Also implement the syscall.id expression function

2024-02-19 03:08:29 +01:00 · 2024-02-19 03:08:29 +01:00 · a5f73b479f
parent 9e4c1a4d26
commit a5f73b479f
5 changed files with 48 additions and 3 deletions
--- a/src/dbg/exception.cpp
+++ b/src/dbg/exception.cpp
@ -13,6 +13,7 @@ static std::unordered_map<unsigned int, String> NtStatusNames;
 static std::unordered_map<unsigned int, String> ErrorNames;
 static std::unordered_map<String, unsigned int> Constants;
 static std::unordered_map<unsigned int, String> SyscallIndices;
+static std::unordered_map<String, unsigned int> SyscallNames;

 static bool UniversalCodeInit(const String & file, std::unordered_map<unsigned int, String> & names, unsigned char radix)
 {
@ -253,12 +254,43 @@ bool SyscallInit()
                SyscallIndices.insert({ index, syscall.Name });
        }
    }
-    ModClear(false);
+
+    // Populate the name map
+    for(const auto & itr : SyscallIndices)
+    {
+        SyscallNames.emplace(itr.second, itr.first);
+    }
+
+    // Also allow lookup with only the least significant 14 bits
+    // Reference: https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
+    for(const auto & itr : SyscallIndices)
+    {
+        auto truncated = itr.first & 0x3FFF;
+        if(truncated != itr.first)
+        {
+            SyscallIndices.emplace(truncated, itr.second);
+        }
+    }
+
+    // Clear the GUI
+    ModClear(true);
+
    return result;
 }

 const String & SyscallToName(unsigned int index)
 {
-    auto found = SyscallIndices.find(index);
+    auto found = SyscallIndices.find(index & 0x3FFF);
    return found != SyscallIndices.end() ? found->second : emptyString;
-}
+}
+
+unsigned int SyscallToId(const String & name)
+{
+    if(name.find("Zw") == 0)
+    {
+        return SyscallToId("Nt" + name.substr(2));
+    }
+
+    auto found = SyscallNames.find(name);
+    return found != SyscallNames.end() ? found->second : -1;
+}
--- a/src/dbg/exception.h
+++ b/src/dbg/exception.h
@ -22,5 +22,6 @@ std::vector<CONSTANTINFO> ConstantList();
 // To use this function, use EXCLUSIVE_ACQUIRE(LockModules)
 bool SyscallInit();
 const String & SyscallToName(unsigned int index);
+unsigned int SyscallToId(const String & name);

 #endif // _EXCEPTION_H
--- a/src/dbg/expressionfunctions.cpp
+++ b/src/dbg/expressionfunctions.cpp
@ -171,6 +171,7 @@ void ExpressionFunctions::Init()
    ExpressionFunctions::Register("strlen", ValueTypeNumber, { ValueTypeString }, Exprfunc::strlen);

    ExpressionFunctions::Register("syscall.name", ValueTypeString, { ValueTypeNumber }, Exprfunc::syscall_name);
+    ExpressionFunctions::Register("syscall.id", ValueTypeNumber, { ValueTypeString }, Exprfunc::syscall_id);
 }

 bool ExpressionFunctions::Register(const String & name, const ValueType & returnType, const std::vector<ValueType> & argTypes, const CBEXPRESSIONFUNCTION & cbFunction, void* userdata)
--- a/src/dbg/exprfunc.cpp
+++ b/src/dbg/exprfunc.cpp
@ -819,4 +819,14 @@ namespace Exprfunc
        *result = ValueString(SyscallToName(argv[0].number));
        return true;
    }
+
+    bool syscall_id(ExpressionValue* result, int argc, const ExpressionValue* argv, void* userdata)
+    {
+        auto id = SyscallToId(argv[0].string.ptr);
+        if(id == -1)
+            return false;
+
+        *result = ValueNumber(id);
+        return true;
+    }
 }
--- a/src/dbg/exprfunc.h
+++ b/src/dbg/exprfunc.h
@ -103,4 +103,5 @@ namespace Exprfunc
    bool utf16_strict(ExpressionValue* result, int argc, const ExpressionValue* argv, void* userdata);

    bool syscall_name(ExpressionValue* result, int argc, const ExpressionValue* argv, void* userdata);
+    bool syscall_id(ExpressionValue* result, int argc, const ExpressionValue* argv, void* userdata);
 }