
Coding revision for SyscallDumper
daem0nc0re committed Dec 1, 2022
1 parent 9eea9e8 commit 382ffb6
Showing 5 changed files with 36 additions and 70 deletions.
32 changes: 10 additions & 22 deletions SyscallDumper/SyscallDumper/Handler/Execute.cs
Expand Up @@ -8,12 +8,13 @@ internal class Execute
{
public static void Run(CommandLineParser options)
{
string target_1 = options.GetValue("INPUT_DLL_1");
string target_2 = options.GetValue("INPUT_DLL_2");
string output = null;
string result;
string ntdll;
string win32u;
string target_1 = options.GetValue("INPUT_DLL_1");
string target_2 = options.GetValue("INPUT_DLL_2");
string filter = options.GetValue("search");
string output = null;

if (options.GetFlag("help"))
{
Expand Down Expand Up @@ -43,12 +44,8 @@ public static void Run(CommandLineParser options)
Console.WriteLine("[*] No target is specified.");
Console.WriteLine("[>] Dumping from system default ntdll.dll and win32u.dll.");

ntdll = Modules.GetSyscallTable(
@"C:\Windows\System32\ntdll.dll",
options.GetValue("filter"));
win32u = Modules.GetSyscallTable(
@"C:\Windows\System32\win32u.dll",
options.GetValue("filter"));
ntdll = Modules.GetSyscallTable(@"C:\Windows\System32\ntdll.dll", filter);
win32u = Modules.GetSyscallTable(@"C:\Windows\System32\win32u.dll", filter);

if (string.IsNullOrEmpty(output))
{
Expand All @@ -61,9 +58,7 @@ public static void Run(CommandLineParser options)

try
{
File.AppendAllText(
output,
string.Format("{0}\n\n{1}", ntdll, win32u));
File.AppendAllText(output, string.Format("{0}\n\n{1}", ntdll, win32u));
}
catch
{
Expand All @@ -77,9 +72,7 @@ public static void Run(CommandLineParser options)
}
else
{
result = Modules.GetSyscallTable(
target_1,
options.GetValue("filter"));
result = Modules.GetSyscallTable(target_1, filter);

if (string.IsNullOrEmpty(output))
{
Expand Down Expand Up @@ -122,10 +115,7 @@ public static void Run(CommandLineParser options)
return;
}

result = Modules.GetDiffTable(
target_1,
target_2,
options.GetValue("filter"));
result = Modules.GetDiffTable(target_1, target_2, filter);

if (string.IsNullOrEmpty(output))
{
Expand All @@ -138,9 +128,7 @@ public static void Run(CommandLineParser options)

try
{
File.AppendAllText(
output,
string.Format("{0}", result));
File.AppendAllText(output, string.Format("{0}", result));
}
catch
{
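Review bot: In the last hunk `string.Format("{0}", result)` is an identity call, so the line can simply be `File.AppendAllText(output, result);`, and the earlier hunk's `string.Format("{0}\n\n{1}", ntdll, win32u)` reads more directly as `ntdll + "\n\n" + win32u` or an interpolated string. Separately, `output` is a user-supplied path and `File.AppendAllText` appends to an existing file, so re-running with the same `-o` target silently accumulates dumps; if a fresh file is intended, `File.WriteAllText` makes that explicit. Both writes sit inside a bare `catch` whose body is outside the hunk, so it is not visible here whether a failed write is reported to the user. Run's body starts and ends outside the visible hunks.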
48 changes: 16 additions & 32 deletions SyscallDumper/SyscallDumper/Library/Helpers.cs
Expand Up @@ -10,14 +10,14 @@ public static string BuildModifiedSyscallTableText(
Dictionary<string, int> syscallTableBase,
Dictionary<string, int> syscallTableModified)
{
var result = new StringBuilder();
var columnName = "Syscall Name";
var columnNumber = "Number";
var columnHexNumber = "Number (hex)";
string formatter;
string delimiter;
string numberString;
string hexNumberString;
var result = new StringBuilder();
var columnName = "Syscall Name";
var columnNumber = "Number";
var columnHexNumber = "Number (hex)";
var maxNameLength = columnName.Length;
var maxNumberLength = columnNumber.Length;
var maxHexNumberLength = columnHexNumber.Length;
Expand Down Expand Up @@ -51,14 +51,10 @@ public static string BuildModifiedSyscallTableText(
maxHexNumberLength);
delimiter = string.Format(
"{0}\n",
new string('-', 10+ maxNameLength + maxNumberLength + maxHexNumberLength));
new string('-', 10 + maxNameLength + maxNumberLength + maxHexNumberLength));

result.Append(delimiter);
result.Append(string.Format(
formatter,
columnName,
columnNumber,
columnHexNumber));
result.Append(string.Format(formatter, columnName, columnNumber, columnHexNumber));
result.Append(delimiter);

foreach (var name in syscallTableModified.Keys)
Expand All @@ -85,30 +81,24 @@ public static string BuildModifiedSyscallTableText(
}


public static string BuildSyscallTableText(
Dictionary<string, int> syscallTable)
public static string BuildSyscallTableText(Dictionary<string, int> syscallTable)
{
var result = new StringBuilder();
var columnName = "Syscall Name";
var columnNumber = "Number";
var columnHexNumber = "Number (hex)";
string formatter;
string delimiter;
string numberString;
string hexNumberString;
var result = new StringBuilder();
var columnName = "Syscall Name";
var columnNumber = "Number";
var columnHexNumber = "Number (hex)";
var maxNameLength = columnName.Length;
var maxNumberLength = columnNumber.Length;
var maxHexNumberLength = columnHexNumber.Length;

foreach (var name in syscallTable.Keys)
{
numberString = string.Format(
"{0}",
syscallTable[name]);

hexNumberString = string.Format(
"0x{0}",
syscallTable[name].ToString("X4"));
numberString = string.Format("{0}", syscallTable[name]);
hexNumberString = string.Format("0x{0}", syscallTable[name].ToString("X4"));

if (name.Length > maxNameLength)
maxNameLength = name.Length;
Expand All @@ -130,11 +120,7 @@ public static string BuildSyscallTableText(
new string('-', 10 + maxNameLength + maxNumberLength + maxHexNumberLength));

result.Append(delimiter);
result.Append(string.Format(
formatter,
columnName,
columnNumber,
columnHexNumber));
result.Append(string.Format(formatter, columnName, columnNumber, columnHexNumber));
result.Append(delimiter);

foreach (var entry in syscallTable)
Expand All @@ -151,11 +137,9 @@ public static string BuildSyscallTableText(
return result.ToString();
}

public static bool CompareStringIgnoreCase(string stringA, string stringB)
public static bool CompareIgnoreCase(string strA, string strB)
{
var comparison = StringComparison.OrdinalIgnoreCase;

return (string.Compare(stringA, stringB, comparison) == 0);
return (string.Compare(strA, strB, StringComparison.OrdinalIgnoreCase) == 0);
}
}
}
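Review bot: `CompareIgnoreCase` in the last hunk tests equality via `string.Compare(...) == 0`, which is an ordering API; `return string.Equals(strA, strB, StringComparison.OrdinalIgnoreCase);` states the intent directly and keeps the same null handling. In `BuildSyscallTableText` the first loop still iterates `syscallTable.Keys` and indexes `syscallTable[name]` twice per key, while the later loop already uses `foreach (var entry in syscallTable)`; iterating entries in both loops would drop the repeated lookups and match the existing style. Both `Build*` methods would also benefit from a `/// <summary>` stating the column layout they emit (name, decimal number, hex number) since that is what callers format output around. The `Build*` method bodies extend outside the hunks.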
7 changes: 3 additions & 4 deletions SyscallDumper/SyscallDumper/Library/Modules.cs
Expand Up @@ -26,9 +26,9 @@ private static Dictionary<string, int> FilterTable(

public static string GetSyscallTable(string filePath, string filter)
{
Dictionary<string, int> table;
var result = new StringBuilder();
var fullPath = Path.GetFullPath(filePath);
Dictionary<string, int> table;

if (!File.Exists(fullPath))
{
Expand Down Expand Up @@ -58,15 +58,14 @@ public static string GetSyscallTable(string filePath, string filter)

public static string GetDiffTable(string oldFilePath, string newFilePath, string filter)
{
var results = new StringBuilder();
Dictionary<string, int> oldTable;
Dictionary<string, int> newTable;
var results = new StringBuilder();
var deleted = new Dictionary<string, int>();
var modified = new Dictionary<string, int>();
var added = new Dictionary<string, int>();

if (string.IsNullOrEmpty(oldFilePath) ||
string.IsNullOrEmpty(newFilePath))
if (string.IsNullOrEmpty(oldFilePath) || string.IsNullOrEmpty(newFilePath))
{
Console.WriteLine("[-] Missing file name to diff.");

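Review bot: `GetSyscallTable` calls `Path.GetFullPath(filePath)` before validating `filePath`, whereas `GetDiffTable` in the second hunk guards both paths with `string.IsNullOrEmpty` first; a null or empty path therefore surfaces as an ArgumentException from GetFullPath instead of a `[-]` message. Adding an `if (string.IsNullOrEmpty(filePath))` guard with the same early return the `!File.Exists(fullPath)` branch uses would make the two entry points consistent. The caller in Execute.cs appears to reach this method only with a target present, so the gap may be unreachable today; both method bodies continue outside the hunks.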
13 changes: 6 additions & 7 deletions SyscallDumper/SyscallDumper/Library/Utilities.cs
Expand Up @@ -7,15 +7,14 @@ namespace SyscallDumper.Library
{
internal class Utilities
{
public static Dictionary<string, int> DumpSyscallNumber(
string filePath)
public static Dictionary<string, int> DumpSyscallNumber(string filePath)
{
var results = new Dictionary<string, int>();
var rgx = new Regex(@"^Nt\S+$");
var fullPath = Path.GetFullPath(filePath);
string imageName;
int syscallNumber;
Dictionary<string, IntPtr> exports;
var results = new Dictionary<string, int>();
var rgx = new Regex(@"^Nt\S+$");
var fullPath = Path.GetFullPath(filePath);

if (!File.Exists(fullPath))
{
Expand All @@ -36,8 +35,8 @@ public static Dictionary<string, int> DumpSyscallNumber(
Console.WriteLine(" [*] Architecture : {0}", pe.Architecture);
Console.WriteLine(" [*] Image Name : {0}", imageName);

if (!Helpers.CompareStringIgnoreCase(imageName, "ntdll.dll") &&
!Helpers.CompareStringIgnoreCase(imageName, "win32u.dll"))
if (!Helpers.CompareIgnoreCase(imageName, "ntdll.dll") &&
!Helpers.CompareIgnoreCase(imageName, "win32u.dll"))
{
Console.WriteLine("[-] Loaded file is not ntdll.dll or win32u.dll.");

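Review bot: `var rgx = new Regex(@"^Nt\S+$");` in the first hunk builds a new Regex on every call to `DumpSyscallNumber`; hoisting it to a class-level `private static readonly Regex NtExportPattern = new Regex(@"^Nt\S+$");` avoids the repeated construction and documents what the pattern selects. The `Path.GetFullPath(filePath)` call here also runs before any null/empty check on `filePath`, so a missing argument surfaces as an ArgumentException rather than the `[-]` message the `!File.Exists` branch prints. The `CompareIgnoreCase` rename in the second hunk is consistent with Helpers.cs in this commit; DumpSyscallNumber's body continues outside the hunks.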
6 changes: 1 addition & 5 deletions SyscallDumper/SyscallDumper/SyscallDumper.cs
Expand Up @@ -17,7 +17,7 @@ static void Main(string[] args)
options.AddFlag(false, "h", "help", "Displays this help message.");
options.AddFlag(false, "d", "dump", "Flag to dump syscall from ntdll.dll or win32u.dll.");
options.AddFlag(false, "D", "diff", "Flag to take diff between 2 dlls.");
options.AddParameter(false, "f", "filter", null, "Specifies search filter (e.g. \"-f createfile\").");
options.AddParameter(false, "s", "search", null, "Specifies search filter (e.g. \"-s createfile\").");
options.AddParameter(false, "o", "output", null, "Specifies output file (e.g. \"-o result.txt\").");
options.AddArgument(false, "INPUT_DLL_1", "Specifies path of ntdll.dll or win32u.dll. Older one in diffing.");
options.AddArgument(false, "INPUT_DLL_2", "Specifies path of ntdll.dll or win32u.dll. Newer one in diffing.");
Expand All @@ -28,15 +28,11 @@ static void Main(string[] args)
catch (InvalidOperationException ex)
{
Console.WriteLine(ex.Message);

return;
}
catch (ArgumentException ex)
{
options.GetHelp();
Console.WriteLine(ex.Message);

return;
}
}
}
