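/*
 * Hook detector for ntdll's native syscall stubs (x64 only).
 *
 * Walks ntdll's export table, and for every Nt / Zw export compares the first
 * four bytes of the stub with the expected unhooked prologue. If the stub has
 * instead been overwritten with a 5-byte "jmp rel32", the jump target is
 * resolved, the module backing that target is looked up, and the process
 * terminates with exit code 0xFFFFFFFF.
 *
 * Fixes relative to the previous version:
 *   - The jmp target was computed with DWORD* arithmetic, which scales the
 *     displacement by four; the displacement is a signed byte offset from the
 *     end of the instruction.
 *   - LoadLibraryA's result, the export directory, the ordinal bound and the
 *     GetMappedFileNameA result were never checked; forwarded exports (RVA
 *     inside the export directory) were compared as if they were code.
 *
 * The original #include target was lost in this copy of the file; <windows.h>
 * and <psapi.h> cover every API used here, <string.h> the mem/str calls.
 * OBFUSCATE() comes from a project header that is not shown here.
 */
#include <windows.h>
#include <psapi.h>
#include <string.h>

/*
 * First four bytes of an unhooked x64 Nt / Zw stub:
 *   4c 8b d1          mov r10, rcx
 *   b8 xx xx xx xx    mov eax, <syscall number>
 * NOTE(review): this is the x64 encoding only; 32-bit / WOW64 stubs differ and
 * would all be reported as "not a syscall prologue" by this check.
 */
static const unsigned char kSyscallPrologue[4] = {0x4c, 0x8b, 0xd1, 0xb8};

/*
 * Resolve the absolute target of a 5-byte "jmp rel32" (E9 disp32) at insn.
 * disp32 is signed and relative to the address of the *next* instruction, so
 * the arithmetic has to be done on a byte pointer. The displacement is read
 * with memcpy because insn + 1 is not 4-byte aligned.
 */
static BYTE *JmpRel32Target(const BYTE *insn)
{
    INT32 disp;
    memcpy(&disp, insn + 1, sizeof disp);
    return (BYTE *)insn + 5 + disp;
}

int main(void)
{
    HMODULE libraryBase = LoadLibraryA(OBFUSCATE("ntdll"));
    if (libraryBase == NULL) {
        /* Nothing to inspect; do not dereference a NULL module base. */
        return 1;
    }

    BYTE *base = (BYTE *)libraryBase;
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)base;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(base + dosHeader->e_lfanew);

    IMAGE_DATA_DIRECTORY exportDir =
        ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDir.VirtualAddress == 0 || exportDir.Size == 0) {
        return 1; /* no export table: cannot locate any stub */
    }

    PIMAGE_EXPORT_DIRECTORY exports =
        (PIMAGE_EXPORT_DIRECTORY)(base + exportDir.VirtualAddress);
    PDWORD functions = (PDWORD)(base + exports->AddressOfFunctions);
    PDWORD names = (PDWORD)(base + exports->AddressOfNames);
    PWORD ordinals = (PWORD)(base + exports->AddressOfNameOrdinals);

    for (DWORD i = 0; i < exports->NumberOfNames; i++) {
        const char *name = (const char *)(base + names[i]);

        /* Only the native API stubs carry the syscall prologue. */
        if (strncmp(name, (char *)OBFUSCATE("Nt"), 2) != 0 &&
            strncmp(name, (char *)OBFUSCATE("Zw"), 2) != 0) {
            continue;
        }

        /* AddressOfNameOrdinals indexes AddressOfFunctions; bound it. */
        WORD ordinal = ordinals[i];
        if (ordinal >= exports->NumberOfFunctions) {
            continue;
        }
        DWORD functionRVA = functions[ordinal];

        /* An RVA inside the export directory is a forwarder string, not code. */
        if (functionRVA >= exportDir.VirtualAddress &&
            functionRVA < exportDir.VirtualAddress + exportDir.Size) {
            continue;
        }

        const BYTE *stub = base + functionRVA;
        if (memcmp(stub, kSyscallPrologue, sizeof kSyscallPrologue) == 0) {
            continue; /* intact stub */
        }

        /* As before, only a leading jmp rel32 is treated as a hook; any other
         * prologue mismatch is ignored here. */
        if (stub[0] != 0xE9) {
            continue;
        }

        BYTE *jumpTarget = JmpRel32Target(stub);

        /* Name of the module backing the jump target. The buffer is
         * zero-initialised and the return checked so it is always a valid
         * C string; the original resolved it but never reported it, and that
         * is kept as-is here - a caller wanting the name would log it. */
        char moduleNameBuffer[512] = {0};
        DWORD nameLen = GetMappedFileNameA(GetCurrentProcess(), jumpTarget,
                                           moduleNameBuffer, sizeof moduleNameBuffer);
        if (nameLen == 0 || nameLen >= sizeof moduleNameBuffer) {
            moduleNameBuffer[0] = '\0'; /* lookup failed or truncated */
        }

        /* Hooked stub found: bail out with exit code 0xFFFFFFFF. */
        ExitProcess((UINT)-1);
    }

    return 0;
}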