direct syscalls independent of the underlying bit width

get_syscall64_ids.h

@@ -0,0 +1,71 @@
+#ifndef GET_SYSCALL64_IDS_H
+#define GET_SYSCALL64_IDS_H
+/**
+\file
+*/
+
+/**
+\brief Definition of the hashs of APIs and the error value INVALID_SYSCALL_ID
+*/
+enum SYSCALL_IDS
+{
+	// Files
+	NTOPENFILE = 0xC29C5019, //! Supported by get_basic_syscall_ID
+	NTCREATEFILE = 0x15A5ECDB, //! Supported by get_basic_syscall_ID
+	NTREADFILE = 0x2E979AE3,  //! Supported by get_basic_syscall_ID
+	NTCLOSE = 0x8B8E133D,  //! Supported by get_basic_syscall_ID
+	NTWRITEFILE = 0xD69326B2,
+
+	// Mutexes
+	NTCREATEMUTANT = 0x280632B4,
+	NTOPENMUTANT = 0xEC225D72,
+	NTRELEASEMUTANT = 0x29567961,
+
+	// Registry
+	NTOPENKEY = 0x4BB73E02,
+	NTQUERYVALUEKEY = 0xB4C18A83,
+
+	// Process
+	NTQUERYSYSTEMINFORMATION = 0xEE4F73A8,
+
+	INVALID_SYSCALL_ID = 0xFFFFFFFF, //! Used to signify errors
+};
+
+/**
+\brief Gets the basic ID for the hash given.
+
+This function does not dependent on the ID table but instead has
+hardcoded definitions for a FEW Apis (these are marked in the
+SYSCALL_IDS enum)
+\param func The hash of the API that the ID is searched for
+\return Returns the ID or INVALID_SYSCALL_ID
+\sa get_syscall_ID()
+*/
+DWORD get_basic_syscall_ID(SYSCALL_IDS func);
+
+/**
+\brief Initalizes the ID table.
+\return If FALSE no direct syscalls can be made.
+\sa free_ID_table()
+*/
+BOOL initalize_ID_table();
+
+/**
+\brief Frees the ID table. After this is done
+no direct syscalls can be made anymore
+\sa initalize_ID_table()
+*/
+VOID destroy_ID_table();
+
+/**
+\brief Gets the ID for the hash given.
+\pre This function does dependent on the ID table so make sure
+to initalize_ID_table() first.
+\param func The hash of the API that the ID is searched for
+\return Returns the ID or INVALID_SYSCALL_ID
+\sa initalize_ID_table()
+*/
+DWORD get_syscall_ID(DWORD func);
+
+#endif // GET_SYSCALL64_IDS_H
+