diff options
| author | boris <wzn@moneybot.cc> | 2018-12-19 00:13:24 +1300 |
|---|---|---|
| committer | boris <wzn@moneybot.cc> | 2018-12-19 00:13:24 +1300 |
| commit | 77b52da44b263df4884be2f35f885d8edccbb6fa (patch) | |
| tree | 54a9a07c67d507cb5120ae7e4ee86669dfec7c6b /csgo-loader/csgo-client/Security/SyscallManager.hpp | |
| parent | 1270999026bd77165edfffebfce277a34761710c (diff) | |
added new loader project :)
merry christmas
Diffstat (limited to 'csgo-loader/csgo-client/Security/SyscallManager.hpp')
| -rw-r--r-- | csgo-loader/csgo-client/Security/SyscallManager.hpp | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/csgo-loader/csgo-client/Security/SyscallManager.hpp b/csgo-loader/csgo-client/Security/SyscallManager.hpp new file mode 100644 index 0000000..e154625 --- /dev/null +++ b/csgo-loader/csgo-client/Security/SyscallManager.hpp @@ -0,0 +1,65 @@ +#pragma once
+
+#include <windows.h>
+#include <winternl.h>
+#include <cstdint>
+#include <algorithm>
+#include <map>
+#include <fstream>
+#include <vector>
+#include <iterator>
+
+using ByteArray = std::vector<uint8_t>;
+
+namespace Wrapper {
+ // A stub used for our syscalls.
+ class SyscallStub {
+ // The shellcode which executes a low latency system call.
+ uint8_t m_Shellcode[11] = {
+ 0x4C, 0x8B, 0xD1, // mov r10, rcx
+ 0xB8, 0x00, 0x00, 0x00, 0x00, // mov eax, [syscall index]
+ 0x0F, 0x05, // syscall
+ 0xC3
+ };
+ public:
+ // Constructors.
+ SyscallStub() = default;
+
+ // Sets the syscall index.
+ void SetIndex(uint32_t Index);
+
+ __forceinline uintptr_t Get() {
+ return (uintptr_t)m_Shellcode;
+ }
+ };
+
+ // Manager for system calls. Used to iterate NTDLL for all syscall indices.
+ // Read: https://www.evilsocket.net/2014/02/11/on-windows-syscall-mechanism-and-syscall-numbers-extraction-methods/
+ class SyscallManager {
+ // Reading NTDLL from disk because it cannot be modified
+ // due to restrictions put in place by PatchGuard.
+ ByteArray GetNtdllFromDisk();
+
+ // Container for all syscall stubs.
+ std::map<uint64_t, SyscallStub> m_Syscalls;
+
+ // Helper functions.
+ uint64_t GetRawOffsetByRva(IMAGE_SECTION_HEADER *SectionHeader, uint64_t Sections, uint64_t FileSize, uint64_t Rva);
+ IMAGE_SECTION_HEADER *GetSectionByRva(IMAGE_SECTION_HEADER *SectionHeader, uint64_t Sections, uint64_t Rva);
+
+ public:
+ // Initialises the syscall manager, dumping all the
+ // syscall indices.
+ bool Start();
+
+ // Finds a syscall by hash.
+ template < typename T >
+ T Find(uint64_t Hash) {
+ return (T)m_Syscalls[Hash].Get();
+ }
+ };
+
+ using SyscallManagerPtr = std::unique_ptr<SyscallManager>;
+}
+
+extern Wrapper::SyscallManagerPtr Syscalls;
\ No newline at end of file |