https://github.com/justasmasiulis/inline_syscall
Inline syscalls made easy for windows on clang
https://github.com/justasmasiulis/inline_syscall
assembly cpp17 header-only hooks inline library obfuscation static-analysis syscall syscalls windows x64
Last synced: about 2 months ago
JSON representation
Inline syscalls made easy for windows on clang
- Host: GitHub
- URL: https://github.com/justasmasiulis/inline_syscall
- Owner: JustasMasiulis
- License: apache-2.0
- Created: 2019-05-09T21:01:52.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2024-06-21T00:26:33.000Z (12 months ago)
- Last Synced: 2025-04-04T04:12:32.132Z (2 months ago)
- Topics: assembly, cpp17, header-only, hooks, inline, library, obfuscation, static-analysis, syscall, syscalls, windows, x64
- Language: C++
- Homepage:
- Size: 35.2 KB
- Stars: 700
- Watchers: 19
- Forks: 86
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# inline_syscall []() []() []()
Header only library that allows you to generate direct syscall instructions in an optimized, inlineable and easy to use manner.## How to use
All you have to do is copy over the header files and call the initialization function `init_syscalls_list` before using the `INLINE_SYSCALL(function_pointer)` and `INLINE_SYSCALL_T(function_type)` macros.```cpp
// This header contains the initialization function.
// If you already initialized, inline_syscall.hpp contains all you need.
#include "inline_syscall/include/in_memory_init.hpp"// Needs to be called once at startup before INLINE_SYSCALL is used.
jm::init_syscalls_list();// Usage of the main macro INLINE_SYSCALL
void* allocation = nullptr;
SIZE_T size = 0x1000;
NTSTATUS status = INLINE_SYSCALL(NtAllocateVirtualMemory)((HANDLE)-1, &allocation, 0, &size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
```## What code does it generate
As one of the main goals of this library is to be as optimized as possible here is the output of an optimized build.
```asm
mov qword ptr [rsp+30h], 0 ; void* allocation = nullptr
mov qword ptr [rsp+28h], 1000h ; SIZE_T size = 0x1000;
mov eax, dword ptr [entry (07FF683157004h)] ; syscall id is loaded
lea rdx, [rsp+30h] ; BaseAddress = &allocation
lea r9, [rsp+28h] ; RegionSize = &size
mov r10, 0FFFFFFFFFFFFFFFFh ; ProcessHandle = -1
xor r8d,r8d ; ZeroBits = 0
sub rsp,40h ; preparing stack
mov qword ptr [type],3000h ; AllocationType = MEM_RESERVE | MEM_COMMIT
mov qword ptr [protect], 4 ; Protect = PAGE_READWRITE
syscall ; syscall instruction itself
add rsp,40h ; restoring stack
```## FAQ
* Q: What are the main uses of this? A: Obfuscation and hook avoidance.
* Q: Why would I use this over some other library? A: The code this generates can be inlined and it is optimized for every single parameter count as much as possible.
* Q: Why can't this work on MSVC? A: MSVC doesn't support GCC style inline assembly which can be properly optimized and worked on by compiler.
* Q: Why can't this work on GCC? A: Contrary to MSVC, GCC is too good at optimizing inline assembly and as such breaks my code that tries to be somewhat generic.## Creating your own initialization function
This library enables you to create your own custom initialization routines that are more resilent against missing syscalls or acquire syscall ids in some other way.`JM_INLINE_SYSCALL_ENTRY_TYPE` can be defined with your own syscall entry type that needs to be constructible from a hash. By default `syscall_entry_small` is used, but `syscall_entry_full` is also shipped.
If you want to use the provided `INLINE_SYSCALL` macro you will need to use the provided `jm::hash` function.
To acquire the start of syscall entries you need to call `jm::syscall_entries()` and iterate untill you hit a zero entry.