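/*
 * Cross-platform memory allocation demo.
 *
 * Exposes three functions with the same signature on every platform:
 *   GetNtAllocateVirtualMemorySyscallNumber() - Windows: scans ntdll for a
 *       syscall stub prologue and returns its number; elsewhere a stub.
 *   AllocateMemory(void **baseAddress, size_t size) - 0 on success, -1 on failure.
 *   FreeMemory(void *address) - releases a block from AllocateMemory.
 * The allocation itself never uses a direct syscall: Windows goes through
 * VirtualAlloc and Unix-like systems through mmap.
 */
#if !defined(_WIN32) && !defined(_DEFAULT_SOURCE)
/* glibc hides mmap/sysconf/MAP_ANONYMOUS under a strict -std=c11 build unless
 * a feature macro is set; it must be defined before the first include. */
#define _DEFAULT_SOURCE 1
#endif

#include <stdio.h>
#include <stdint.h>
#include <string.h>   /* memcmp/memcpy/memset are used on every platform, including the #else branch */

#ifdef _WIN32
/* Windows-specific includes and definitions */
#include <windows.h>
#include <winternl.h>

/* Declaration of NtAllocateVirtualMemory (no implementation here).
 * Nothing in this file calls it; kept for reference only. */
EXTERN_C NTSTATUS NtAllocateVirtualMemory(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect);

/* Structure for storing syscall information (not used by the code below). */
typedef struct _SYSTEM_CALL_INFORMATION {
    ULONG_PTR Address;
    WORD Number;
} SYSTEM_CALL_INFORMATION, *PSYSTEM_CALL_INFORMATION;

/*
 * Scan the committed PAGE_EXECUTE_READ pages of the loaded ntdll image for
 * the first x64 syscall stub prologue ("mov r10, rcx; mov eax, imm32" =
 * 4C 8B D1 B8) and return the low 16 bits of the immediate that follows it.
 *
 * Returns the number found, or 0 if ntdll is not loaded, its PE header does
 * not validate, or no stub matched. A non-zero result is cached in a
 * function-local static, so later calls return it without rescanning.
 *
 * NOTE(review): the scan is not anchored at NtAllocateVirtualMemory's own
 * export address, so the value is simply that of whichever stub appears
 * first in the image; despite the function name it need not belong to
 * NtAllocateVirtualMemory. The pattern is x64-only and will not match on a
 * 32-bit build. Callers in this file only print the value.
 */
WORD GetNtAllocateVirtualMemorySyscallNumber(void) {
    static WORD syscallNumber = 0;
    if (syscallNumber != 0) {
        return syscallNumber;
    }

    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) {
        return 0;
    }

    /* Bound the walk to the ntdll image via SizeOfImage from its PE header;
     * without this the walk continued through every region after ntdll's base. */
    const ULONG_PTR moduleStart = (ULONG_PTR)ntdll;
    const PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)ntdll;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 0;
    }
    const PIMAGE_NT_HEADERS ntHeaders =
        (PIMAGE_NT_HEADERS)(moduleStart + (ULONG_PTR)dosHeader->e_lfanew);
    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return 0;
    }
    const ULONG_PTR moduleEnd = moduleStart + ntHeaders->OptionalHeader.SizeOfImage;

    /* x64 syscall stub prologue: mov r10, rcx (4C 8B D1) then mov eax, imm32 (B8).
     * All four bytes are compared, so B8 is actually verified before the
     * immediate is read. */
    static const BYTE pattern[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    const SIZE_T patternSize = sizeof pattern;
    /* Bytes that must be readable at a candidate offset: prologue + low WORD of imm32. */
    const SIZE_T needed = patternSize + sizeof(WORD);

    MEMORY_BASIC_INFORMATION mbi = { 0 };
    ULONG_PTR currentAddress = moduleStart;

    while (currentAddress < moduleEnd &&
           VirtualQuery((LPCVOID)currentAddress, &mbi, sizeof mbi) == sizeof mbi) {
        const ULONG_PTR regionStart = (ULONG_PTR)mbi.BaseAddress;
        ULONG_PTR regionEnd = regionStart + mbi.RegionSize;
        if (regionEnd < regionStart) {
            break; /* address arithmetic wrapped */
        }
        if (regionEnd > moduleEnd) {
            regionEnd = moduleEnd; /* never read past the image */
        }

        if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_EXECUTE_READ &&
            regionEnd - regionStart >= needed) {
            const BYTE *base = (const BYTE *)regionStart;
            const SIZE_T scanLen = (SIZE_T)(regionEnd - regionStart);
            /* "i + needed <= scanLen" keeps every read inside the region; the
             * previous "RegionSize - patternSize" bound wrapped to a huge
             * value whenever the region was smaller than the pattern. */
            for (SIZE_T i = 0; i + needed <= scanLen; ++i) {
                if (memcmp(base + i, pattern, patternSize) == 0) {
                    WORD candidate = 0;
                    /* memcpy instead of a WORD* dereference: the immediate is
                     * not aligned and the cast would violate aliasing rules. */
                    memcpy(&candidate, base + i + patternSize, sizeof candidate);
                    if (candidate > 0) {
                        syscallNumber = candidate;
                        return syscallNumber;
                    }
                }
            }
        }

        if (regionEnd <= currentAddress) {
            break; /* no forward progress possible */
        }
        currentAddress = regionEnd;
    }

    return 0;
}

/*
 * Allocate `size` bytes of committed read/write memory.
 *
 * On success stores the base address in *baseAddress and returns 0. On
 * failure returns -1 and leaves *baseAddress NULL. The syscall number is
 * looked up and printed for demonstration only; the allocation itself goes
 * through VirtualAlloc, not a direct syscall. Release with FreeMemory.
 */
int AllocateMemory(void **baseAddress, size_t size) {
    if (baseAddress == NULL) {
        return -1;
    }
    *baseAddress = NULL;

    WORD syscallNumber = GetNtAllocateVirtualMemorySyscallNumber();
    if (!syscallNumber) {
        printf("Gagal mendapatkan nomor syscall NtAllocateVirtualMemory.\n");
        return -1;
    }
    printf("Nomor Syscall NtAllocateVirtualMemory: 0x%04X\n", syscallNumber);

    /* For demonstration, use VirtualAlloc instead of a direct syscall. */
    *baseAddress = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    return (*baseAddress != NULL) ? 0 : -1;
}

/* Release a block obtained from AllocateMemory. NULL is ignored. */
void FreeMemory(void *address) {
    if (address) {
        /* MEM_RELEASE requires size 0 and the base returned by VirtualAlloc. */
        (void)VirtualFree(address, 0, MEM_RELEASE);
    }
}

#elif defined(__APPLE__) || defined(__unix__) || defined(__unix) || defined(unix)
/* macOS/Unix includes */
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#if !defined(MAP_ANONYMOUS) && defined(MAP_ANON)
/* Older BSD/macOS headers spell the flag MAP_ANON. */
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef unsigned short WORD;
typedef void *PVOID;
typedef size_t SIZE_T;
typedef SIZE_T *PSIZE_T;
typedef long NTSTATUS;
typedef void *HANDLE;
typedef unsigned long ULONG;
typedef unsigned long ULONG_PTR;

/* Most recent mapping handed out by AllocateMemory, so FreeMemory can unmap
 * its full length. Only one mapping is remembered; see FreeMemory. */
static void *g_last_map_base = NULL;
static size_t g_last_map_len = 0;

/* System page size, falling back to 4096 when sysconf cannot report it. */
static size_t page_size_bytes(void) {
    long pageSize = sysconf(_SC_PAGESIZE);
    return (pageSize > 0) ? (size_t)pageSize : 4096;
}

/*
 * Stub for syscall numbers on macOS/Unix. mmap is not addressed by a
 * syscall number in the same way, so a fixed dummy value is returned for
 * demonstration.
 */
WORD GetNtAllocateVirtualMemorySyscallNumber(void) {
    return 0x1234;
}

/*
 * Allocate `size` bytes with an anonymous private mmap, rounded up to a
 * whole number of pages.
 *
 * On success stores the mapping base in *baseAddress, remembers its length
 * for FreeMemory and returns 0. On failure prints the reason, sets
 * *baseAddress to NULL and returns -1. A size of 0 fails because mmap
 * rejects zero-length mappings.
 */
int AllocateMemory(void **baseAddress, size_t size) {
    if (baseAddress == NULL) {
        return -1;
    }
    *baseAddress = NULL;

    const size_t pageSize = page_size_bytes();
    /* Guard the round-up against wrapping for sizes near SIZE_MAX. */
    if (size > SIZE_MAX - (pageSize - 1)) {
        printf("Memory allocation failed: requested size too large\n");
        return -1;
    }
    /* Divide-and-multiply works for any page size, not only powers of two. */
    const size_t alignedSize = ((size + pageSize - 1) / pageSize) * pageSize;

    /* Using mmap instead of a direct syscall. */
    void *mapping = mmap(NULL, alignedSize, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mapping == MAP_FAILED) {
        printf("Memory allocation failed: %s\n", strerror(errno));
        return -1;
    }

    g_last_map_base = mapping;
    g_last_map_len = alignedSize;
    *baseAddress = mapping;
    printf("Memory allocated using mmap at address: %p\n", *baseAddress);
    return 0;
}

/*
 * Unmap a block obtained from AllocateMemory. NULL is ignored.
 *
 * If `address` is the most recent mapping, its full recorded length is
 * unmapped. Any other address falls back to unmapping a single page, which
 * matches the earlier behaviour and may leave part of a larger mapping in
 * place; a caller that keeps several mappings alive must track sizes itself.
 */
void FreeMemory(void *address) {
    if (!address) {
        return;
    }

    size_t length;
    if (address == g_last_map_base && g_last_map_len != 0) {
        length = g_last_map_len;
        g_last_map_base = NULL;
        g_last_map_len = 0;
    } else {
        length = page_size_bytes();
    }

    if (munmap(address, length) != 0) {
        printf("Memory free failed: %s\n", strerror(errno));
    }
}

#else
/* Other platforms - minimal stub implementation */
typedef unsigned short WORD;
typedef void *PVOID;
typedef size_t SIZE_T;
typedef SIZE_T *PSIZE_T;
typedef long NTSTATUS;
typedef void *HANDLE;
typedef unsigned long ULONG;
typedef unsigned long ULONG_PTR;

/* Always 0: no syscall lookup exists for this platform. */
WORD GetNtAllocateVirtualMemorySyscallNumber(void) {
    printf("This function is not implemented on this platform.\n");
    return 0;
}

/* Always fails with -1; *baseAddress is set to NULL when it can be. */
int AllocateMemory(void **baseAddress, size_t size) {
    (void)size;
    if (baseAddress) {
        *baseAddress = NULL;
    }
    printf("Memory allocation not implemented on this platform.\n");
    return -1;
}

/* Nothing to release on this platform; the address is ignored. */
void FreeMemory(void *address) {
    (void)address;
    printf("Memory free not implemented on this platform.\n");
}
#endif

/*
 * Cross-platform example: allocate one 4 KB block, write a short marker into
 * it, print it back and release it. Returns 0 in every case; failures are
 * only reported on stdout.
 */
int main(void) {
    void *baseAddress = NULL;
    const size_t memSize = 4096; /* 4KB; must stay >= the 10 bytes written below */

    printf("Attempting to allocate %zu bytes of memory...\n", memSize);

    /* Use the platform-appropriate implementation selected above. */
    int result = AllocateMemory(&baseAddress, memSize);

    if (result == 0 && baseAddress != NULL) {
        printf("Memory allocation successful at address: %p\n", baseAddress);

        /* Test by writing to the memory: fill the first 10 bytes with 'A'. */
        memset(baseAddress, 0x41, 10);
        printf("First 10 bytes set to: %.10s\n", (char *)baseAddress);

        FreeMemory(baseAddress);
        printf("Memory freed.\n");
    } else {
        printf("Memory allocation failed.\n");
    }

    return 0;
}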