https://github.com/crime-trix/ntscope

C++20 Windows Native API metadata inspection library
cpp cxx20 metadata native-api ntdll pe-parser windows


# ntscope

`ntscope` is a small C++20 header-only library for inspecting Windows Native API metadata in loaded modules. It reads PE exports, builds a searchable `Nt*` syscall table from `ntdll.dll`, and keeps the result visible as ordinary C++ data.

[![ci](https://github.com/crime-trix/ntscope/actions/workflows/ci.yml/badge.svg)](https://github.com/crime-trix/ntscope/actions/workflows/ci.yml)

## Example

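```cpp
#include <ntscope.hpp>  // placeholder header name; the real one is not shown on this page

#include <iostream>

int main() {
    // View over the ntdll.dll image already loaded in this process.
    auto ntdll = ntscope::module_view::current_process(L"ntdll.dll");
    // Build the searchable Nt* table from that module's exports.
    auto syscalls = ntscope::syscall_table::from_module(*ntdll);

    // Look up one routine by name and print its syscall number.
    if (auto entry = syscalls->find("NtQuerySystemInformation")) {
        std::cout << entry->name << " = " << entry->number << "\n";
    }
}
```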

## Surface

- `module_view`: lightweight view over a module loaded in the current process.
- `export_table`: validated PE export enumeration with lookup by name.
- `syscall_table`: searchable `Nt*` metadata with source tracking.
- `syscall_table::from_ntdll()`: convenience loader for the common `ntdll.dll` path.
- `native_function`: typed lookup for exported Native API routines.

The library does not allocate executable memory and does not install process-wide handlers. It is a metadata layer first: predictable, inspectable, and easy to embed in tools.
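To show what "validated PE export enumeration with lookup by name" involves, here is an added example (not ntscope's own code) that resolves an export by name while bounds-checking every RVA, count, and string against the image size. The names `Image`, `read_at`, `find_export`, and `make_sample` are hypothetical, the sample image is constructed, and the export directory RVA is passed in rather than located through the PE headers.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <string_view>
#include <vector>

using Image = std::vector<std::uint8_t>;  // module bytes, indexed by RVA

// Read a T at `rva`, refusing anything that does not lie fully inside the image.
template <class T>
std::optional<T> read_at(const Image& img, std::uint64_t rva) {
    if (rva > img.size() || img.size() - rva < sizeof(T)) return std::nullopt;
    T v;
    std::memcpy(&v, img.data() + rva, sizeof(T));
    return v;
}

// Resolve `want` to its function RVA through the export directory at RVA `dir`.
// Offsets 20..36 are the count and table-RVA fields of IMAGE_EXPORT_DIRECTORY.
std::optional<std::uint32_t> find_export(const Image& img, std::uint64_t dir, std::string_view want) {
    auto nfuncs = read_at<std::uint32_t>(img, dir + 20);  // NumberOfFunctions
    auto nnames = read_at<std::uint32_t>(img, dir + 24);  // NumberOfNames
    auto funcs = read_at<std::uint32_t>(img, dir + 28);   // AddressOfFunctions
    auto names = read_at<std::uint32_t>(img, dir + 32);   // AddressOfNames
    auto ords = read_at<std::uint32_t>(img, dir + 36);    // AddressOfNameOrdinals
    if (!nfuncs || !nnames || !funcs || !names || !ords) return std::nullopt;
    for (std::uint64_t i = 0; i < *nnames; ++i) {
        auto name_rva = read_at<std::uint32_t>(img, *names + 4 * i);
        auto ord = read_at<std::uint16_t>(img, *ords + 2 * i);
        if (!name_rva || !ord || *name_rva >= img.size()) return std::nullopt;
        auto* s = reinterpret_cast<const char*>(img.data() + *name_rva);
        auto* nul = std::memchr(s, 0, img.size() - *name_rva);
        if (!nul) return std::nullopt;  // name not terminated inside the image
        if (std::string_view(s, static_cast<const char*>(nul) - s) != want) continue;
        if (*ord >= *nfuncs) return std::nullopt;  // index past the function table
        return read_at<std::uint32_t>(img, *funcs + 4ull * *ord);
    }
    return std::nullopt;
}

// Constructed sample image: directory at RVA 0, two exports; `ord1` is the second ordinal.
Image make_sample(std::uint16_t ord1) {
    Image img(128, 0);
    auto put32 = [&](std::size_t off, std::uint32_t v) { std::memcpy(&img[off], &v, 4); };
    put32(20, 2); put32(24, 2); put32(28, 40); put32(32, 48); put32(36, 56);
    put32(40, 0x1000); put32(44, 0x1020); put32(48, 64); put32(52, 72);  // function RVAs, name RVAs
    std::memcpy(&img[58], &ord1, 2);                    // ordinal table {0, ord1}
    std::memcpy(&img[64], "NtClose\0NtOpenFile", 19);   // names at RVA 64 and 72
    return img;
}
```

A malformed directory (ordinal past the function table, a table or name running off the image) yields `std::nullopt` instead of an out-of-bounds read.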

## Build

```sh
cmake -S . -B build -DNTSCOPE_BUILD_EXAMPLES=ON -DNTSCOPE_BUILD_TESTS=ON
cmake --build build --config Release
ctest --test-dir build -C Release --output-on-failure
```

## Requirements

- Windows
- C++20 compiler
- CMake 3.20+ for the example/test project