having fun with ntdll

ez_ntdll.c

/** calling ntdll stuff from usermode **/

#include <stdio.h>
#include <Windows.h>
#include <winternl.h>
#include <ntstatus.h>
#include "win_structs.h"
// for this example, win_structs.h contains the structs and enums that can be found
// here: https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntquerysysteminformation

// function pointer for NtQuerySystemInformation
typedef NTSTATUS (WINAPI* PNQSI)(
	SYSTEM_INFORMATION_CLASS,
	PVOID,
	ULONG,
	PULONG
	);

int main()
{ 
	PNQSI NtQuerySystemInformation;
	HMODULE ntdll;

	ntdll = LoadLibrary(L"ntdll.dll");

	if (ntdll == NULL) {
		printf("ntdll could not be loaded.\n");
		exit(-1);
	}
	NtQuerySystemInformation = (PNQSI)GetProcAddress(ntdll, "NtQuerySystemInformation");

	if (NtQuerySystemInformation != NULL) {
		printf("NtQuerySystemInformation => 0x%p\n", NtQuerySystemInformation);
	}

	SYSTEM_KERNEL_VA_SHADOW_INFORMATION* ssci = (SYSTEM_KERNEL_VA_SHADOW_INFORMATION*)malloc(sizeof(SYSTEM_KERNEL_VA_SHADOW_INFORMATION));

	// 196 = enum of kvashadow info
	NTSTATUS NQS = NtQuerySystemInformation(196, ssci, sizeof(ssci), 0);

	if (NQS != STATUS_SUCCESS) {
		printf("NtQuerySystemInformation did not succeed. NTSTATUS = %lu\n", NQS);
		exit(-1);
	}

  	// EXAMPLE -> check if KvaShadowRequired field is supported by OS
  	printf("KvaShadowRequired = %d\n", ssci->KvaShadowFlags.KvaShadowRequired);

 	 // clean up
  	free(ssci);
  	FreeLibrary(ntdll);

  	exit(0);
}

3 revisions because i've never hit tab before