Converted ZwQuerySystemInformation to dynamic call

src/Domito.cpp

@@ -12,6 +12,7 @@ DOMITO_COMMON G_Common = {};
 
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
+DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QsiRoutineName, L"ZwQuerySystemInformation");
 
 #ifndef LOG
 #define LOG(Format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Domito][" __FUNCTION__ "] " Format " \n", __VA_ARGS__)
@@ -32,6 +33,8 @@ DomitoInit()
         (t_ZwQueryInformationProcess)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_QipRoutineName);
     G_Common.RtlImageDirectoryEntryToData =
         (t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
+    G_Common.ZwQuerySystemInformation =
+        (t_ZwQuerySystemInformation)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_QsiRoutineName);
 
     return STATUS_SUCCESS; // TODO: unused currently
 }
@@ -56,10 +59,15 @@ DomitoFindModuleBaseAddress(
     ULONG bufferSize = 0;
     PSYSTEM_MODULE_INFORMATION moduleInfo = NULL;
 
+    if (!G_Common.ZwQuerySystemInformation)
+    {
+        return STATUS_NOT_IMPLEMENTED;
+    }
+
     const ULONG SystemModuleInformation = 11;
 
     // Query the required buffer size for module information
-    NTSTATUS status = ZwQuerySystemInformation(
+    NTSTATUS status = G_Common.ZwQuerySystemInformation(
         SystemModuleInformation,
         &bufferSize,
         0,
@@ -82,7 +90,7 @@ DomitoFindModuleBaseAddress(
     }
 
     // Retrieve the module information
-    status = ZwQuerySystemInformation(
+    status = G_Common.ZwQuerySystemInformation(
         SystemModuleInformation,
         moduleInfo,
         bufferSize,
@@ -133,7 +141,7 @@ DomitoFindExportedFunctionAddress(
 {
     NTSTATUS status = STATUS_NOT_FOUND;
     ULONG exportSize;
-    
+
     if (G_Common.RtlImageDirectoryEntryToData == NULL)
     {
         return STATUS_NOT_IMPLEMENTED;