Repository files navigation

Header only library that allows you to generate direct syscall instructions in an optimized, inlineable and easy to use manner.

All you have to do is copy over the header files and call the initialization functioninit_syscalls_list before using theINLINE_SYSCALL(function_pointer) andINLINE_SYSCALL_T(function_type) macros.

// This header contains the initialization function.// If you already initialized, inline_syscall.hpp contains all you need.#include"inline_syscall/include/in_memory_init.hpp"// Needs to be called once at startup before INLINE_SYSCALL is used.jm::init_syscalls_list();// Usage of the main macro INLINE_SYSCALLvoid* allocation =nullptr;SIZE_T size      =0x1000;NTSTATUS status  = INLINE_SYSCALL(NtAllocateVirtualMemory)((HANDLE)-1, &allocation,0, &size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

As one of the main goals of this library is to be as optimized as possible here is the output of an optimized build.

mov qword ptr[rsp+30h],0                  ; void* allocation = nullptrmov qword ptr[rsp+28h],1000h              ; SIZE_T size      = 0x1000;moveax, dword ptr[entry (07FF683157004h)] ; syscall id is loadedleardx,[rsp+30h]                          ; BaseAddress     = &allocationlear9,[rsp+28h]                           ; RegionSize      = &sizemovr10,0FFFFFFFFFFFFFFFFh                 ; ProcessHandle   = -1xorr8d,r8d                                 ; ZeroBits        = 0subrsp,40h                                 ; preparing stackmov qword ptr[type],3000h                  ; AllocationType  = MEM_RESERVE | MEM_COMMITmov qword ptr[protect],4                  ; Protect         = PAGE_READWRITEsyscall                                     ; syscall instruction itselfaddrsp,40h                                 ; restoring stack

• Q: What are the main uses of this? A: Obfuscation and hook avoidance.
• Q: Why would I use this over some other library? A: The code this generates can be inlined and it is optimized for every single parameter count as much as possible.
• Q: Why can't this work on MSVC? A: MSVC doesn't support GCC style inline assembly which can be properly optimized and worked on by compiler.
• Q: Why can't this work on GCC? A: Contrary to MSVC, GCC is too good at optimizing inline assembly and as such breaks my code that tries to be somewhat generic.

This library enables you to create your own custom initialization routines that are more resilent against missing syscalls or acquire syscall ids in some other way.

JM_INLINE_SYSCALL_ENTRY_TYPE can be defined with your own syscall entry type that needs to be constructible from a hash. By defaultsyscall_entry_small is used, butsyscall_entry_full is also shipped.

If you want to use the providedINLINE_SYSCALL macro you will need to use the providedjm::hash function.

To acquire the start of syscall entries you need to calljm::syscall_entries() and iterate untill you hit a zero entry.