syscall
Classes, exceptions, and methods to parse Windows syscall codes and call syscalls directly.
- class pyjectify.windows.utils.syscall.Syscall(syscalltable: Dict[str, int] = {})
This class represents an ntdll-like object and provides methods to parse and use direct syscalls.
You can use Syscall.NtFunc(args) to call an ntdll function. If the syscall code for NtFunc has already been retrieved, the call is made through a direct syscall; otherwise it falls back to the function exported by the loaded ntdll.
This util does not support WOW64.
Initialization: builds a method that performs direct syscalls through a small shellcode stub
- Parameters:
syscalltable – initial syscall codes (can be filled later)
- property syscalltable: dict[str, int]
Dict of ntdll function name -> syscall code (store the retrieved syscall codes)
- property syscall: Callable[[...], int]
Syscall wrapper: the first argument is the syscall code, the remaining arguments are the syscall arguments
- get_syscode(syscall: str, from_disk: bool = False) -> int
Retrieve a syscall code from the loaded ntdll or from ntdll.dll on disk, and update the syscalltable attribute accordingly
- Parameters:
syscall – name of the syscall to retrieve
from_disk – whether the syscall code is retrieved from the loaded ntdll (False) or from ntdll.dll on disk (True); reading from disk is the usual choice when the in-memory ntdll may have been patched by a user-mode hook
- Returns:
The syscall code corresponding to the syscall
- get_common(from_disk: bool = False)
Retrieve common syscall codes from the loaded ntdll or from ntdll.dll on disk, and update the syscalltable attribute accordingly
Syscall codes retrieved are those used by PyJectify’s core ProcessHandle: NtQueryVirtualMemory, NtAllocateVirtualMemory, NtFreeVirtualMemory, NtProtectVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx
- Parameters:
from_disk – whether the syscall codes are retrieved from the loaded ntdll (False) or from ntdll.dll on disk (True)