From e4f43ffd06ca7f5a22203cde13e85ca61ff10f91 Mon Sep 17 00:00:00 2001
From: midipix
Date: Sun, 26 May 2019 06:22:28 -0400
Subject: native api custom import table: added table-generation reference.

---
 src/refs/NTHASH | 253 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/refs/nthash.sh | 11 +++
 2 files changed, 264 insertions(+)
 create mode 100644 src/refs/NTHASH
 create mode 100755 src/refs/nthash.sh
(limited to 'src/refs')

diff --git a/src/refs/NTHASH b/src/refs/NTHASH
new file mode 100644
index 0000000..77ba37d
--- /dev/null
+++ b/src/refs/NTHASH
@@ -0,0 +1,253 @@
+ZwQueryObject
+ZwSetInformationObject
+ZwDuplicateObject
+ZwMakeTemporaryObject
+ZwClose
+ZwQuerySecurityObject
+ZwSetSecurityObject
+ZwCreateDirectoryObject
+ZwOpenDirectoryObject
+ZwQueryDirectoryObject
+ZwCreateSymbolicLinkObject
+ZwOpenSymbolicLinkObject
+ZwQuerySymbolicLinkObject
+ZwQuerySystemInformation
+ZwSetSystemInformation
+ZwQuerySystemEnvironmentValue
+ZwSetSystemEnvironmentValue
+ZwShutdownSystem
+ZwSystemDebugControl
+ZwAllocateVirtualMemory
+ZwFreeVirtualMemory
+ZwQueryVirtualMemory
+ZwProtectVirtualMemory
+ZwReadVirtualMemory
+ZwWriteVirtualMemory
+ZwLockVirtualMemory
+ZwUnlockVirtualMemory
+ZwFlushVirtualMemory
+ZwAllocateUserPhysicalPages
+ZwFreeUserPhysicalPages
+ZwMapUserPhysicalPages
+ZwGetWriteWatch
+ZwResetWriteWatch
+ZwCreateSection
+ZwOpenSection
+ZwQuerySection
+ZwExtendSection
+ZwMapViewOfSection
+ZwUnmapViewOfSection
+ZwAreMappedFilesTheSame
+ZwCreateThread
+ZwOpenThread
+ZwTerminateThread
+ZwQueryInformationThread
+ZwSetInformationThread
+ZwSuspendThread
+ZwResumeThread
+ZwGetContextThread
+ZwSetContextThread
+ZwQueueApcThread
+ZwTestAlert
+ZwAlertThread
+ZwAlertResumeThread
+ZwRegisterThreadTerminatePort
+ZwImpersonateThread
+ZwImpersonateAnonymousToken
+ZwCreateProcess
+ZwCreateUserProcess
+ZwOpenProcess
+ZwTerminateProcess
+ZwQueryInformationProcess
+ZwSetInformationProcess
+ZwFlushInstructionCache
+RtlCreateProcessParameters
+RtlDestroyProcessParameters
+RtlNormalizeProcessParams
+RtlCreateQueryDebugBuffer
+RtlDestroyQueryDebugBuffer
+RtlQueryProcessDebugInformation
+ZwCreateJobObject
+ZwOpenJobObject
+ZwTerminateJobObject
+ZwAssignProcessToJobObject
+ZwQueryInformationJobObject
+ZwSetInformationJobObject
+ZwCreateToken
+ZwOpenProcessToken
+ZwOpenThreadToken
+ZwDuplicateToken
+ZwFilterToken
+ZwAdjustPrivilegesToken
+ZwAdjustGroupsToken
+ZwQueryInformationToken
+ZwSetInformationToken
+ZwWaitForSingleObject
+ZwSignalAndWaitForSingleObject
+ZwWaitForMultipleObjects
+ZwCreateTimer
+ZwOpenTimer
+ZwCancelTimer
+ZwSetTimer
+ZwQueryTimer
+ZwCreateEvent
+ZwOpenEvent
+ZwSetEvent
+ZwPulseEvent
+ZwResetEvent
+ZwClearEvent
+ZwQueryEvent
+ZwCreateSemaphore
+ZwOpenSemaphore
+ZwReleaseSemaphore
+ZwQuerySemaphore
+ZwCreateMutant
+ZwOpenMutant
+ZwReleaseMutant
+ZwQueryMutant
+ZwCreateIoCompletion
+ZwOpenIoCompletion
+ZwSetIoCompletion
+ZwRemoveIoCompletion
+ZwQueryIoCompletion
+ZwCreateEventPair
+ZwOpenEventPair
+ZwWaitLowEventPair
+ZwSetLowEventPair
+ZwWaitHighEventPair
+ZwSetHighEventPair
+ZwSetLowWaitHighEventPair
+ZwSetHighWaitLowEventPair
+ZwQuerySystemTime
+ZwSetSystemTime
+ZwQueryPerformanceCounter
+ZwSetTimerResolution
+ZwQueryTimerResolution
+ZwDelayExecution
+ZwYieldExecution
+ZwCreateProfile
+ZwSetIntervalProfile
+ZwQueryIntervalProfile
+ZwStartProfile
+ZwStopProfile
+ZwCreatePort
+ZwCreateWaitablePort
+ZwConnectPort
+ZwSecureConnectPort
+ZwListenPort
+ZwAcceptConnectPort
+ZwCompleteConnectPort
+ZwRequestPort
+ZwRequestWaitReplyPort
+ZwReplyPort
+ZwReplyWaitReplyPort
+ZwReplyWaitReceivePort
+ZwReplyWaitReceivePortEx
+ZwReadRequestData
+ZwWriteRequestData
+ZwQueryInformationPort
+ZwImpersonateClientOfPort
+CsrClientCallServer
+CsrPortHandle
+ZwLoadDriver
+ZwUnloadDriver
+ZwCreateFile
+ZwOpenFile
+ZwDeleteFile
+ZwFlushBuffersFile
+ZwCancelIoFile
+ZwCancelIoFileEx
+ZwReadFile
+ZwWriteFile
+ZwReadFileScatter
+ZwWriteFileGather
+ZwLockFile
+ZwUnlockFile
+ZwDeviceIoControlFile
+ZwFsControlFile
+ZwNotifyChangeDirectoryFile
+ZwQueryEaFile
+ZwSetEaFile
+ZwCreateNamedPipeFile
+ZwCreateMailslotFile
+ZwQueryVolumeInformationFile
+ZwSetVolumeInformationFile
+ZwQueryQuotaInformationFile
+ZwSetQuotaInformationFile
+ZwQueryAttributesFile
+ZwQueryFullAttributesFile
+ZwQueryDirectoryFile
+ZwQueryInformationFile
+ZwSetInformationFile
+ZwCreateKey
+ZwOpenKey
+ZwDeleteKey
+ZwFlushKey
+ZwSaveKey
+ZwSaveMergedKeys
+ZwRestoreKey
+ZwLoadKey
+ZwLoadKey2
+ZwUnloadKey
+ZwQueryOpenSubKeys
+ZwReplaceKey
+ZwSetInformationKey
+ZwQueryKey
+ZwEnumerateKey
+ZwNotifyChangeKey
+ZwNotifyChangeMultipleKeys
+ZwDeleteValueKey
+ZwSetValueKey
+ZwQueryValueKey
+ZwEnumerateValueKey
+ZwQueryMultipleValueKey
+ZwInitializeRegistry
+ZwPrivilegeCheck
+ZwPrivilegeObjectAuditAlarm
+ZwPrivilegedServiceAuditAlarm
+ZwAccessCheck
+ZwAccessCheckAndAuditAlarm
+ZwAccessCheckByType
+ZwAccessCheckByTypeResultList
+ZwOpenObjectAuditAlarm
+ZwCloseObjectAuditAlarm
+ZwDeleteObjectAuditAlarm
+ZwAccessCheckByTypeAndAuditAlarm
+ZwAccessCheckByTypeResultListAndAuditAlarm
+ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
+ZwIsSystemResumeAutomatic
+ZwSetThreadExecutionState
+ZwGetDevicePowerState
+ZwSetSystemPowerState
+ZwInitiatePowerAction
+ZwPowerInformation
+ZwPlugPlayControl
+ZwGetPlugPlayEvent
+ZwRaiseException
+ZwContinue
+ZwQueryDefaultLocale
+ZwSetDefaultLocale
+ZwQueryDefaultUILanguage
+ZwSetDefaultUILanguage
+ZwQueryInstallUILanguage
+ZwAllocateLocallyUniqueId
+ZwAllocateUuids
+ZwSetUuidSeed
+ZwAddAtom
+ZwFindAtom
+ZwDeleteAtom
+ZwQueryInformationAtom
+ZwFlushWriteBuffer
+ZwRaiseHardError
+ZwSetDefaultHardErrorPort
+ZwDisplayString
+ZwCreatePagingFile
+ZwSetLdtEntries
+ZwVdmControl
+LdrLoadDll
+LdrUnloadDll
+memset
+sprintf
+_snprintf
+vsprintf
+_vsnprintf
diff --git a/src/refs/nthash.sh b/src/refs/nthash.sh
new file mode 100755
index 0000000..fc9d3ba
--- /dev/null
+++ b/src/refs/nthash.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+printf '#define __NTAPI_HASH_TABLE %s\n' '\'
+
+N=0; for f in $(cat NTHASH); do
+ HASH="0x$(printf "%s\n" $f | mdso -c32 - | cut -d' ' -f1)";
+ printf "\t{0x%08x,\t(%d)},\t/* %s */ %s\n" $HASH $N $f '\';
+ N=$((N + 1));
+done | sort -k2 -g
+
+printf '\n#define __NT_IMPORTED_SYMBOLS_ARRAY_SIZE\t%d\n' "$(cat NTHASH | wc -l)"
-- 
cgit v1.2.3
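Review bot: A failed hash computation on the `HASH=` line of nthash.sh is never detected: `$(...)` reports only the status of the trailing `cut`, so if `mdso` is missing or fails, HASH becomes the bare string `0x` and the following printf silently emits a `0x00000000` entry into the generated import table. Add an explicit check right after the assignment, e.g. `[ "$HASH" != 0x ] || { printf 'nthash: hash failed for %s\n' "$f" >&2; exit 1; }`, and quote the expansions on those lines (`"$f"`, `"$HASH" "$N" "$f"`) so ShellCheck passes. Because the loop is the left-hand side of the pipe into `sort`, an `exit` inside it ends only that subshell and the script still finishes with status 0; writing the loop output to a `mktemp` file before sorting, or documenting that callers must validate the generated header, would close that gap. `for f in $(cat NTHASH)` also relies on the names never containing glob or IFS characters; `while IFS= read -r f; do ...; done < NTHASH` removes that dependency. Separately, `sort -k2 -g` keys on the `(N)},` field, which `-g` cannot parse as a number, so the final order appears to fall back to whole-line comparison (i.e. by hash value); if hash-sorted output is the intent, keying on the first field, or a leading comment stating the table must be sorted by hash, would make that explicit.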