OpenRCE Blog Entry

omeg <omegared

pl>

Monday, July 9 2007 16:04.45 CDT

Right, one gotta start somewhere. I have been lurking here for some time now, and eventually thought that I could gather various bits'n'pieces of my code and "research" stuff. Nothing really serious, but maybe someone will find it useful. ;)

Let's start with utility that lists all system calls exported by the Windows kernel. This project started out of my curiosity on how it all works, and after some time I managed to even finish it. ;) On the way, I wrote my first real-world kernel driver (extremely simple one), which helped me in later project(s).

Essentially, this utility works by using abovementioned driver to access kernel memory (no \Device\PhysicalMemory hacks anymore...) and read service tables, it also uses dbghelp/symserv to retrieve kernel symbols from MS repository. Later on I fixed some bugs with different kernel flavors (UP/MP) and added x64 support. Next step will be Vista support, about time to learn WDF. :)

You can find the package here.
It consists of MemMap driver (single source for both Win32 and Win64, just compile using proper DDK environment), and 32- & 64-bit versions of the usermode client.

Sample output:
XP 32bit
XP 64bit

One might expect that these lists will be quite similar, but that's not completely true. Both kernels export very similar set of functions, but they differ in ordering. 32bit kernel (PAE one on vmware in this example) has syscalls alphabetically sorted, and on 64bit they seem ordered quite randomly. At first I thought it's a bug in my code, but following snippet from 64bit ntdll shows that it's correct:

ntdll!ZwMapUserPhysicalPagesScatter:

00000000`77ef0a10 4c8bd1          mov     r10,rcx

00000000`77ef0a13 b800000000      mov     eax,0

00000000`77ef0a18 0f05            syscall

00000000`77ef0a1a c3              ret

00000000`77ef0a1b 666690          xchg    ax,ax

00000000`77ef0a1e 6690            xchg    ax,ax

ntdll!ZwWaitForSingleObject:

00000000`77ef0a20 4c8bd1          mov     r10,rcx

00000000`77ef0a23 b801000000      mov     eax,1

00000000`77ef0a28 0f05            syscall

00000000`77ef0a2a c3              ret

00000000`77ef0a2b 666690          xchg    ax,ax

00000000`77ef0a2e 6690            xchg    ax,ax

That's in line with lister's output:

Table #0: fffff80001076e00, 0128 entries, \WINDOWS\system32\ntoskrnl.exe

0000: NtMapUserPhysicalPagesScatter (ntoskrnl.exe)

0001: NtWaitForSingleObject (ntoskrnl.exe)

Second thing that comes to mind is win32k tables are completely different. More puzzles for Gynvael ;) Well, XP x64 kernel is the same one as in 2k3. Would it mean that GDI on both versions are so different internally? Too bad WRK doesn't contain win32k sources... ;)

2007/07/13 - merged 32 and 64bit versions to single source and cleaned the code a bit (lister and driver). Also updated sample output.

GynvaelColdwind	Posted: Tuesday, July 10 2007 03:08.39 CDT
Nice piece of work ;> Hehe puzzles _ ;>

omeg	Posted: Tuesday, July 10 2007 05:32.15 CDT
Small update as of 2007/07/12.