
Created: Monday, July 9 2007 16:04.45 CDT Modified: Thursday, July 12 2007 17:09.07 CDT
Syscall lister
Author: omeg

Right, one has got to start somewhere. I have been lurking here for some time now and eventually thought I could gather various bits and pieces of my code and "research" stuff. Nothing really serious, but maybe someone will find it useful. ;)

Let's start with a utility that lists all system calls registered in the Windows kernel's service tables (the ntoskrnl table and the win32k ones). This project started out of my curiosity about how it all works, and after some time I even managed to finish it. ;) Along the way I wrote my first real-world kernel driver (an extremely simple one), which helped me in later project(s).

Essentially, the utility uses the above-mentioned driver to read kernel memory (no \Device\PhysicalMemory hacks anymore...) and walk the service descriptor tables; it then uses dbghelp/symsrv to fetch kernel symbols from the Microsoft symbol server, since a table entry on its own is just an address and only the PDB turns it into an Nt* name. The PDB has to match the kernel image that is actually running, which differs between the UP and MP builds and between ntoskrnl.exe and the PAE kernel ntkrnlpa.exe; that is where my bugs with the different kernel flavours (UP/MP) came from, and I fixed them later and added x64 support. The next step will be Vista support; about time to learn WDF. :)

You can find the package here.
It consists of the MemMap driver (a single source for both Win32 and Win64; just compile it in the proper DDK build environment) and 32- and 64-bit versions of the user-mode client.

Sample output:
XP 32bit
XP 64bit

One might expect these two lists to be quite similar, but that's not entirely true. Both kernels expose a very similar set of functions, but they differ in ordering. The 32-bit kernel (the PAE one under VMware in this example) has its syscalls sorted alphabetically, while on 64-bit they appear in a fairly random order. At first I thought it was a bug in my code, but the following snippet from the 64-bit ntdll shows that it is correct: the immediate loaded into eax right before syscall is the index into the service table, so NtMapUserPhysicalPagesScatter really is entry 0 and NtWaitForSingleObject entry 1:

ntdll!ZwMapUserPhysicalPagesScatter:
00000000`77ef0a10 4c8bd1          mov     r10,rcx
00000000`77ef0a13 b800000000      mov     eax,0
00000000`77ef0a18 0f05            syscall
00000000`77ef0a1a c3              ret
00000000`77ef0a1b 666690          xchg    ax,ax
00000000`77ef0a1e 6690            xchg    ax,ax
ntdll!ZwWaitForSingleObject:
00000000`77ef0a20 4c8bd1          mov     r10,rcx
00000000`77ef0a23 b801000000      mov     eax,1
00000000`77ef0a28 0f05            syscall
00000000`77ef0a2a c3              ret
00000000`77ef0a2b 666690          xchg    ax,ax
00000000`77ef0a2e 6690            xchg    ax,ax


That's in line with the lister's output:
Table #0: fffff80001076e00, 0128 entries, \WINDOWS\system32\ntoskrnl.exe
0000: NtMapUserPhysicalPagesScatter (ntoskrnl.exe)
0001: NtWaitForSingleObject (ntoskrnl.exe)
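To make the correlation between the stub and the table index concrete, here is an added example (my code, not omeg's lister and not part of the original post) that parses the x64 stub shape quoted above, and the XP 32-bit shape (mov eax,N / mov edx,7FFE0300h / call [edx] / ret imm16), out of a byte buffer and recovers the number that indexes the service table. The sample bytes are constructed, not a real ntdll dump: the first two 16-byte slots are the bytes from the snippet above, the third imitates a stub whose first five bytes an inline hook has overwritten with a jmp, and the x86 stub uses an arbitrary number. Reading the number with a fixed offset (DWORD at stub+4) would silently return garbage for such a hooked stub, so the parser insists on the whole shape before trusting the immediate.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Which stub layout matched. */
enum stub_kind { STUB_X64, STUB_X86, STUB_UNKNOWN };

struct stub_info {
    enum stub_kind kind;
    uint32_t number;     /* value moved into eax: the index into the service table */
    uint16_t ret_bytes;  /* x86 only: operand of 'ret imm16' (4 * argument count) */
    size_t   length;     /* bytes the stub occupies, excluding alignment padding */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Match one stub at p (n bytes readable). Returns 1 and fills *out on a match;
 * returns 0 with out->kind == STUB_UNKNOWN when the prologue is not one of the
 * two known shapes, e.g. because an inline hook replaced it with a jmp. The
 * syscall number is only taken from a stub whose whole shape is intact. */
int parse_stub(const uint8_t *p, size_t n, struct stub_info *out)
{
    /* x64: mov r10,rcx ; mov eax,imm32 ; syscall ; ret */
    static const uint8_t x64_head[] = { 0x4c, 0x8b, 0xd1, 0xb8 };
    static const uint8_t x64_tail[] = { 0x0f, 0x05, 0xc3 };
    /* x86 (XP): mov eax,imm32 ; mov edx,7FFE0300h ; call [edx] ; ret imm16 */
    static const uint8_t x86_mid[]  = { 0xba, 0x00, 0x03, 0xfe, 0x7f, 0xff, 0x12, 0xc2 };

    memset(out, 0, sizeof *out);
    out->kind = STUB_UNKNOWN;

    if (n >= 11 && memcmp(p, x64_head, sizeof x64_head) == 0 &&
        memcmp(p + 8, x64_tail, sizeof x64_tail) == 0) {
        out->kind   = STUB_X64;
        out->number = le32(p + 4);
        out->length = 11;
        return 1;
    }
    if (n >= 15 && p[0] == 0xb8 && memcmp(p + 5, x86_mid, sizeof x86_mid) == 0) {
        out->kind      = STUB_X86;
        out->number    = le32(p + 1);
        out->ret_bytes = (uint16_t)(p[13] | (p[14] << 8));
        out->length    = 15;
        return 1;
    }
    return 0;
}

/* Walk a region of stride-aligned stubs (ntdll lays the x64 ones out 16 bytes
 * apart, as the addresses in the post show). Every slot gets an entry so the
 * caller can see which slots failed to match. Returns the number of slots. */
size_t walk_stubs(const uint8_t *buf, size_t len, size_t stride,
                  struct stub_info *out, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off + stride <= len && count < max; off += stride)
        parse_stub(buf + off, len - off, &out[count++]);
    return count;
}

/* Constructed sample (not a real ntdll dump): slots 0 and 1 are the exact
 * bytes quoted in the post; slot 2 is what a "mov eax,2" stub looks like
 * after an inline hook overwrote its first five bytes with jmp rel32. */
const uint8_t sample_x64[48] = {
    0x4c,0x8b,0xd1,0xb8,0x00,0x00,0x00,0x00,0x0f,0x05,0xc3,0x66,0x66,0x90,0x66,0x90,
    0x4c,0x8b,0xd1,0xb8,0x01,0x00,0x00,0x00,0x0f,0x05,0xc3,0x66,0x66,0x90,0x66,0x90,
    0xe9,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0f,0x05,0xc3,0x66,0x66,0x90,0x66,0x90,
};

/* Constructed x86 (XP) stub with an arbitrary number 0x19 and 'ret 4'. */
const uint8_t sample_x86[15] = {
    0xb8,0x19,0x00,0x00,0x00, 0xba,0x00,0x03,0xfe,0x7f, 0xff,0x12, 0xc2,0x04,0x00,
};

int main(void)
{
    struct stub_info si[3];
    size_t n = walk_stubs(sample_x64, sizeof sample_x64, 16, si, 3);
    for (size_t i = 0; i < n; i++) {
        if (si[i].kind == STUB_X64)
            printf("slot %zu: x64 stub, syscall number %04x\n", i, si[i].number);
        else
            printf("slot %zu: prologue does not match a syscall stub (hooked?)\n", i);
    }
    struct stub_info x;
    if (parse_stub(sample_x86, sizeof sample_x86, &x))
        printf("x86 stub: syscall number %04x, %u argument bytes\n",
               x.number, (unsigned)x.ret_bytes);
    return 0;
}
```

On a live system the same walker can be pointed at the .text section of the ntdll mapped into your own process; comparing the numbers it recovers with the indices the lister reads out of the kernel-side table is a cheap consistency check, and any slot that comes back STUB_UNKNOWN is worth a closer look before the number is used for anything.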


The second thing that comes to mind is that the win32k tables are completely different. More puzzles for Gynvael ;) Well, the XP x64 kernel is the same one as in 2003. Would that mean that GDI on the two versions is so different internally? Too bad the WRK doesn't contain the win32k sources... ;)

2007/07/13 - merged the 32- and 64-bit versions into a single source and cleaned up the code a bit (lister and driver). Also updated the sample output.


Blog Comments
GynvaelColdwind Posted: Tuesday, July 10 2007 03:08.39 CDT
Nice piece of work ;>
Hehe puzzles *_* ;>

omeg Posted: Tuesday, July 10 2007 05:32.15 CDT
Small update as of 2007/07/12.
