Converted ZwQuerySystemInformation to dynamic call

src/Domito.Internal.h

@@ -7,9 +7,9 @@
 
 #pragma once
 
-//
-// SDK/WDK
-// 
+ //
+ // SDK/WDK
+ // 
 #include <ntifs.h>
 #include <ntintsafe.h>
 #include <ntimage.h>
@@ -50,14 +50,6 @@ typedef struct _SYSTEM_MODULE_INFORMATION
     SYSTEM_MODULE_INFORMATION_ENTRY Module[ANYSIZE_ARRAY];
 } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
 
-// Function prototype for ZwQuerySystemInformation
-EXTERN_C NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
-    _In_ ULONG SystemInformationClass,
-    _Inout_ PVOID SystemInformation,
-    _In_ ULONG SystemInformationLength,
-    _Out_opt_ PULONG ReturnLength
-);
-
 typedef struct _LDR_DATA_TABLE_ENTRY
 {
     LIST_ENTRY64 InLoadOrderLinks;
@@ -97,6 +89,13 @@ typedef NTSTATUS(NTAPI* t_ZwQueryInformationProcess) (
     __out_opt PULONG ReturnLength
     );
 
+typedef NTSTATUS(NTAPI* t_ZwQuerySystemInformation)(
+    _In_ ULONG SystemInformationClass,
+    _Inout_ PVOID SystemInformation,
+    _In_ ULONG SystemInformationLength,
+    _Out_opt_ PULONG ReturnLength
+    );
+
 /*   ___
  *  / __|___ _ __  _ __  ___ _ _
  * | (__/ _ \ '  \| '  \/ _ \ ' \
@@ -110,6 +109,8 @@ typedef struct
 
     t_ZwQueryInformationProcess ZwQueryInformationProcess;
 
+    t_ZwQuerySystemInformation ZwQuerySystemInformation;
+
 } DOMITO_COMMON;
 
 extern DOMITO_COMMON G_Common;
@@ -122,9 +123,9 @@ extern DOMITO_COMMON G_Common;
  *                           |__/                        |___/
  */
 
-//
-// Default pool tag
-// 
+ //
+ // Default pool tag
+ // 
 #define DOMITO_POOL_TAG     'imoD'
 
 //

src/Domito.cpp

@@ -12,6 +12,7 @@ DOMITO_COMMON G_Common = {};
 
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QipRoutineName, L"ZwQueryInformationProcess");
 DECLARE_GLOBAL_CONST_UNICODE_STRING(G_IdetdRoutineName, L"RtlImageDirectoryEntryToData");
+DECLARE_GLOBAL_CONST_UNICODE_STRING(G_QsiRoutineName, L"ZwQuerySystemInformation");
 
 #ifndef LOG
 #define LOG(Format, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Domito][" __FUNCTION__ "] " Format " \n", __VA_ARGS__)
@@ -32,6 +33,8 @@ DomitoInit()
         (t_ZwQueryInformationProcess)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_QipRoutineName);
     G_Common.RtlImageDirectoryEntryToData =
         (t_RtlImageDirectoryEntryToData)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_IdetdRoutineName);
+    G_Common.ZwQuerySystemInformation =
+        (t_ZwQuerySystemInformation)MmGetSystemRoutineAddress((PUNICODE_STRING)&G_QsiRoutineName);
 
     return STATUS_SUCCESS; // TODO: unused currently
 }
@@ -56,10 +59,15 @@ DomitoFindModuleBaseAddress(
     ULONG bufferSize = 0;
     PSYSTEM_MODULE_INFORMATION moduleInfo = NULL;
 
+    if (!G_Common.ZwQuerySystemInformation)
+    {
+        return STATUS_NOT_IMPLEMENTED;
+    }
+
     const ULONG SystemModuleInformation = 11;
 
     // Query the required buffer size for module information
-    NTSTATUS status = ZwQuerySystemInformation(
+    NTSTATUS status = G_Common.ZwQuerySystemInformation(
         SystemModuleInformation,
         &bufferSize,
         0,
@@ -82,7 +90,7 @@ DomitoFindModuleBaseAddress(
     }
 
     // Retrieve the module information
-    status = ZwQuerySystemInformation(
+    status = G_Common.ZwQuerySystemInformation(
         SystemModuleInformation,
         moduleInfo,
         bufferSize,