Skip to content

Instantly share code, notes, and snippets.

@zaneGittins

zaneGittins/direct-syscall-createfile.cpp

Created November 28, 2022 23:15
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save zaneGittins/02a9786680b502305427f6ff03bc274c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save zaneGittins/02a9786680b502305427f6ff03bc274c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
direct-syscall-createfile.cpp
#include <stdio.h>
#include <Windows.h>
#include <winternl.h>
#include "winternl.h"
#pragma comment(lib, "ntdll")
/* based on: https://github.com/nothydud/direct-syscall/blob/master/main.c
https://github.com/matthieu-hackwitharts/Win32_Offensive_Cheatsheet/blob/main/evasion/direct_syscall.cpp
*/
_declspec(naked) NTSTATUS _stdcall NtCreateFile(PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength)
{
_asm
{
mov eax, 0x55 // System call symbol from https://j00ru.vexillium.org/syscalls/nt/64/
call dword ptr fs:[0xC0] // X86SwitchTo64BitMode
ret 4 // clean up the stack and jump to return address
}
}
int main()
{
OBJECT_ATTRIBUTES oa;
HANDLE fileHandle = NULL;
NTSTATUS status = NULL;
UNICODE_STRING fileName;
IO_STATUS_BLOCK osb;
HANDLE hObject = OpenProcess(PROCESS_VM_READ, false, 10488);
RtlInitUnicodeString(&fileName, (PCWSTR)L"\\??\\c:\\temp\\test.txt");
ZeroMemory(&osb, sizeof(IO_STATUS_BLOCK));
InitializeObjectAttributes(&oa, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
NtCreateFile(&fileHandle, FILE_GENERIC_WRITE, &oa, &osb, 0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_WRITE, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment