750 },
{ "NtUserCreateDesktopEx",4751 },
{ "NtUserCreateInputContext",4752 },
{ "NtUserCreateWindowStation",4753 },
{ "NtUserCtxDisplayIOCtl",4754 },
{ "NtUserDestroyInputContext",4755 },
{ "NtUserDisableThreadIme",4756 },
{ "NtUserDisplayConfigGetDeviceInfo",4757 },
{ "NtUserDisplayConfigSetDeviceInfo",4758 },
{ "NtUserDoSoundConnect",4759 },
{ "NtUserDoSoundDisconnect",4760 },
{ "NtUserDragDetect",4761 },
{ "NtUserDragObject",4762 },
{ "NtUserDrawAnimatedRects",4763 },
{ "NtUserDrawCaption",4764 },
{ "NtUserDrawCaptionTemp",4765 },
{ "NtUserDrawMenuBarTemp",4766 },
{ "NtUserDwmStartRedirection",4767 },
{ "NtUserDwmStopRedirection",4768 },
{ "NtUserEndMenu",4769 },
{ "NtUserEndTouchOperation",4770 },
{ "NtUserEvent",4771 },
{ "NtUserFlashWindowEx",4772 },
{ "NtUserFrostCrashedWindow",4773 },
{ "NtUserGetAppImeLevel",4774 },
{ "NtUserGetCaretPos",4775 },
{ "NtUserGetClipCursor",4776 },
{ "NtUserGetClipboardViewer",4777 },
{ "NtUserGetComboBoxInfo",4778 },
{ "NtUserGetCursorInfo",4779 },
{ "NtUserGetDisplayConfigBufferSizes",4780 },
{ "NtUserGetGestureConfig",4781 },
{ "NtUserGetGestureExtArgs",4782 },
{ "NtUserGetGestureInfo",4783 },
{ "NtUserGetGuiResources",4784 },
{ "NtUserGetImeHotKey",4785 },
{ "NtUserGetImeInfoEx",4786 },
{ "NtUserGetInputLocaleInfo",4787 },
{ "NtUserGetInternalWindowPos",4788 },
{ "NtUserGetKeyNameText",4789 },
{ "NtUserGetKeyboardLayoutName",4790 },
{ "NtUserGetLayeredWindowAttributes",4791 },
{ "NtUserGetListBoxInfo",4792 },
{ "NtUserGetMenuIndex",4793 },
{ "NtUserGetMenuItemRect",4794 },
{ "NtUserGetMouseMovePointsEx",4795 },
{ "NtUserGetPriorityClipboardFormat",4796 },
{ "NtUserGetRawInputBuffer",4797 },
{ "NtUserGetRawInputData",4798 },
{ "NtUserGetRawInputDeviceInfo",4799 },
{ "NtUserGetRawInputDeviceList",4800 },
{ "NtUserGetRegisteredRawInputDevices",4801 },
{ "NtUserGetTopLevelWindow",4802 },
{ "NtUserGetTouchInputInfo",4803 },
{ "NtUserGetUpdatedClipboardFormats",4804 },
{ "NtUserGetWOWClass",4805 },
{ "NtUserGetWindowCompositionAttribute",4806 },
{ "NtUserGetWindowCompositionInfo",4807 },
{ "NtUserGetWindowDisplayAffinity",4808 },
{ "NtUserGetWindowMinimizeRect",4809 },
{ "NtUserGetWindowRgnEx",4810 },
{ "NtUserGhostWindowFromHungWindow",4811 },
{ "NtUserHardErrorControl",4812 },
{ "NtUserHiliteMenuItem",4813 },
{ "NtUserHungWindowFromGhostWindow",4814 },
{ "NtUserHwndQueryRedirectionInfo",4815 },
{ "NtUserHwndSetRedirectionInfo",4816 },
{ "NtUserImpersonateDdeClientWindow",4817 },
{ "NtUserInitTask",4818 },
{ "NtUserInitialize",4819 },
{ "NtUserInitializeClientPfnArrays",4820 },
{ "NtUserInjectGesture",4821 },
{ "NtUserInternalGetWindowIcon",4822 },
{ "NtUserIsTopLevelWindow",4823 },
{ "NtUserIsTouchWindow",4824 },
{ "NtUserLoadKeyboardLayoutEx",4825 },
{ "NtUserLockWindowStation",4826 },
{ "NtUserLockWorkStation",4827 },
{ "NtUserLogicalToPhysicalPoint",4828 },
{ "NtUserMNDragLeave",4829 },
{ "NtUserMNDragOver",4830 },
{ "NtUserMagControl",4831 },
{ "NtUserMagGetContextInformation",4832 },
{ "NtUserMagSetContextInformation",4833 },
{ "NtUserManageGestureHandlerWindow",4834 },
{ "NtUserMenuItemFromPoint",4835 },
{ "NtUserMinMaximize",4836 },
{ "NtUserModifyWindowTouchCapability",4837 },
{ "NtUserNotifyIMEStatus",4838 },
{ "NtUserOpenInputDesktop",4839 },
{ "NtUserOpenThreadDesktop",4840 },
{ "NtUserPaintMonitor",4841 },
{ "NtUserPhysicalToLogicalPoint",4842 },
{ "NtUserPrintWindow",4843 },
{ "NtUserQueryDisplayConfig",4844 },
{ "NtUserQueryInformationThread",4845 },
{ "NtUserQueryInputContext",4846 },
{ "NtUserQuerySendMessage",4847 },
{ "NtUserRealChildWindowFromPoint",4848 },
{ "NtUserRealWaitMessageEx",4849 },
{ "NtUserRegisterErrorReportingDialog",4850 },
{ "NtUserRegisterHotKey",4851 },
{ "NtUserRegisterRawInputDevices",4852 },
{ "NtUserRegisterServicesProcess",4853 },
{ "NtUserRegisterSessionPort",4854 },
{ "NtUserRegisterTasklist",4855 },
{ "NtUserRegisterUserApiHook",4856 },
{ "NtUserRemoteConnect",4857 },
{ "NtUserRemoteRedrawRectangle",4858 },
{ "NtUserRemoteRedrawScreen",4859 },
{ "NtUserRemoteStopScreenUpdates",4860 },
{ "NtUserRemoveClipboardFormatListener",4861 },
{ "NtUserResolveDesktopForWOW",4862 },
{ "NtUserSendTouchInput",4863 },
{ "NtUserSetAppImeLevel",4864 },
{ "NtUserSetChildWindowNoActivate",4865 },
{ "NtUserSetClassWord",4866 },
{ "NtUserSetCursorContents",4867 },
{ "NtUserSetDisplayConfig",4868 },
{ "NtUserSetGestureConfig",4869 },
{ "NtUserSetImeHotKey",4870 },
{ "NtUserSetImeInfoEx",4871 },
{ "NtUserSetImeOwnerWindow",4872 },
{ "NtUserSetInternalWindowPos",4873 },
{ "NtUserSetLayeredWindowAttributes",4874 },
{ "NtUserSetMenu",4875 },
{ "NtUserSetMenuContextHelpId",4876 },
{ "NtUserSetMenuFlagRtoL",4877 },
{ "NtUserSetMirrorRendering",4878 },
{ "NtUserSetObjectInformation",4879 },
{ "NtUserSetProcessDPIAware",4880 },
{ "NtUserSetShellWindowEx",4881 },
{ "NtUserSetSysColors",4882 },
{ "NtUserSetSystemCursor",4883 },
{ "NtUserSetSystemTimer",4884 },
{ "NtUserSetThreadLayoutHandles",4885 },
{ "NtUserSetWindowCompositionAttribute",4886 },
{ "NtUserSetWindowDisplayAffinity",4887 },
{ "NtUserSetWindowRgnEx",4888 },
{ "NtUserSetWindowStationUser",4889 },
{ "NtUserSfmDestroyLogicalSurfaceBinding",4890 },
{ "NtUserSfmDxBindSwapChain",4891 },
{ "NtUserSfmDxGetSwapChainStats",4892 },
{ "NtUserSfmDxOpenSwapChain",4893 },
{ "NtUserSfmDxQuerySwapChainBindingStatus",4894 },
{ "NtUserSfmDxReleaseSwapChain",4895 },
{ "NtUserSfmDxReportPendingBindingsToDwm",4896 },
{ "NtUserSfmDxSetSwapChainBindingStatus",4897 },
{ "NtUserSfmDxSetSwapChainStats",4898 },
{ "NtUserSfmGetLogicalSurfaceBinding",4899 },
{ "NtUserShowSystemCursor",4900 },
{ "NtUserSoundSentry",4901 },
{ "NtUserSwitchDesktop",4902 },
{ "NtUserTestForInteractiveUser",4903 },
{ "NtUserTrackPopupMenuEx",4904 },
{ "NtUserUnloadKeyboardLayout",4905 },
{ "NtUserUnlockWindowStation",4906 },
{ "NtUserUnregisterHotKey",4907 },
{ "NtUserUnregisterSessionPort",4908 },
{ "NtUserUnregisterUserApiHook",4909 },
{ "NtUserUpdateInputContext",4910 },
{ "NtUserUpdateInstance",4911 },
{ "NtUserUpdateLayeredWindow",4912 },
{ "NtUserUpdatePerUserSystemParameters",4913 },
{ "NtUserUpdateWindowTransform",4914 },
{ "NtUserUserHandleGrantAccess",4915 },
{ "NtUserValidateHandleSecure",4916 },
{ "NtUserWaitForInputIdle",4917 },
{ "NtUserWaitForMsgAndEvent",4918 },
{ "NtUserWindowFromPhysicalPoint",4919 },
{ "NtUserYieldTask",4920 },
{ "NtUserSetClassLongPtr",4921 },
{ "NtUserSetWindowLongPtr",4922 },
};
class NtCall :public Singleton<NtCall>
{
public:
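NtCall()
{
    // Build the name -> service-number map first (ntdll on every build, plus
    // win32u.dll or the hard-coded Table7601 for win32k), then look up the
    // process CallNtUser attaches to when the caller has no Win32Process.
    Win32Process = nullptr;
    build_Table();
    Win32Process = ddk::util::get_win32_process();
    // The destructor releases this with ObDereferenceObject, so a non-null
    // result is expected to be a referenced EPROCESS. A null here is not fatal
    // yet, but CallNtUser would hand it to KeStackAttachProcess, which
    // bugchecks on a null process — make the failure visible at construction.
    if (!Win32Process)
        LOG_DEBUG("get_win32_process failed; attach for win32k calls is unavailable\r\n");
}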
~NtCall()
{
    // Drop the reference held on the win32 process (taken by the constructor
    // via get_win32_process), then release every syscall stub that
    // gen_syscall allocated from non-paged pool.
    if (Win32Process != nullptr)
        ObDereferenceObject(Win32Process);
    for (PVOID stub : _syscalltable)
        ExFreePool(stub);
}
private:
template<typename T>
inline T get(const std::string& name)
{
    // Look up a previously generated stub by service name. T is the caller's
    // function-pointer type; a miss yields a null pointer of that type.
    const auto hit = _funcs.find(name);
    if (hit == _funcs.end())
        return T{};
    return reinterpret_cast<T>(hit->second);
}
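template<typename T>
inline T gen_syscall(DWORD syscallid, LPCSTR szCallName)
{
    // Return a callable stub for service number `syscallid`, generating and
    // caching it (by name) on first use. The stub builds a small frame on the
    // kernel stack, loads the service number into eax and jumps to the address
    // returned by get_KiServiceEntry(); the frame shape (rsp saved in rax,
    // 16 bytes of scratch, rax, rflags, a 0x10 selector and a return address)
    // looks like a hand-rolled version of what the x64 syscall entry pushes
    // before the shared service path — confirm against the target kernel.
    // Stubs are freed in the destructor.
    //
    // The stub is x64 machine code executed from pool, which the rest of this
    // file does not guard (build_syscall_table has _X86_ branches), so fail
    // the build rather than emit garbage on a 32-bit target.
    // NOTE(review): the allocation must also be executable; if this driver
    // opts into NX pool (POOL_NX_OPTIN makes NonPagedPool -> NonPagedPoolNx)
    // the jump into the stub faults — confirm the build settings.
    static_assert(sizeof(PVOID) == 8, "gen_syscall emits x64-only code");

    auto cached = NtCall::get<T>(std::string(szCallName));
    if (cached)
        return cached;

    const auto KiServiceEntry = (ULONG64)ddk::util::get_KiServiceEntry();
    if (!KiServiceEntry)
        return T{};
    LOG_DEBUG("Entry = %p\r\n", (PVOID)KiServiceEntry);

    // Template stub; the two placeholders are patched per service below.
    static const unsigned char syscall_shellcode[] =
    {
        0x48, 0x8B, 0xC4,                           // mov  rax, rsp
        0xFA,                                       // cli
        0x48, 0x83, 0xEC, 0x10,                     // sub  rsp, 10h
        0x50,                                       // push rax
        0x9C,                                       // pushfq
        0x6A, 0x10,                                 // push 10h
        0x48, 0x8D, 0x05, 0x0C, 0x00, 0x00, 0x00,   // lea  rax, [rip+0Ch]  -> the ret below
        0x50,                                       // push rax             (return address)
        0xB8, 0x78, 0x56, 0x34, 0x12,               // mov  eax, imm32      (service number, +0x15)
        0xFF, 0x25, 0x01, 0x00, 0x00, 0x00,         // jmp  qword ptr [rip+1] -> KiServiceEntry
        0xC3,                                       // ret
        0x66, 0x66, 0x77, 0x77, 0x88, 0x88, 0x99, 0x99 // KiServiceEntry (+0x20)
    };
    const size_t offset_syscallnumber = 0x15;   // imm32 of the mov eax
    const size_t offset_kiserviceAddr = 0x20;   // qword read by the jmp
    static_assert(sizeof(syscall_shellcode) == 0x28, "stub layout changed; fix the offsets");

    auto pshellcode = reinterpret_cast<PUCHAR>(
        ExAllocatePoolWithTag(NonPagedPool, sizeof(syscall_shellcode), 'scsc'));
    if (!pshellcode)
        return T{};
    RtlCopyMemory(pshellcode, syscall_shellcode, sizeof(syscall_shellcode));
    *reinterpret_cast<PDWORD>(pshellcode + offset_syscallnumber) = syscallid;
    *reinterpret_cast<PULONG64>(pshellcode + offset_kiserviceAddr) = KiServiceEntry;

    // Cache for get<T>() and remember the allocation for the destructor.
    _funcs.insert(std::make_pair(std::string(szCallName), (PVOID)pshellcode));
    _syscalltable.push_back(pshellcode);
    LOG_DEBUG("syscall = %p\r\n", pshellcode);
    return reinterpret_cast<T>(pshellcode);
}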
public:
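template<typename T, typename... Args>
inline auto CallNtUser(const std::string& name, Args&&... args) -> typename std::result_of<T(Args...)>::type
{
    // Invoke win32k service `name` through a generated stub (see gen_syscall).
    // T is the function-pointer type of the service; `args` are forwarded
    // unchanged. Returns the service's result, or a zero-valued result when
    // the name is unknown, the stub cannot be built, or no process is
    // available to attach to.
    using result_t = typename std::result_of<T(Args...)>::type;

    // Look the number up with find(): operator[] would silently insert 0 for
    // an unknown name and then dispatch service number 0 with the caller's
    // arguments.
    const auto entry = mmTable.find(name);
    if (entry == mmTable.end())
    {
        LOG_DEBUG("unknown service %s\r\n", name.c_str());
        return result_t(0);
    }
    auto pfn = gen_syscall<T>(entry->second, name.c_str());
    LOG_DEBUG("call %p\r\n", pfn);
    if (!pfn)
        return result_t(0);

    // If the current process has no Win32Process, run the call attached to
    // the process found by get_win32_process() (presumably so the win32k
    // entry sees a GUI process context — confirm). Never attach to a null
    // process: KeStackAttachProcess would bugcheck.
    bool attached = false;
    KAPC_STATE apcstate = {};
    if (!PsGetProcessWin32Process(PsGetCurrentProcess()))
    {
        if (!Win32Process)
        {
            LOG_DEBUG("no win32 process to attach to\r\n");
            return result_t(0);
        }
        LOG_DEBUG("Switch To Csrss\r\n");
        KeStackAttachProcess(Win32Process, &apcstate);
        attached = true;
    }
    auto result = pfn(std::forward<Args>(args)...);
    if (attached)
        KeUnstackDetachProcess(&apcstate);
    return result;
}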
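template<typename T, typename... Args>
inline NTSTATUS CallNtCall(const std::string& name, Args&&... args)
{
    // Invoke service `name` through a generated stub and return its NTSTATUS.
    // Unlike CallNtUser, no process attach is performed here. Returns
    // STATUS_ORDINAL_NOT_FOUND when the name is unknown or no stub could be
    // built.
    //
    // find() rather than operator[]: the latter inserts 0 for an unknown name
    // and would dispatch service number 0 with the caller's arguments.
    const auto entry = mmTable.find(name);
    if (entry == mmTable.end())
    {
        LOG_DEBUG("unknown service %s\r\n", name.c_str());
        return STATUS_ORDINAL_NOT_FOUND;
    }
    auto pfn = gen_syscall<T>(entry->second, name.c_str());
    LOG_DEBUG("call %p\r\n", pfn);
    return pfn ? pfn(std::forward<Args>(args)...) : STATUS_ORDINAL_NOT_FOUND;
}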
private:
// syscall name -> syscall number; filled by build_Table()/build_syscall_table().
// DWORD(-1) marks an export whose stub pattern could not be decoded.
std::unordered_map<std::string, DWORD> mmTable;
// Process CallNtUser attaches to when the caller has no Win32 process (logged as
// csrss); where it is initialised is outside this excerpt.
PEPROCESS Win32Process;
// name -> generated stub, populated by gen_syscall.
std::unordered_map<std::string, PVOID> _funcs;
// Every stub buffer allocated by gen_syscall (NonPagedPool, tag 'scsc'), kept for release.
std::vector<PVOID> _syscalltable;
private:
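void build_Table()
{
    // Populate mmTable: native syscall numbers come from ntdll.dll's Nt* exports on
    // every build; win32k numbers come from win32u.dll on Windows 10 and from the
    // static Table7601 on build 7601.
    build_syscall_table(std::wstring(L"\\SystemRoot\\System32\\ntdll.dll"));
    if (*NtBuildNumber > 9600)
    {
        load_win10Table();
        return;
    }
    // Table7601 only holds numbers for build 7601; win32k syscall numbers differ on the
    // other pre-Win10 builds, so leave them unresolved rather than load numbers that would
    // reach the wrong kernel entry point.
    if (*NtBuildNumber != 7601)
    {
        LOG_DEBUG("no win32k table for build %u\r\n", unsigned(*NtBuildNumber));
        return;
    }
    // Range-for over the static array avoids the signed/unsigned index comparison.
    for (const auto& item : Table7601)
    {
        mmTable.insert(std::make_pair(std::string(item.szName), item.CallNumber));
    }
}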
void load_win10Table()
{
    // On Windows 10 the win32k stubs are exported from win32u.dll; decode that image.
    const std::wstring win32u_path(L"\\SystemRoot\\System32\\win32u.dll");
    build_syscall_table(win32u_path);
}
private:
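void build_syscall_table(std::wstring dllpath)
{
    // Map the image at dllpath, walk its export-by-name table and record, for every
    // "Nt*" export, the syscall number encoded in its stub. Faults while reading a
    // malformed image are absorbed by the SEH handler; whatever was recorded so far is kept.
    auto dllBase = ddk::util::load_dll(dllpath);
    if (!dllBase)
    {
        return;
    }
    auto unmap_on_exit = std::experimental::make_scope_exit([&]() { ddk::util::free_dll(dllBase); });

    auto RVATOVA = [](auto base, auto rva) {
        return (PUCHAR)(base) + (ULONG)(rva);
    };
    // Syscall number of the stub at FuncRva: the imm32 of its "mov eax, imm32", or
    // DWORD(-1) when the expected byte pattern is not present.
    auto get_syscall_number = [=](ULONG FuncRva) -> DWORD
    {
        if (!FuncRva)
        {
            return DWORD(-1);
        }
        PUCHAR Func = (PUCHAR)dllBase + FuncRva;
#ifdef _X86_
        // 32-bit stub: mov eax,imm32 (B8 xx xx xx xx) is the first instruction
        if (*Func == 0xB8)
        {
            return *(PULONG)(Func + 1);
        }
#elif _AMD64_
        // 64-bit stub: a 3-byte instruction precedes mov eax,imm32, so the opcode is at +3
        if (*(Func + 3) == 0xB8)
        {
            return *(PULONG)(Func + 4);
        }
#endif
        return DWORD(-1);
    };

    __try
    {
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)dllBase;
        PIMAGE_NT_HEADERS32 pHeaders32 = (PIMAGE_NT_HEADERS32)((PUCHAR)dllBase + pDosHeader->e_lfanew);
        ULONG exportRva = 0;
        if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)
        {
            // 32-bit image
            exportRva = pHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        }
        else if (pHeaders32->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64)
        {
            // 64-bit image: the data directory sits at a different offset in the 64-bit optional header
            PIMAGE_NT_HEADERS64 pHeaders64 = (PIMAGE_NT_HEADERS64)((PUCHAR)dllBase + pDosHeader->e_lfanew);
            exportRva = pHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        }
        if (exportRva)
        {
            PIMAGE_EXPORT_DIRECTORY pExport = (PIMAGE_EXPORT_DIRECTORY)RVATOVA(dllBase, exportRva);
            PULONG AddressOfFunctions = (PULONG)RVATOVA(dllBase, pExport->AddressOfFunctions);
            PUSHORT AddrOfOrdinals = (PUSHORT)RVATOVA(dllBase, pExport->AddressOfNameOrdinals);
            PULONG AddressOfNames = (PULONG)RVATOVA(dllBase, pExport->AddressOfNames);
            // AddressOfNames and AddressOfNameOrdinals are parallel arrays of NumberOfNames
            // entries (iterating NumberOfFunctions reads past them); each ordinal indexes
            // AddressOfFunctions and is only valid below NumberOfFunctions. Ordinals are
            // unsigned 16-bit values, so a signed read would misindex entries >= 0x8000.
            for (ULONG i = 0; i < pExport->NumberOfNames; i++)
            {
                auto func_name = std::string((char *)RVATOVA(dllBase, AddressOfNames[i]));
                if (func_name.size() <= 2 || func_name[0] != 'N' || func_name[1] != 't')
                {
                    continue;
                }
                const USHORT ordinal = AddrOfOrdinals[i];
                if (ordinal >= pExport->NumberOfFunctions)
                {
                    continue;
                }
                // DWORD(-1) marks an export that is not a recognisable stub; it is recorded
                // as-is and callers must treat that value as "unresolved".
                auto syscall_id = get_syscall_number(AddressOfFunctions[ordinal]);
                LOG_DEBUG("load %s %d\r\n", func_name.c_str(), syscall_id);
                mmTable.insert(std::make_pair(func_name, syscall_id));
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // malformed or unreadable image: keep what was recorded before the fault
    }
}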
};
};
// Convenience wrappers: look up the syscall number for `name`, build its stub
// (gen_syscall) and call it with the declared signature of `name`, decltype(&name).
// W32_SYSCALL goes through CallNtUser (win32k, may attach to Win32Process);
// NT_SYSCALL goes through CallNtCall (ntdll syscalls, returns NTSTATUS).
// NOTE(review): `& ## name` pastes '&' onto an identifier, which is not a valid
// token paste in standard C++; it relies on the MSVC preprocessor accepting it.
#define W32_SYSCALL(name, ...) (ddk::NtCall::getInstance().CallNtUser<decltype(& ## name)>( #name, __VA_ARGS__ ))
#define NT_SYSCALL(name,...)(ddk::NtCall::getInstance().CallNtCall<decltype(& ## name)>( #name, __VA_ARGS__ ))
//////////////////////////////////////////////////////////////////////////
//獲取最前窗體
HWND GetForegroundWindow()
{
    // Returns the foreground window via NtUserGetForegroundWindow (no arguments).
    const HWND foreground = W32_SYSCALL(NtUserGetForegroundWindow);
    return foreground;
}
//GetDC 封裝
HDC GetDC(HWND _hwnd)
{
    // Obtain a device context for _hwnd via NtUserGetDC.
    HDC dc = W32_SYSCALL(NtUserGetDC, _hwnd);
    return dc;
}
//查找窗體
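// Forward declaration: FindWindowW is the (NULL parent, NULL child) case of FindWindowExW,
// defined below, which owns the user-mode copy of the name arguments.
HWND FindWindowExW(HWND hWndParent, HWND hWndChildAfter, LPCWSTR lpszClass, LPCWSTR lpszWindow);

HWND FindWindowW(LPCWSTR lpClassName, LPCWSTR lpWindowName)
{
    // Top-level window lookup by class and/or title. The UNICODE_STRING arguments that
    // reach NtUserFindWindowEx must live in user-mode memory (below W32UserProbeAddress);
    // that copy, and the Win32-process precondition, are handled in FindWindowExW, so the
    // two wrappers cannot drift apart.
    return FindWindowExW(HWND(0), HWND(0), lpClassName, lpWindowName);
}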
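HWND
FindWindowExW(
    _In_opt_ HWND hWndParent,
    _In_opt_ HWND hWndChildAfter,
    _In_opt_ LPCWSTR lpszClass,
    _In_opt_ LPCWSTR lpszWindow)
{
    // Window lookup via NtUserFindWindowEx. Either name may be NULL. Returns HWND(0)
    // when the caller has no Win32 process, when a name does not fit the scratch
    // buffer, or when the user-mode buffer cannot be allocated.
    if (!PsGetProcessWin32Process(PsGetCurrentProcess()))
    {
        return HWND(0);
    }

    // The scratch buffer holds two UNICODE_STRING headers followed by 2*MAX_PATH WCHARs
    // shared by both names (each name plus its zero terminator). Reject names that would
    // overrun it instead of copying wcslen() bytes unchecked.
    constexpr SIZE_T kStringChars = MAX_PATH * 2;
    const SIZE_T classLen = lpszClass ? wcslen(lpszClass) : 0;
    const SIZE_T windowLen = lpszWindow ? wcslen(lpszWindow) : 0;
    if (classLen + 1 + windowLen + 1 > kStringChars)
    {
        return HWND(0);
    }

    // Allocated in the current process's user-mode address space: win32k probes these
    // arguments as user pointers (they must lie below W32UserProbeAddress).
    SIZE_T allocSize = sizeof(UNICODE_STRING) * 2 + kStringChars * sizeof(WCHAR);
    const SIZE_T neededSize = allocSize;
    auto pMem = ddk::mem_util::MmAllocateVirtualMemory(PsGetCurrentProcess(), NULL, &allocSize, MEM_COMMIT, PAGE_READWRITE);
    if (!pMem)
    {
        return HWND(0);
    }
    auto release_on_exit = std::experimental::make_scope_exit([&]() {
        ddk::mem_util::MmFreeVirtualMemory(PsGetCurrentProcess(), pMem);
    });
    RtlZeroMemory(pMem, allocSize);
    if (allocSize < neededSize)
    {
        // the allocator reports the size it actually committed; bail if it shrank
        return HWND(0);
    }

    auto pBuffer = (PUCHAR)pMem;
    PUNICODE_STRING usClassName = (PUNICODE_STRING)(pBuffer);
    PUNICODE_STRING usWindowName = (PUNICODE_STRING)(pBuffer + sizeof(UNICODE_STRING));
    PWCHAR str_buffer = (PWCHAR)(pBuffer + sizeof(UNICODE_STRING) * 2);
    if (lpszClass)
    {
        RtlCopyMemory(str_buffer, lpszClass, classLen * sizeof(WCHAR));
        RtlInitUnicodeString(usClassName, str_buffer);   // terminator comes from RtlZeroMemory
        str_buffer += classLen + 1;
    }
    if (lpszWindow)
    {
        RtlCopyMemory(str_buffer, lpszWindow, windowLen * sizeof(WCHAR));
        RtlInitUnicodeString(usWindowName, str_buffer);
    }
    // An absent name is passed as a zeroed (empty) UNICODE_STRING, not as a NULL pointer.
    return W32_SYSCALL(NtUserFindWindowEx, hWndParent, hWndChildAfter, usClassName, usWindowName, DWORD(0));
}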
//////////////////////////////////////////////////////////////////////////
//GDI繪圖函數
//TextOutW
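BOOL TextOutW(
    _In_ HDC hdc,
    _In_ int x,
    _In_ int y,
    _In_reads_(c) LPCWSTR lpString,
    _In_ int c)
{
    // Draw c WCHARs of lpString at (x, y) via NtGdiExtTextOutW. The text is first copied
    // into user-mode memory of the current process, as with the other wrappers here, so
    // the pointer handed to win32k is a user-mode address. Returns FALSE when the caller
    // has no Win32 process, on invalid arguments, or when the buffer cannot be allocated.
    if (!PsGetProcessWin32Process(PsGetCurrentProcess()))
    {
        return FALSE;
    }
    // A negative count, or characters without a source string, cannot be drawn.
    if (c < 0 || (c > 0 && !lpString))
    {
        return FALSE;
    }
    // Size arithmetic in SIZE_T: `(c + 1)` as int would overflow for c == INT_MAX.
    // The extra WCHAR keeps a zero terminator after the text (buffer is zeroed below).
    const SIZE_T chars = static_cast<SIZE_T>(c);
    SIZE_T allocSize = (chars + 1) * sizeof(WCHAR);
    const SIZE_T neededSize = allocSize;
    auto pMem = ddk::mem_util::MmAllocateVirtualMemory(PsGetCurrentProcess(), NULL, &allocSize, MEM_COMMIT, PAGE_READWRITE);
    if (!pMem)
    {
        return FALSE;
    }
    auto release_on_exit = std::experimental::make_scope_exit([&]() {
        ddk::mem_util::MmFreeVirtualMemory(PsGetCurrentProcess(), pMem);
    });
    RtlZeroMemory(pMem, allocSize);
    if (allocSize < neededSize)
    {
        return FALSE;
    }
    if (chars)
    {
        RtlCopyMemory(pMem, lpString, chars * sizeof(WCHAR));
    }
    return W32_SYSCALL(NtGdiExtTextOutW, hdc, x, y, UINT(0), (RECT *)NULL, (LPCWSTR)pMem, c, (INT *)NULL, 0);
}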
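// Shared body of PolylineTo/Polyline. Copies cpt POINTs followed by one DWORD holding
// cpt into user-mode memory of the current process and issues NtGdiPolyPolyDraw for a
// single polyline (the INT64(1) argument). `mode` is passed through unchanged as the
// final NtGdiPolyPolyDraw argument: 4 for PolylineTo, 2 for Polyline, as in the
// original wrappers.
static BOOL poly_draw_single(HDC hdc, CONST POINT * apt, DWORD cpt, int mode)
{
    if (!PsGetProcessWin32Process(PsGetCurrentProcess()))
    {
        return FALSE;
    }
    // Points without a source array cannot be copied.
    if (cpt && !apt)
    {
        return FALSE;
    }
    // Guard cpt * sizeof(POINT) + sizeof(DWORD) against SIZE_T overflow (32-bit builds).
    const SIZE_T maxPoints = ((SIZE_T)-1 - sizeof(DWORD)) / sizeof(POINT);
    if (cpt > maxPoints)
    {
        return FALSE;
    }
    const SIZE_T pointBytes = static_cast<SIZE_T>(cpt) * sizeof(POINT);
    SIZE_T allocSize = pointBytes + sizeof(DWORD);
    const SIZE_T okSize = allocSize;
    auto pMem = ddk::mem_util::MmAllocateVirtualMemory(PsGetCurrentProcess(), NULL, &allocSize, MEM_COMMIT, PAGE_READWRITE);
    if (!pMem)
    {
        return FALSE;
    }
    auto release_on_exit = std::experimental::make_scope_exit([&]() {
        ddk::mem_util::MmFreeVirtualMemory(PsGetCurrentProcess(), pMem);
    });
    RtlZeroMemory(pMem, allocSize);
    if (allocSize < okSize)
    {
        return FALSE;
    }
    if (cpt)
    {
        RtlCopyMemory(pMem, apt, pointBytes);
    }
    // The per-polyline point count follows the point array in the same buffer.
    auto lpcpt = (PDWORD)((PUCHAR)pMem + pointBytes);
    *lpcpt = cpt;
    return W32_SYSCALL(NtGdiPolyPolyDraw, hdc, (POINT *)pMem, (INT*)lpcpt, INT64(1), mode);
}

// Polyline-to variant: mode 4.
BOOL PolylineTo(_In_ HDC hdc, _In_reads_(cpt) CONST POINT * apt, _In_ DWORD cpt)
{
    return poly_draw_single(hdc, apt, cpt, 4);
}

// Plain polyline variant: mode 2.
BOOL Polyline(_In_ HDC hdc, _In_reads_(cpt) CONST POINT * apt, _In_ DWORD cpt)
{
    return poly_draw_single(hdc, apt, cpt, 2);
}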
//////////////////////////////////////////////////////////////////////////
// Device object through which user mode triggers the PoC (see PocGdi() and ioctl_test()).
ddk::nt_device pocGdi;
#ifndef _NTDDK_
#include <winioctl.h>
// User-mode side of the header: the DOS path a client opens.
static const auto DosDeviceName = _T("\\\\.\\PocGdi");
#else
// Kernel-mode side: NT device name and the DOS symbolic link passed to create_device().
static const auto DeviceName = L"\\Device\\PocGdi";
static const auto DosDeviceName = L"\\DosDevices\\PocGdi";
#endif
// Vendor-defined device type (0x8000 is the first value reserved for third parties).
static const auto DRV_DEVICE_CODE = 0x8000ul;
// The single test IOCTL. FILE_ANY_ACCESS means the control code itself requires no
// specific access right; who may reach it is decided solely by the device object's
// security descriptor, which create_device() sets up outside this excerpt.
static const auto DRV_IOCTL_TEST = CTL_CODE(DRV_DEVICE_CODE, 0x0800, /* 0x0800-0x0FFF */METHOD_BUFFERED, FILE_ANY_ACCESS);
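NTSTATUS ioctl_test(
    PVOID InputBuffer,
    ULONG InputBufferSize,
    PVOID OutputBuffer,
    ULONG OutputBufferSize,
    ULONG_PTR *ReturnSize)
{
    // DRV_IOCTL_TEST handler: exercises the wrappers above against the foreground window.
    // It must run in the calling user thread's context (an IOCTL is used instead of a hook
    // purely to make debugging easier). The buffers are unused and nothing is returned;
    // *ReturnSize is always 0. Returns STATUS_SUCCESS once every step ran without faulting,
    // STATUS_UNSUCCESSFUL otherwise (the original reported failure unconditionally).
    UNREFERENCED_PARAMETER(InputBuffer);
    UNREFERENCED_PARAMETER(InputBufferSize);
    UNREFERENCED_PARAMETER(OutputBuffer);
    UNREFERENCED_PARAMETER(OutputBufferSize);

    NTSTATUS retStatus = STATUS_UNSUCCESSFUL;
    *ReturnSize = 0;
    __try
    {
        auto hFWnd = GetForegroundWindow();
        LOG_DEBUG("FHWND=%p\r\n", hFWnd);
        // NOTE(review): the DC obtained here is never released; this file provides no
        // ReleaseDC wrapper, so the leak is left as-is.
        auto dc = GetDC(hFWnd);
        LOG_DEBUG("DC=%p\r\n", dc);
        auto _find = FindWindowW(NULL, L"MFCApplication1");
        LOG_DEBUG("_find=%p\r\n", _find);
        auto bout = TextOutW(dc, 0, 0, L"Fuck2333", 8);
        LOG_DEBUG("draw %d\r\n", bout);
        // A horizontal line from x=10 to x=200 at y=50.
        POINT pts[2] = {};
        pts[0].x = 10;
        pts[1].x = 200;
        pts[0].y = pts[1].y = 50;
        bout = Polyline(dc, pts, 2);
        LOG_DEBUG("draw2 %d\r\n", bout);
        retStatus = STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // a fault in any step leaves retStatus at STATUS_UNSUCCESSFUL
    }
    return retStatus;
}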
void PocGdi()
{
    // Register the test IOCTL on the global device object and create the device
    // (plus its DOS link) that user mode opens to trigger ioctl_test.
    auto& device = pocGdi;
    device.set_device_code(DRV_DEVICE_CODE);
    device.set_ioctrl_callback(DRV_IOCTL_TEST, ioctl_test);
    const auto created = device.create_device(DeviceName, DosDeviceName);
    if (!created)
    {
        LOG_DEBUG("CreateDeviceFailed\r\n");
    }
}
