Pluto
A manual system call library that supports functions from both ntdll.dll and win32u.dll
Notable features
- Dynamic resolution of syscall indices
- x86 and x64 support
Getting started
The example below demonstrates a basic implementation of the library
[SyscallImport("ntdll.dll", "NtFlushInstructionCache")]
public delegate NtStatus Signature(SafeProcessHandle processHandle, IntPtr address, int bytes);
var syscall = new Syscall<Signature>();
var processHandle = Process.GetProcessesByName("")[0].SafeHandle;
var status = syscall.Method(processHandle, IntPtr.Zero, 0); Syscall Class
Provides the functionality to syscall a function in a DLL
public sealed class Syscall<T> where T : DelegateConstructors
Initialises an instance of the Syscall<T> class with the syscall delegate
public Syscall();Properties
A delegate wrapping the syscall
public T Method { get; }SyscallImportAttribute Class
Indicates that the attributed delegate represents a syscall signature
[AttributeUsage(AttributeTargets.Delegate)]
public sealed class SyscallImportAttribute : AttributeConstructors
Initialises an instance of the SyscallImportAttribute class with the DLL name and function name
public SyscallImportAttribute(string, string);