Native API

namespace syscall::native

constexpr HANDLE getCurrentProcess() noexcept;

inline PPEB getCurrentPEB();

auto pPeb = syscall::native::getCurrentPEB();
if (pPeb && pPeb->Ldr) {
    // Access loader data
}

inline HMODULE getModuleBase(const wchar_t* wzModuleName);

HMODULE hNtdll = syscall::native::getModuleBase(L"ntdll.dll");

inline HMODULE getModuleBase(hashing::Hash_t uModuleHash);

auto hash = syscall::hashing::calculateHash("ntdll.dll");
HMODULE hNtdll = syscall::native::getModuleBase(hash);

inline void* getExportAddress(HMODULE hModuleBase, const char* szExportName);

HMODULE hNtdll = syscall::native::getModuleBase(L"ntdll.dll");
auto pFunc = syscall::native::getExportAddress(hNtdll, "NtAllocateVirtualMemory");

inline void* getExportAddress(HMODULE hModuleBase, hashing::Hash_t uExportHash);

HMODULE hNtdll = syscall::native::getModuleBase(L"ntdll.dll");
auto hash = SYSCALL_ID("NtAllocateVirtualMemory");
auto pFunc = syscall::native::getExportAddress(hNtdll, hash);

inline hashing::Hash_t calculateHashRuntimeCi(const wchar_t* wzData);

inline hashing::Hash_t calculateHashRuntimeCi(const char* szData);

SYSCALL_FORCE_INLINE uint64_t rdtscp();

// Generate random index based on TSC
size_t randomIndex = syscall::native::rdtscp() % count;

struct LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    // ... additional fields
};

// Section management
using NtCreateSection_t = NTSTATUS(NTAPI*)(
    PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, 
    POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize, 
    ULONG SectionPageProtection, ULONG AllocationAttributes, 
    HANDLE FileHandle
);

using NtMapViewOfSection_t = NTSTATUS(NTAPI*)(
    HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress,
    ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset,
    PSIZE_T ViewSize, ESectionInherit InheritDisposition, 
    ULONG AllocationType, ULONG Win32Protect
);

using NtUnmapViewOfSection_t = NTSTATUS(NTAPI*)(
    HANDLE ProcessHandle, PVOID BaseAddress
);

// Memory management
using NtAllocateVirtualMemory_t = NTSTATUS(NTAPI*)(
    HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits,
    PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect
);

using NtProtectVirtualMemory_t = NTSTATUS(NTAPI*)(
    HANDLE ProcessHandle, PVOID* BaseAddress, PSIZE_T RegionSize,
    ULONG NewProtect, PULONG OldProtect
);

using NtFreeVirtualMemory_t = NTSTATUS(NTAPI*)(
    HANDLE ProcessHandle, PVOID* BaseAddress, PSIZE_T RegionSize, 
    ULONG FreeType
);

// Heap management
using RtlCreateHeap_t = PVOID(NTAPI*)(
    ULONG Flags, PVOID HeapBase, SIZE_T ReserveSize, 
    SIZE_T CommitSize, PVOID Lock, PVOID Parameters
);

using RtlAllocateHeap_t = PVOID(NTAPI*)(
    PVOID HeapHandle, ULONG Flags, SIZE_T Size
);

using RtlDestroyHeap_t = PVOID(NTAPI*)(
    PVOID HeapHandle
);

// Handle management
using NtClose_t = NTSTATUS(NTAPI*)(
    HANDLE Handle
);

enum class ESectionInherit : DWORD 
{
    VIEW_SHARE = 1,
    VIEW_UNMAP = 2
};

enum class ESectionAllocAttributes : ULONG 
{
    SECTION_COMMIT = SEC_COMMIT,
    SECTION_IMAGE = SEC_IMAGE,
    SECTION_IMAGE_NO_EXECUTE = SEC_IMAGE_NO_EXECUTE,
    SECTION_LARGE_PAGES = SEC_LARGE_PAGES,
    SECTION_NO_CHANGE = 0x00400000,
    SECTION_RESERVE = SEC_RESERVE,
};

constexpr NTSTATUS STATUS_SUCCESS = 0x00000000L;
constexpr NTSTATUS STATUS_UNSUCCESSFUL = 0xC0000001L;
constexpr NTSTATUS STATUS_PROCEDURE_NOT_FOUND = 0xC000007A;

constexpr bool isSuccess(NTSTATUS status) noexcept;

// Get ntdll.dll base address
auto hNtdll = syscall::native::getModuleBase(
    syscall::hashing::calculateHash("ntdll.dll")
);

if (hNtdll) {
    // Resolve NtAllocateVirtualMemory
    auto pNtAllocate = syscall::native::getExportAddress(
        hNtdll, 
        SYSCALL_ID("NtAllocateVirtualMemory")
    );
    
    if (pNtAllocate) {
        auto fNtAllocate = reinterpret_cast<NtAllocateVirtualMemory_t>(pNtAllocate);
        // Use the function
    }
}