syscall
Classes, exceptions, and methods to parse Windows syscall codes and call syscalls directly.
- class pyjectify.windows.utils.syscall.Syscall(syscalltable: Dict[str, str] = {})
This class represents an NTDLL-like object and provides methods to parse and use direct syscalls.
You can use Syscall.NtFunc(args) to call an NTDLL function. If the syscode for that function was retrieved, the call is made through a direct syscall; otherwise it falls back to the loaded ntdll.
This util does not support WOW64.
- syscalltable: dict
Dict mapping syscall name -> syscode; stores the retrieved syscall codes.
- syscall: CFUNCTYPE
Syscall wrapper: the first argument is the syscode and the remaining arguments are the syscall arguments.
- get_syscode(syscall: str, from_disk: bool = False) -> int
Retrieve a syscall code from the loaded ntdll or from ntdll.dll on disk.
- Parameters:
syscall – syscall name to retrieve
from_disk – whether the syscode is retrieved from the loaded ntdll (False) or from the ntdll.dll on disk (True)
- Returns:
The syscode corresponding to the syscall
- get_common(from_disk: bool = False)
Retrieve common syscall codes from the loaded ntdll or from ntdll.dll on disk.
Syscall codes retrieved are those used by PyJectify’s core ProcessHandle: NtQueryVirtualMemory, NtAllocateVirtualMemory, NtFreeVirtualMemory, NtProtectVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx
- Parameters:
from_disk – whether the syscodes are retrieved from the loaded ntdll (False) or from the ntdll.dll on disk (True)
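Added example, not PyJectify's own code, of the parsing step a get_syscode-style helper performs: on x64, each Nt* export in ntdll.dll begins with the prologue `mov r10, rcx; mov eax, <syscode>` (bytes 4C 8B D1 B8 followed by a 32-bit immediate), so the syscall code is read from the immediate. The helper names and the sample stubs (with made-up codes) are constructed here; WOW64 (x86) stubs use a different layout and are not handled, consistent with the note above.

```python
import struct
from typing import Dict, Optional

# x64 NTDLL syscall stub prologue: mov r10, rcx ; mov eax, imm32
STUB_PROLOGUE = b"\x4c\x8b\xd1\xb8"


def parse_syscode(stub: bytes) -> Optional[int]:
    """Return the syscall code encoded in an x64 NTDLL stub, or None when the
    bytes do not start with the expected prologue (the export is not a syscall
    stub, or its first instructions have been patched and can't be trusted)."""
    if len(stub) < 8 or not stub.startswith(STUB_PROLOGUE):
        return None
    return struct.unpack_from("<I", stub, 4)[0]


def build_syscalltable(exports: Dict[str, bytes]) -> Dict[str, int]:
    """Build a syscall-name -> syscode table (same shape as Syscall.syscalltable,
    but with int codes), skipping exports whose stub cannot be parsed."""
    table: Dict[str, int] = {}
    for name, stub in exports.items():
        code = parse_syscode(stub)
        if code is not None:
            table[name] = code
    return table


# Constructed sample stubs; the codes are made up, not real Windows values.
SAMPLE_EXPORTS = {
    "NtAllocateVirtualMemory": b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00" + b"\x0f\x05\xc3",
    "NtProtectVirtualMemory": b"\x4c\x8b\xd1\xb8\x50\x00\x00\x00" + b"\x0f\x05\xc3",
    # Prologue replaced by a jmp: the code can no longer be read from the bytes.
    "NtWriteVirtualMemory": b"\xe9\x00\x00\x00\x00\x90\x90\x90",
    # Not a syscall stub at all (ordinary function code).
    "RtlGetVersion": b"\x48\x89\x5c\x24\x08\x57\x48\x83",
}

if __name__ == "__main__":
    for name, code in build_syscalltable(SAMPLE_EXPORTS).items():
        print(f"{name}: {code:#x}")
```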