wufhex/Syscaller
GitHub: wufhex/Syscaller
A header-only C++ library for dynamically resolving and directly executing Native API system calls on x64 Windows, which helps bypass user-mode API monitoring.
Stars: 12 | Forks: 2
Syscaller
Header-only C++ library for making Native API system calls on x64 Windows
## Overview
Syscaller is a minimal, dependency-free, CRT-less C++ library that dynamically resolves and executes Windows Native API system calls.
It extracts syscall IDs at runtime by parsing system DLLs (for example ntdll.dll), then generates a tiny executable stub containing the native syscall instruction.
This enables direct kernel calls that bypass the higher-level user-mode API wrappers (such as kernel32.dll).
Because syscall numbers are resolved dynamically, Syscaller avoids the problem of hard-coded syscall tables breaking across Windows updates.
Compatible with x64 Windows and uses the kernel's system-call convention (the first argument is passed in R10).
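The stub shape described above (first argument moved into R10, the syscall number loaded into EAX, then a `syscall` instruction) is exactly what a memory scanner looks for when it hunts for syscall stubs living outside the mapped images of ntdll.dll or win32u.dll. The following is an added example, not part of Syscaller itself: a small byte-pattern scanner that finds that prologue in a buffer, extracts the System Service Number it loads, and reports whether a `syscall` follows within a short window (newer Windows builds insert a `test`/`jne` pair between the `mov eax` and the `syscall`, so the window is wider than the minimal stub). The sample buffer, its offsets and the SSN values in it are constructed for the demonstration and are not real Windows syscall numbers; a real scanner would walk the process's committed executable regions and ignore hits that fall inside the system DLL images.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// One detection: where a syscall-style prologue begins inside the scanned
// region and which System Service Number (SSN) it loads into EAX.
struct StubHit {
    size_t   offset;       // byte offset of "mov r10, rcx" within the buffer
    uint32_t ssn;          // immediate operand of "mov eax, imm32"
    bool     has_syscall;  // a "syscall" (0F 05) follows within the window
};

// Scan a byte region for the x64 Native API stub prologue:
//   4C 8B D1        mov r10, rcx
//   B8 xx xx xx xx  mov eax, imm32      <- the SSN
//   ...             (newer builds: test byte ptr [SharedUserData+0x308],1 / jne)
//   0F 05           syscall
// The window after the prologue is small so unrelated code is not matched.
std::vector<StubHit> find_syscall_stubs(const uint8_t* buf, size_t len) {
    std::vector<StubHit> hits;
    const size_t window = 24;  // bytes after the prologue in which "syscall" may appear
    for (size_t i = 0; i + 8 <= len; ++i) {
        if (buf[i] != 0x4C || buf[i + 1] != 0x8B || buf[i + 2] != 0xD1 || buf[i + 3] != 0xB8)
            continue;
        uint32_t ssn = (uint32_t)buf[i + 4]
                     | ((uint32_t)buf[i + 5] << 8)
                     | ((uint32_t)buf[i + 6] << 16)
                     | ((uint32_t)buf[i + 7] << 24);
        bool has_syscall = false;
        size_t end = i + 8 + window;
        if (end > len) end = len;
        for (size_t j = i + 8; j + 1 < end; ++j) {
            if (buf[j] == 0x0F && buf[j + 1] == 0x05) { has_syscall = true; break; }
        }
        hits.push_back({i, ssn, has_syscall});
    }
    return hits;
}

// Constructed sample region (80 bytes), standing in for a private executable
// allocation. It holds three prologues; the SSNs 0x55, 0x18 and 0x07 are made up.
static const uint8_t kSampleRegion[] = {
    0x90, 0x90, 0x90, 0x90,                                  // padding (nop)
    // minimal stub at offset 4: mov r10,rcx; mov eax,0x55; syscall; ret
    0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3,
    0xCC, 0xCC, 0xCC, 0xCC,                                  // padding (int3)
    // newer-style stub at offset 19: mov r10,rcx; mov eax,0x18;
    // test byte ptr [0x7FFE0308],1; jne +3; syscall; ret; int 2Eh; ret
    0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03,
    0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3,
    0xCC, 0xCC, 0xCC, 0xCC,                                  // padding (int3)
    // prologue at offset 47 with no syscall after it (should be flagged as prologue only)
    0x4C, 0x8B, 0xD1, 0xB8, 0x07, 0x00, 0x00, 0x00, 0xC3,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

// Runs the scanner over the constructed region; kept as a function so the
// result can be checked programmatically rather than only printed.
std::vector<StubHit> scan_sample() {
    return find_syscall_stubs(kSampleRegion, sizeof(kSampleRegion));
}

int main() {
    for (const StubHit& h : scan_sample()) {
        std::printf("offset %3zu  ssn 0x%03X  %s\n", h.offset, h.ssn,
                    h.has_syscall ? "direct syscall stub" : "prologue only (no syscall in window)");
    }
    return 0;
}
```

Every hit is a candidate for a closer look; the decisive question for a defender is whether the stub's address lies inside a legitimately mapped system image or in a private, writable-then-executable allocation like the one Syscaller produces.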
## Documentation
```cpp
/**
* @brief Retrieves a system call from ntdll.dll.
*
* @param name (LPCSTR/const char*) The name of the system call.
* @param type (type) The function signature/type of the system call.
*
* @return Pointer to the system call function cast to the specified type.
*/
auto pFn = MAKE_SYSCALL(name, type)
auto pFn = MAKE_SYSCALL("NtCreateFile", func_t)
/**
* @brief Retrieves a system call from a specific dll.
*
* @param dll (LPCWSTR/const wchar_t*) -> Path or name of the dll containing the system call. (e.g. win32u.dll, ntdll.dll)
* @param name (LPCSTR/const char*) -> The name of the system call.
* @param type (type) The function signature/type of the system call.
*
* @return Pointer to the system call function cast to the specified type.
*/
auto pFn = MAKE_SYSCALLEX(dll, name, type)
auto pFn = MAKE_SYSCALLEX("win32u.dll", "NtUserWaitMessage", func_t)
/**
* @brief Retrieves a system call from ntdll.dll using indirect execution.
*
* @param name The name of the system call.
* @param type The function signature/type of the system call.
*
* @return Pointer to the indirect system call stub cast to the specified type.
*/
auto pFn = MAKE_SYSCALL_INDIRECT(name, type)
auto pFn = MAKE_SYSCALL_INDIRECT("NtCreateFile", func_t)
/**
* @brief Retrieves a system call from a specific dll using indirect execution.
*
* @param dll Path or name of the dll containing the system call. (e.g. win32u.dll, ntdll.dll)
* @param name The name of the system call.
* @param type The function signature/type of the system call.
*
* @return Pointer to the indirect system call stub cast to the specified type.
*/
auto pFn = MAKE_SYSCALL_INDIRECTEX(dll, name, type)
auto pFn = MAKE_SYSCALL_INDIRECTEX("win32u.dll", "NtUserWaitMessage", func_t)
```
## Quick example
```cpp
#include "syscaller/syscaller.hpp"
#include
typedef NTSTATUS(NTAPI* NtCreateFile_t)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength
);

int MainEntry() {
    HANDLE fileHandle;
    IO_STATUS_BLOCK ioStatusBlock;
    UNICODE_STRING fileName;
    OBJECT_ATTRIBUTES objAttr;

    RtlInitUnicodeString(&fileName, L"\\??\\C:\\test.txt");
    InitializeObjectAttributes(
        &objAttr,
        &fileName,
        OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
    );

    // Or MAKE_SYSCALL_INDIRECT
    auto pNtCreateFile = MAKE_SYSCALL("NtCreateFile", NtCreateFile_t);

    NTSTATUS status = pNtCreateFile(
        &fileHandle,
        FILE_GENERIC_READ,
        &objAttr,
        &ioStatusBlock,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OVERWRITE_IF,
        FILE_RANDOM_ACCESS | FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
    );

    if (status == 0) {
        MessageBoxW(0, L"Opened Successfully!", L"Success", MB_OK);
        CloseHandle(fileHandle);
    }
    return 0;
}
```
## License
Syscaller is free for personal and commercial use under the MIT license.
You may use it, modify it and integrate it into your engine or tools.
Forks and contributions are very welcome!