@@ -54,11 +54,11 @@ PVOID SC_Address(PVOID NtApiAddress)
5454 #ifdef _WIN64
5555 // If the process is 64-bit on a 64-bit OS, we need to search for syscall
5656 BYTE syscall_code [] = { 0x0f , 0x05 , 0xc3 };
57- ULONG distance_to_syscall = 0x12 ;
57+ ULONG distance_to_syscall [ 2 ] = { 0x12 , 0x8 }; //in some ntdll version it is 8 distance
5858 #else
5959 // If the process is 32-bit on a 32-bit OS, we need to search for sysenter
6060 BYTE syscall_code [] = { 0x0f , 0x34 , 0xc3 };
61- ULONG distance_to_syscall = 0x0f ;
61+ ULONG distance_to_syscall [ 1 ] = { 0x0f } ;
6262 #endif
6363
6464 #ifdef _M_IX86
@@ -74,46 +74,49 @@ PVOID SC_Address(PVOID NtApiAddress)
7474
7575 // we don't really care if there is a 'jmp' between
7676 // NtApiAddress and the 'syscall; ret' instructions
77- SyscallAddress = SW3_RVA2VA (PVOID , NtApiAddress , distance_to_syscall );
78-
79- if (!memcmp ((PVOID )syscall_code , SyscallAddress , sizeof (syscall_code )))
77+ for (ULONG32 index = 0 ;index < _countof (distance_to_syscall ); index ++ )
8078 {
81- // we can use the original code for this system call :)
82- #if defined(DEBUG )
83- printf ("Found Syscall Opcodes at address 0x%p\n" , SyscallAddress );
84- #endif
85- return SyscallAddress ;
86- }
87-
88- // the 'syscall; ret' intructions have not been found,
89- // we will try to use one near it, similarly to HalosGate
79+ SyscallAddress = SW3_RVA2VA (PVOID , NtApiAddress , distance_to_syscall [index ]);
9080
91- for (ULONG32 num_jumps = 1 ; num_jumps < searchLimit ; num_jumps ++ )
92- {
93- // let's try with an Nt* API below our syscall
94- SyscallAddress = SW3_RVA2VA (
95- PVOID ,
96- NtApiAddress ,
97- distance_to_syscall + num_jumps * 0x20 );
9881 if (!memcmp ((PVOID )syscall_code , SyscallAddress , sizeof (syscall_code )))
9982 {
100- #if defined(DEBUG )
101- printf ("Found Syscall Opcodes at address 0x%p\n" , SyscallAddress );
102- #endif
83+ // we can use the original code for this system call :)
84+ #if defined(DEBUG )
85+ printf ("Found Syscall Opcodes at address 0x%p\n" , SyscallAddress );
86+ #endif
10387 return SyscallAddress ;
10488 }
10589
106- // let's try with an Nt* API above our syscall
107- SyscallAddress = SW3_RVA2VA (
108- PVOID ,
109- NtApiAddress ,
110- distance_to_syscall - num_jumps * 0x20 );
111- if (!memcmp ((PVOID )syscall_code , SyscallAddress , sizeof (syscall_code )))
90+ // the 'syscall; ret' intructions have not been found,
91+ // we will try to use one near it, similarly to HalosGate
92+
93+ for (ULONG32 num_jumps = 1 ; num_jumps < searchLimit ; num_jumps ++ )
11294 {
113- #if defined(DEBUG )
114- printf ("Found Syscall Opcodes at address 0x%p\n" , SyscallAddress );
115- #endif
116- return SyscallAddress ;
95+ // let's try with an Nt* API below our syscall
96+ SyscallAddress = SW3_RVA2VA (
97+ PVOID ,
98+ NtApiAddress ,
99+ distance_to_syscall [index ] + num_jumps * 0x20 );
100+ if (!memcmp ((PVOID )syscall_code , SyscallAddress , sizeof (syscall_code )))
101+ {
102+ #if defined(DEBUG )
103+ printf ("Found Syscall Opcodes at address 0x%p\n" , SyscallAddress );
104+ #endif
105+ return SyscallAddress ;
106+ }
107+
108+ // let's try with an Nt* API above our syscall
109+ SyscallAddress = SW3_RVA2VA (
110+ PVOID ,
111+ NtApiAddress ,
112+ distance_to_syscall [index ] - num_jumps * 0x20 );
113+ if (!memcmp ((PVOID )syscall_code , SyscallAddress , sizeof (syscall_code )))
114+ {
115+ #if defined(DEBUG )
116+ printf ("Found Syscall Opcodes at address 0x%p\n" , SyscallAddress );
117+ #endif
118+ return SyscallAddress ;
119+ }
117120 }
118121 }
119122
0 commit comments