authornavewindre <nw@moneybot.cc>2024-07-12 00:55:39 +0200
committernavewindre <nw@moneybot.cc>2024-07-12 00:55:39 +0200
commit2ebf959ec02048c15323e1bbfc63faedcf5067b6 (patch)
tree18862ba5d3b4be44294c0a81317d31eace7ee150 /src/ntutil.cpp
parentecca2728f1a583ea484f8bdcda390a30e4906f1d (diff)
ha haaa
Diffstat (limited to 'src/ntutil.cpp')
-rw-r--r--src/ntutil.cpp304
1 files changed, 304 insertions, 0 deletions
diff --git a/src/ntutil.cpp b/src/ntutil.cpp
new file mode 100644
index 0000000..c0f6b98
--- /dev/null
+++ b/src/ntutil.cpp
@@ -0,0 +1,304 @@
+//|_ _ _. _ ._ |_ _. _ |
+//| | (/_ (_| \/ (/_ | | | | (_| (_ |<
+
+#include "ntutil.h"
+#include "syscall.h"
+
+// it's big nigga season
+
+NTSTATUS64 nt_create_thread64(
+ REG64* thread,
+ ACCESS_MASK mask,
+ _OBJECT_ATTRIBUTES64* object_attributes,
+ HANDLE process_handle,
+ LPTHREAD_START_ROUTINE start_routine,
+ void* parameter,
+ U32 suspended,
+ U32 stack_zero_bits,
+ U32 stack_commit,
+ U32 stack_reserve
+) {
+ static SYSCALL_ENTRY nt_create_thread = syscall_find_syscall64( "NtCreateThreadEx"fnv );
+
+ REG64 start = (U64)start_routine;
+ REG64 access64 = (U64)mask;
+ REG64 process64 = (U64)process_handle;
+ REG64 thread_handle_ptr = (U64)thread;
+ REG64 object_attributes_ptr = (U64)object_attributes;
+ REG64 suspended64 = (U64)suspended;
+ REG64 parameter64 = (U64)parameter;
+
+ REG64 stack_zero_bits64 = stack_zero_bits;
+ REG64 stack_commit64 = stack_commit;
+ REG64 stack_reserve64 = stack_reserve;
+
+ REG64 unk64{};
+
+ NTSTATUS64 status = syscall_execute( nt_create_thread.idx,
+ thread_handle_ptr,
+ access64,
+ object_attributes_ptr,
+ process64,
+ start,
+ parameter64,
+ suspended64,
+ stack_zero_bits64,
+ stack_commit64,
+ stack_reserve64,
+ unk64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_close64( REG64 handle ) {
+ static SYSCALL_ENTRY nt_close = syscall_find_syscall( "NtClose"fnv );
+
+ NTSTATUS64 status = syscall_execute( nt_close.idx, handle );
+ return status;
+}
+
+NTSTATUS64 nt_open_process64(
+ HANDLE* handle,
+ U32 desired_access,
+ _OBJECT_ATTRIBUTES64* obj_attrbitues,
+ _CLIENT_ID_T<U64>* client_id
+) {
+ static SYSCALL_ENTRY nt_open_process = syscall_find_syscall( "NtOpenProcess"fnv );
+
+ REG64 handle64{};
+ REG64 desired_access64 = (U64)desired_access;
+ REG64 object_attributes64 = (U64)obj_attrbitues;
+ REG64 client_id64 = (U64)client_id;
+
+ NTSTATUS64 status = syscall_execute( nt_open_process.idx,
+ (REG64)(U64)&handle64,
+ desired_access64,
+ object_attributes64,
+ client_id64
+ );
+
+ *handle = (HANDLE)handle64.u32[0];
+ return status;
+}
+
+NTSTATUS64 nt_write_vm64(
+ HANDLE handle,
+ U64 address,
+ void* value,
+ ULONG size,
+ U64* out_ret_bytes
+) {
+ static SYSCALL_ENTRY nt_write_vm = syscall_find_syscall( "NtWriteVirtualMemory"fnv );
+
+ REG64 handle64 = (U64)handle;
+ REG64 address64 = address;
+ REG64 value64 = (U64)value;
+ REG64 size64 = (U64)size;
+ REG64 out_ret_bytes64 = (U64)out_ret_bytes;
+
+ NTSTATUS64 status = syscall_execute( nt_write_vm.idx,
+ handle64,
+ address64,
+ value64,
+ size64,
+ out_ret_bytes64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_read_vm64(
+ HANDLE handle,
+ U64 address,
+ void* buffer,
+ ULONG size,
+ U64* out_ret_bytes
+) {
+ static SYSCALL_ENTRY nt_write_vm = syscall_find_syscall( "NtReadVirtualMemory"fnv );
+
+ REG64 handle64 = (U64)handle;
+ REG64 address64 = address;
+ REG64 buffer64 = (U64)buffer;
+ REG64 size64 = (U64)size;
+ REG64 out_ret_bytes64 = (U64)out_ret_bytes;
+
+ NTSTATUS64 status = syscall_execute( nt_write_vm.idx,
+ handle64,
+ address64,
+ buffer64,
+ size64,
+ out_ret_bytes64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_query_vm64(
+ HANDLE handle,
+ U64 address,
+ WIN32_MEMORY_INFORMATION_CLASS information_class,
+ void* memory_information,
+ U64 memory_information_length,
+ U64* return_length
+ ) {
+ static SYSCALL_ENTRY nt_query_vm = syscall_find_syscall( "NtQueryVirtualMemory"fnv );
+
+ REG64 handle64 = (U64)handle;
+ REG64 address64 = address;
+ REG64 info_class64 = (U64)information_class;
+ REG64 memory_information64 = (U64)memory_information;
+ REG64 memory_information_length64 = memory_information_length;
+ REG64 return_length64 = (U64)return_length;
+
+ NTSTATUS64 status = syscall_execute( nt_query_vm.idx,
+ handle64,
+ address64,
+ info_class64,
+ memory_information64,
+ memory_information_length64,
+ return_length64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_allocate_vm64(
+ HANDLE handle,
+ U64* allocated_address,
+ ULONG zero_bits,
+ U64* region_size,
+ ULONG allocation_type,
+ ULONG protect) {
+ static SYSCALL_ENTRY nt_allocate_vm = syscall_find_syscall64( "NtAllocateVirtualMemory"fnv );
+
+ REG64 handle64 = (U64)handle;
+ REG64 allocated_address64 = (U64)allocated_address;
+ REG64 zero_bits64 = (U64)zero_bits;
+ REG64 region_size64 = (U64)region_size;
+ REG64 allocation_type64 = (U64)allocation_type;
+ REG64 protect64 = (U64)protect;
+
+ NTSTATUS64 status = syscall_execute( nt_allocate_vm.idx,
+ handle64,
+ allocated_address64,
+ zero_bits64,
+ region_size64,
+ allocation_type64,
+ protect64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_query_system_information64(
+ SYSTEM_INFORMATION_CLASS info_class,
+ void* system_information,
+ ULONG system_infromation_length,
+ ULONG* return_length
+) {
+ static SYSCALL_ENTRY nt_query_system_info = syscall_find_syscall( "NtQuerySystemInformation"fnv );
+
+ REG64 info_class64 = (U64)info_class;
+ REG64 system_information64 = (U64)system_information;
+ REG64 system_information_length64 = (U64)system_infromation_length;
+ REG64 return_length64 = (U64)return_length;
+
+ NTSTATUS64 status = syscall_execute( nt_query_system_info.idx,
+ info_class64,
+ system_information64,
+ system_information_length64,
+ return_length64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_query_information_process64(
+ HANDLE handle,
+ PROCESSINFOCLASS info_class,
+ void* process_information,
+ ULONG process_information_length,
+ ULONG* out_information_length
+) {
+ static SYSCALL_ENTRY nt_query_info_process = syscall_find_syscall64( "NtQueryInformationProcess"fnv );
+
+ REG64 handle64 = (U64)handle;
+ REG64 info_class64 = (U64)info_class;
+ REG64 process_info64 = (U64)process_information;
+ REG64 process_info_length64 = (U64)process_information_length;
+ REG64 out_info_length64 = (U64)out_information_length;
+
+ NTSTATUS64 status = syscall_execute( nt_query_info_process.idx,
+ handle64,
+ info_class64,
+ process_info64,
+ process_info_length64,
+ out_info_length64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_delay_execution64(
+ BOOLEAN alterable,
+ LARGE_INTEGER* delay_interval
+) {
+ static SYSCALL_ENTRY nt_delay_execution = syscall_find_syscall64( "NtDelayExecution"fnv );
+
+ REG64 alterable64 = (U64)alterable;
+ REG64 delay_interval64 = (U64)delay_interval;
+
+ NTSTATUS64 status = syscall_execute( nt_delay_execution.idx,
+ alterable64,
+ delay_interval64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_query_object64(
+ HANDLE handle,
+ I32 info_class,
+ void* object_information,
+ ULONG object_information_length,
+ ULONG* return_length
+) {
+ static SYSCALL_ENTRY nt_query_object = syscall_find_syscall64( "NtQueryObject"fnv );
+
+ REG64 handle64 = (U64)handle;
+ REG64 info_class64 = (U64)info_class;
+ REG64 object_info64 = (U64)object_information;
+ REG64 object_info_length64 = (U64)object_information_length;
+ REG64 return_length64 = (U64)return_length;
+
+ NTSTATUS64 status = syscall_execute( nt_query_object.idx,
+ handle64,
+ info_class64,
+ object_info64,
+ object_info_length64,
+ return_length64
+ );
+
+ return status;
+}
+
+NTSTATUS64 nt_set_timer_resolution64(
+ ULONG desired_resolution,
+ BOOLEAN set_resolution,
+ ULONG* current_resolution) {
+ static SYSCALL_ENTRY nt_set_timer_resolution = syscall_find_syscall64( "NtSetTimerResolution"fnv );
+
+ REG64 desired_resolution64 = (U64)desired_resolution;
+ REG64 set_resolution64 = (U64)set_resolution;
+ REG64 current_resolution64 = (U64)current_resolution;
+
+ NTSTATUS64 status = syscall_execute( nt_set_timer_resolution.idx,
+ desired_resolution64,
+ set_resolution64,
+ current_resolution64
+ );
+
+ return status;
+}
+
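Review bot: In nt_read_vm64 the cached syscall entry is a static named `nt_write_vm` (initialised from "NtReadVirtualMemory" and then used in `syscall_execute( nt_write_vm.idx, ...`), a copy-paste leftover that reads as if the wrapper were issuing a write; rename it `static SYSCALL_ENTRY nt_read_vm = syscall_find_syscall( "NtReadVirtualMemory"fnv );` and `syscall_execute( nt_read_vm.idx,`. The wrappers also alternate between `syscall_find_syscall` and `syscall_find_syscall64` for their lookups (nt_close64, nt_open_process64, nt_write_vm64, nt_read_vm64, nt_query_vm64 and nt_query_system_information64 use the former, the rest the latter) with no comment on why; if the two helpers resolve against different tables the choice per wrapper should be stated, otherwise use one consistently. The returned entry is never checked before `.idx` is passed to `syscall_execute`, so a failed lookup presumably executes whatever index the failure value carries; how SYSCALL_ENTRY signals failure is not visible here, but each wrapper should test it and return an error status. nt_open_process64 dereferences its out-pointer unconditionally in `*handle = (HANDLE)handle64.u32[0];`, which faults on a null `handle`; `if ( handle ) *handle = (HANDLE)handle64.u32[0];` keeps the store safe, and a comment that the 64-bit handle is deliberately narrowed to its low dword would document the truncation.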