; Syntax: MASM, x64. Register usage in this file (rcx/rdx/r8/r9 arguments,
; 28h-byte call frame) follows the Microsoft x64 calling convention.
; Contents: one shared routine (WhisperMain) and four entry stubs
; (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx,
; NtProtectVirtualMemory) that issue the `syscall` instruction themselves.
.data
; Hash selecting the system service for the call in progress. Each stub
; stores its constant here; WhisperMain reads it back.
; NOTE(review): a single process-wide DWORD with no synchronization in this
; file -- two threads entering different stubs at the same time can race
; between the store in the stub and the load in WhisperMain.
currentHash DWORD 0
.code
; Defined outside this file. Called from WhisperMain with the hash in ecx;
; its result is taken from eax.
EXTERN SW2_GetSyscallNumber: PROC
;-----------------------------------------------------------------------
; WhisperMain -- common tail shared by every stub in this file.
; Entered only through `call WhisperMain` from a stub; it never returns to
; that stub, but directly to the stub's caller.
; ABI:   Microsoft x64 (assumes the stub's caller reserved the 32-byte home
;        space above its return address -- TODO confirm for all call sites)
; In:    rcx, rdx, r8, r9 = first four arguments of the Nt* call; further
;        arguments stay where the caller put them on the stack
;        currentHash      = value stored by the stub
; Out:   rax = value left by the kernel after `syscall`
; Clobb: rax, r10, rcx and r11 (overwritten by `syscall`), flags, plus
;        whatever SW2_GetSyscallNumber clobbers
; NOTE(review): declared with plain PROC (no FRAME / unwind directives)
; although it adjusts rsp and calls out, so stack walks and exception
; unwinding through this routine may be unreliable.
; NOTE(review): the `syscall` below executes from this module's .code
; section, not from ntdll.dll. The call therefore does not pass through
; ntdll's exported stubs, and the kernel-transition return address lies
; outside ntdll -- the property that syscall-origin and call-stack
; telemetry checks for.
;-----------------------------------------------------------------------
WhisperMain PROC
; Discard the return address pushed by the stub's `call`; [rsp] is now the
; return address of the stub's caller again. The popped value is not used.
pop rax
mov [rsp+ 8], rcx ; Spill the four register arguments into the caller's home slots
mov [rsp+16], rdx ; so they survive the call below (all four are volatile).
mov [rsp+24], r8
mov [rsp+32], r9
; 20h bytes of home space for the callee + 8 bytes of padding. With
; rsp % 16 == 8 at stub entry this leaves rsp 16-byte aligned at the call.
sub rsp, 28h
mov ecx, currentHash ; First argument: hash stored by the stub.
call SW2_GetSyscallNumber
; eax now holds the resolver's result and is used as the system call number
; without any check. NOTE(review): confirm what SW2_GetSyscallNumber returns
; for a hash it cannot resolve; that value would be passed to the kernel.
add rsp, 28h
mov rcx, [rsp+ 8] ; Reload the original arguments; `mov` leaves rax untouched.
mov rdx, [rsp+16]
mov r8, [rsp+24]
mov r9, [rsp+32]
mov r10, rcx ; `syscall` overwrites rcx with the return RIP, so the first argument travels in r10.
syscall ; Enter the kernel with the number in eax.
ret ; Returns to the stub's caller (the stub's own return address was popped on entry).
WhisperMain ENDP
; Entry stub for NtAllocateVirtualMemory. Leaves the caller's arguments in
; rcx/rdx/r8/r9 and on the stack untouched, stores this service's hash in
; the shared global and hands over to WhisperMain.
; There is deliberately no `ret`: WhisperMain pops the return address this
; `call` pushes and returns straight to the stub's caller, so control never
; comes back here or falls through into the next PROC.
; NOTE(review): the constant must match what SW2_GetSyscallNumber expects
; for this service; that cannot be verified from this file.
NtAllocateVirtualMemory PROC
mov currentHash, 00B9D610Fh ; Store this service's hash in the shared global (not thread-safe, see currentHash).
call WhisperMain ; Resolve the hash to a system call number and issue the call; does not return here.
NtAllocateVirtualMemory ENDP
; Entry stub for NtWriteVirtualMemory. Leaves the caller's arguments in
; rcx/rdx/r8/r9 and on the stack untouched, stores this service's hash in
; the shared global and hands over to WhisperMain.
; There is deliberately no `ret`: WhisperMain pops the return address this
; `call` pushes and returns straight to the stub's caller, so control never
; comes back here or falls through into the next PROC.
; NOTE(review): the constant must match what SW2_GetSyscallNumber expects
; for this service; that cannot be verified from this file.
NtWriteVirtualMemory PROC
mov currentHash, 07BEB777Fh ; Store this service's hash in the shared global (not thread-safe, see currentHash).
call WhisperMain ; Resolve the hash to a system call number and issue the call; does not return here.
NtWriteVirtualMemory ENDP
; Entry stub for NtCreateThreadEx. Leaves the caller's arguments in
; rcx/rdx/r8/r9 and on the stack untouched, stores this service's hash in
; the shared global and hands over to WhisperMain.
; There is deliberately no `ret`: WhisperMain pops the return address this
; `call` pushes and returns straight to the stub's caller, so control never
; comes back here or falls through into the next PROC.
; NOTE(review): the constant must match what SW2_GetSyscallNumber expects
; for this service; that cannot be verified from this file.
NtCreateThreadEx PROC
mov currentHash, 005285BEFh ; Store this service's hash in the shared global (not thread-safe, see currentHash).
call WhisperMain ; Resolve the hash to a system call number and issue the call; does not return here.
NtCreateThreadEx ENDP
; Entry stub for NtProtectVirtualMemory. Leaves the caller's arguments in
; rcx/rdx/r8/r9 and on the stack untouched, stores this service's hash in
; the shared global and hands over to WhisperMain.
; There is deliberately no `ret`: WhisperMain pops the return address this
; `call` pushes and returns straight to the stub's caller, so control never
; comes back here or falls through to the end of the file.
; NOTE(review): the constant must match what SW2_GetSyscallNumber expects
; for this service; that cannot be verified from this file.
NtProtectVirtualMemory PROC
mov currentHash, 0C19A0ACAh ; Store this service's hash in the shared global (not thread-safe, see currentHash).
call WhisperMain ; Resolve the hash to a system call number and issue the call; does not return here.
NtProtectVirtualMemory ENDP
end