OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Created: Thursday, March 6 2008 21:12.00 CST
Modified: Friday, March 7 2008 12:26.19 CST
Digging up system call ordinals
Author: ero
Today I was hacking a small tool and I needed a list of all the system call ordinals corresponding to the APIs exported by NTDLL.DLL. A bit of googling didn't come up with anything too interesting, so I wrote a small IDAPython script to harvest them out of a disassembly of NTDLL.DLL.

The script simply iterates through every segment and every function and tries to find the byte pattern corresponding to the prolog of the API functions, which call the stub doing the SYSENTER, SYSCALL or INT 2Eh.

At least in Windows XP SP2 they have the form:

    MOV eax, XX         ; XX is the syscall ordinal
    MOV edx, 7FFE0300h  ; the stub doing the transition to kernel mode; the actual code reached depends on the underlying processor
    CALL [edx]

Those instructions correspond to the byte sequence B8 ? 00 00 00 BA 00 03 FE 7F. I'll just tell IDAPython to look for it at the beginning of each function and, if found, I'll extract the value of the system call ordinal and the name of the function and print a list of them:
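    from idautils import Segments, Functions
    from idc import SegEnd, FindBinary, SEARCH_DOWN, Dword, Name, Comment

    # MOV eax, XX / MOV edx, 7FFE0300h; "?" is a one-byte wildcard
    syscall_ordinal_code = 'b8 ? 00 00 00 ba 00 03 fe 7f'
    for seg in Segments():
        for func in Functions(seg, SegEnd(seg)):
            address = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code)
            # Only accept a match located exactly at the function start
            if address == func:
                # The dword after the B8 opcode is the ordinal
                print('%08x: Syscall ordinal %04x for %s (%s)' % (
                    func, Dword(func+1), Name(func), Comment(func)))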
And the outcome of running the script on IDA with NTDLL.DLL looks like this:
7c90d379: Syscall ordinal 0000 for ZwAcceptConnectPort (NtAcceptConnectPort)
7c90d38e: Syscall ordinal 0001 for ZwAccessCheck (NtAccessCheck)
7c90d3a3: Syscall ordinal 0002 for ZwAccessCheckAndAuditAlarm (NtAccessCheckAndAuditAlarm)
7c90d3b8: Syscall ordinal 0003 for ZwAccessCheckByType (NtAccessCheckByType)
7c90d3cd: Syscall ordinal 0004 for ZwAccessCheckByTypeAndAuditAlarm (NtAccessCheckByTypeAndAuditAlarm)
7c90d3e2: Syscall ordinal 0005 for ZwAccessCheckByTypeResultList (NtAccessCheckByTypeResultList)
7c90d3f7: Syscall ordinal 0006 for ZwAccessCheckByTypeResultListAndAuditAlarm (NtAccessCheckByTypeResultListAndAuditAlarm)
7c90d40c: Syscall ordinal 0007 for ZwAccessCheckByTypeResultListAndAuditAlarmByHandle (NtAccessCheckByTypeResultListAndAuditAlarmByHandle)
7c90d421: Syscall ordinal 0008 for ZwAddAtom (NtAddAtom)
7c90d436: Syscall ordinal 0009 for ZwAddBootEntry (NtAddBootEntry)
7c90d44b: Syscall ordinal 000a for ZwAdjustGroupsToken (NtAdjustGroupsToken)
7c90d460: Syscall ordinal 000b for ZwAdjustPrivilegesToken (NtAdjustPrivilegesToken)
7c90d475: Syscall ordinal 000c for ZwAlertResumeThread (NtAlertResumeThread)
7c90d48a: Syscall ordinal 000d for ZwAlertThread (NtAlertThread)
7c90d49f: Syscall ordinal 000e for ZwAllocateLocallyUniqueId (NtAllocateLocallyUniqueId)
7c90d4b4: Syscall ordinal 000f for ZwAllocateUserPhysicalPages (NtAllocateUserPhysicalPages)
7c90d4c9: Syscall ordinal 0010 for ZwAllocateUuids (NtAllocateUuids)
7c90d4de: Syscall ordinal 0011 for ZwAllocateVirtualMemory (NtAllocateVirtualMemory)
7c90d4f3: Syscall ordinal 0012 for ZwAreMappedFilesTheSame (NtAreMappedFilesTheSame)
7c90d508: Syscall ordinal 0013 for ZwAssignProcessToJobObject (NtAssignProcessToJobObject)
7c90d51d: Syscall ordinal 0014 for ZwCallbackReturn (NtCallbackReturn)
7c90d532: Syscall ordinal 0015 for ZwCancelDeviceWakeupRequest (NtCancelDeviceWakeupRequest)
7c90d547: Syscall ordinal 0016 for ZwCancelIoFile (NtCancelIoFile)
7c90d55c: Syscall ordinal 0017 for ZwCancelTimer (NtCancelTimer)
7c90d571: Syscall ordinal 0018 for ZwClearEvent (NtClearEvent)
7c90d586: Syscall ordinal 0019 for ZwClose (NtClose)
7c90d59b: Syscall ordinal 001a for ZwCloseObjectAuditAlarm (NtCloseObjectAuditAlarm)
7c90d5b0: Syscall ordinal 001b for ZwCompactKeys (NtCompactKeys)
7c90d5c5: Syscall ordinal 001c for ZwCompareTokens (NtCompareTokens)
7c90d5da: Syscall ordinal 001d for ZwCompleteConnectPort (NtCompleteConnectPort)
7c90d5ef: Syscall ordinal 001e for ZwCompressKey (NtCompressKey)
7c90d604: Syscall ordinal 001f for ZwConnectPort (NtConnectPort)
7c90d619: Syscall ordinal 0020 for ZwContinue (NtContinue)
7c90d62e: Syscall ordinal 0021 for ZwCreateDebugObject (NtCreateDebugObject)
7c90d643: Syscall ordinal 0022 for ZwCreateDirectoryObject (NtCreateDirectoryObject)
7c90d658: Syscall ordinal 0023 for ZwCreateEvent (NtCreateEvent)
7c90d66d: Syscall ordinal 0024 for ZwCreateEventPair (NtCreateEventPair)
7c90d682: Syscall ordinal 0025 for ZwCreateFile (NtCreateFile)
7c90d697: Syscall ordinal 0026 for ZwCreateIoCompletion (NtCreateIoCompletion)
7c90d6ac: Syscall ordinal 0027 for ZwCreateJobObject (NtCreateJobObject)
7c90d6c1: Syscall ordinal 0028 for ZwCreateJobSet (NtCreateJobSet)
7c90d6d6: Syscall ordinal 0029 for ZwCreateKey (NtCreateKey)
7c90d6eb: Syscall ordinal 002a for ZwCreateMailslotFile (NtCreateMailslotFile)
7c90d700: Syscall ordinal 002b for ZwCreateMutant (NtCreateMutant)
7c90d715: Syscall ordinal 002c for ZwCreateNamedPipeFile (NtCreateNamedPipeFile)
7c90d72a: Syscall ordinal 002d for ZwCreatePagingFile (NtCreatePagingFile)
7c90d73f: Syscall ordinal 002e for ZwCreatePort (NtCreatePort)
7c90d754: Syscall ordinal 002f for ZwCreateProcess (NtCreateProcess)
7c90d769: Syscall ordinal 0030 for ZwCreateProcessEx (NtCreateProcessEx)
7c90d77e: Syscall ordinal 0031 for ZwCreateProfile (NtCreateProfile)
7c90d793: Syscall ordinal 0032 for ZwCreateSection (NtCreateSection)
7c90d7a8: Syscall ordinal 0033 for ZwCreateSemaphore (NtCreateSemaphore)
7c90d7bd: Syscall ordinal 0034 for ZwCreateSymbolicLinkObject (NtCreateSymbolicLinkObject)
7c90d7d2: Syscall ordinal 0035 for ZwCreateThread (NtCreateThread)
7c90d7e7: Syscall ordinal 0036 for ZwCreateTimer (NtCreateTimer)
7c90d7fc: Syscall ordinal 0037 for ZwCreateToken (NtCreateToken)
7c90d811: Syscall ordinal 0038 for ZwCreateWaitablePort (NtCreateWaitablePort)
7c90d826: Syscall ordinal 0039 for ZwDebugActiveProcess (NtDebugActiveProcess)
7c90d83b: Syscall ordinal 003a for ZwDebugContinue (NtDebugContinue)
7c90d850: Syscall ordinal 003b for ZwDelayExecution (NtDelayExecution)
7c90d865: Syscall ordinal 003c for ZwDeleteAtom (NtDeleteAtom)
7c90d87a: Syscall ordinal 003d for ZwDeleteBootEntry (NtDeleteBootEntry)
7c90d88f: Syscall ordinal 003e for ZwDeleteFile (NtDeleteFile)
7c90d8a4: Syscall ordinal 003f for ZwDeleteKey (NtDeleteKey)
7c90d8b9: Syscall ordinal 0040 for ZwDeleteObjectAuditAlarm (NtDeleteObjectAuditAlarm)
7c90d8ce: Syscall ordinal 0041 for ZwDeleteValueKey (NtDeleteValueKey)
7c90d8e3: Syscall ordinal 0042 for ZwDeviceIoControlFile (NtDeviceIoControlFile)
7c90d8f8: Syscall ordinal 0043 for ZwDisplayString (NtDisplayString)
7c90d90d: Syscall ordinal 0044 for ZwDuplicateObject (NtDuplicateObject)
7c90d922: Syscall ordinal 0045 for ZwDuplicateToken (NtDuplicateToken)
7c90d937: Syscall ordinal 0046 for ZwEnumerateBootEntries (NtEnumerateBootEntries)
7c90d94c: Syscall ordinal 0047 for ZwEnumerateKey (NtEnumerateKey)
7c90d961: Syscall ordinal 0048 for ZwEnumerateSystemEnvironmentValuesEx (NtEnumerateSystemEnvironmentValuesEx)
7c90d976: Syscall ordinal 0049 for ZwEnumerateValueKey (NtEnumerateValueKey)
7c90d98b: Syscall ordinal 004a for ZwExtendSection (NtExtendSection)
7c90d9a0: Syscall ordinal 004b for ZwFilterToken (NtFilterToken)
7c90d9b5: Syscall ordinal 004c for ZwFindAtom (NtFindAtom)
7c90d9ca: Syscall ordinal 004d for ZwFlushBuffersFile (NtFlushBuffersFile)
7c90d9df: Syscall ordinal 004e for ZwFlushInstructionCache (NtFlushInstructionCache)
7c90d9f4: Syscall ordinal 004f for ZwFlushKey (NtFlushKey)
7c90da09: Syscall ordinal 0050 for ZwFlushVirtualMemory (NtFlushVirtualMemory)
7c90da1e: Syscall ordinal 0051 for ZwFlushWriteBuffer (NtFlushWriteBuffer)
7c90da33: Syscall ordinal 0052 for ZwFreeUserPhysicalPages (NtFreeUserPhysicalPages)
7c90da48: Syscall ordinal 0053 for ZwFreeVirtualMemory (NtFreeVirtualMemory)
7c90da5d: Syscall ordinal 0054 for ZwFsControlFile (NtFsControlFile)
7c90da72: Syscall ordinal 0055 for ZwGetContextThread (NtGetContextThread)
7c90da87: Syscall ordinal 0056 for ZwGetDevicePowerState (NtGetDevicePowerState)
7c90da9c: Syscall ordinal 0057 for ZwGetPlugPlayEvent (NtGetPlugPlayEvent)
7c90dab1: Syscall ordinal 0058 for ZwGetWriteWatch (NtGetWriteWatch)
7c90dac6: Syscall ordinal 0059 for ZwImpersonateAnonymousToken (NtImpersonateAnonymousToken)
7c90dadb: Syscall ordinal 005a for ZwImpersonateClientOfPort (NtImpersonateClientOfPort)
7c90daf0: Syscall ordinal 005b for ZwImpersonateThread (NtImpersonateThread)
7c90db05: Syscall ordinal 005c for ZwInitializeRegistry (NtInitializeRegistry)
7c90db1a: Syscall ordinal 005d for ZwInitiatePowerAction (NtInitiatePowerAction)
7c90db2f: Syscall ordinal 005e for ZwIsProcessInJob (NtIsProcessInJob)
7c90db44: Syscall ordinal 005f for ZwIsSystemResumeAutomatic (NtIsSystemResumeAutomatic)
7c90db59: Syscall ordinal 0060 for ZwListenPort (NtListenPort)
7c90db6e: Syscall ordinal 0061 for ZwLoadDriver (NtLoadDriver)
7c90db83: Syscall ordinal 0062 for ZwLoadKey (NtLoadKey)
7c90db98: Syscall ordinal 0063 for ZwLoadKey2 (NtLoadKey2)
7c90dbad: Syscall ordinal 0064 for ZwLockFile (NtLockFile)
7c90dbc2: Syscall ordinal 0065 for ZwLockProductActivationKeys (NtLockProductActivationKeys)
7c90dbd7: Syscall ordinal 0066 for ZwLockRegistryKey (NtLockRegistryKey)
7c90dbec: Syscall ordinal 0067 for ZwLockVirtualMemory (NtLockVirtualMemory)
7c90dc01: Syscall ordinal 0068 for ZwMakePermanentObject (NtMakePermanentObject)
7c90dc16: Syscall ordinal 0069 for ZwMakeTemporaryObject (NtMakeTemporaryObject)
7c90dc2b: Syscall ordinal 006a for ZwMapUserPhysicalPages (NtMapUserPhysicalPages)
7c90dc40: Syscall ordinal 006b for ZwMapUserPhysicalPagesScatter (NtMapUserPhysicalPagesScatter)
7c90dc55: Syscall ordinal 006c for ZwMapViewOfSection (NtMapViewOfSection)
7c90dc6a: Syscall ordinal 006d for ZwModifyBootEntry (NtModifyBootEntry)
7c90dc7f: Syscall ordinal 006e for ZwNotifyChangeDirectoryFile (NtNotifyChangeDirectoryFile)
7c90dc94: Syscall ordinal 006f for ZwNotifyChangeKey (NtNotifyChangeKey)
7c90dca9: Syscall ordinal 0070 for ZwNotifyChangeMultipleKeys (NtNotifyChangeMultipleKeys)
7c90dcbe: Syscall ordinal 0071 for ZwOpenDirectoryObject (NtOpenDirectoryObject)
7c90dcd3: Syscall ordinal 0072 for ZwOpenEvent (NtOpenEvent)
7c90dce8: Syscall ordinal 0073 for ZwOpenEventPair (NtOpenEventPair)
7c90dcfd: Syscall ordinal 0074 for ZwOpenFile (NtOpenFile)
7c90dd12: Syscall ordinal 0075 for ZwOpenIoCompletion (NtOpenIoCompletion)
7c90dd27: Syscall ordinal 0076 for ZwOpenJobObject (NtOpenJobObject)
7c90dd3c: Syscall ordinal 0077 for ZwOpenKey (NtOpenKey)
7c90dd51: Syscall ordinal 0078 for ZwOpenMutant (NtOpenMutant)
7c90dd66: Syscall ordinal 0079 for ZwOpenObjectAuditAlarm (NtOpenObjectAuditAlarm)
7c90dd7b: Syscall ordinal 007a for ZwOpenProcess (NtOpenProcess)
7c90dd90: Syscall ordinal 007b for ZwOpenProcessToken (NtOpenProcessToken)
7c90dda5: Syscall ordinal 007c for ZwOpenProcessTokenEx (NtOpenProcessTokenEx)
7c90ddba: Syscall ordinal 007d for ZwOpenSection (NtOpenSection)
7c90ddcf: Syscall ordinal 007e for ZwOpenSemaphore (NtOpenSemaphore)
7c90dde4: Syscall ordinal 007f for ZwOpenSymbolicLinkObject (NtOpenSymbolicLinkObject)
7c90ddf9: Syscall ordinal 0080 for ZwOpenThread (NtOpenThread)
7c90de0e: Syscall ordinal 0081 for ZwOpenThreadToken (NtOpenThreadToken)
7c90de23: Syscall ordinal 0082 for ZwOpenThreadTokenEx (NtOpenThreadTokenEx)
7c90de38: Syscall ordinal 0083 for ZwOpenTimer (NtOpenTimer)
7c90de4d: Syscall ordinal 0084 for ZwPlugPlayControl (NtPlugPlayControl)
7c90de62: Syscall ordinal 0085 for ZwPowerInformation (NtPowerInformation)
7c90de77: Syscall ordinal 0086 for ZwPrivilegeCheck (NtPrivilegeCheck)
7c90de8c: Syscall ordinal 0087 for ZwPrivilegeObjectAuditAlarm (NtPrivilegeObjectAuditAlarm)
7c90dea1: Syscall ordinal 0088 for ZwPrivilegedServiceAuditAlarm (NtPrivilegedServiceAuditAlarm)
7c90deb6: Syscall ordinal 0089 for ZwProtectVirtualMemory (NtProtectVirtualMemory)
7c90decb: Syscall ordinal 008a for ZwPulseEvent (NtPulseEvent)
7c90dee0: Syscall ordinal 008b for ZwQueryAttributesFile (NtQueryAttributesFile)
7c90def5: Syscall ordinal 008c for ZwQueryBootEntryOrder (NtQueryBootEntryOrder)
7c90df0a: Syscall ordinal 008d for ZwQueryBootOptions (NtQueryBootOptions)
7c90df1f: Syscall ordinal 008e for ZwQueryDebugFilterState (NtQueryDebugFilterState)
7c90df34: Syscall ordinal 008f for ZwQueryDefaultLocale (NtQueryDefaultLocale)
7c90df49: Syscall ordinal 0090 for ZwQueryDefaultUILanguage (NtQueryDefaultUILanguage)
7c90df5e: Syscall ordinal 0091 for ZwQueryDirectoryFile (NtQueryDirectoryFile)
7c90df73: Syscall ordinal 0092 for ZwQueryDirectoryObject (NtQueryDirectoryObject)
7c90df88: Syscall ordinal 0093 for ZwQueryEaFile (NtQueryEaFile)
7c90df9d: Syscall ordinal 0094 for ZwQueryEvent (NtQueryEvent)
7c90dfb2: Syscall ordinal 0095 for ZwQueryFullAttributesFile (NtQueryFullAttributesFile)
7c90dfc7: Syscall ordinal 0096 for ZwQueryInformationAtom (NtQueryInformationAtom)
7c90dfdc: Syscall ordinal 0097 for ZwQueryInformationFile (NtQueryInformationFile)
7c90dff1: Syscall ordinal 0098 for ZwQueryInformationJobObject (NtQueryInformationJobObject)
7c90e006: Syscall ordinal 0099 for ZwQueryInformationPort (NtQueryInformationPort)
7c90e01b: Syscall ordinal 009a for ZwQueryInformationProcess (NtQueryInformationProcess)
7c90e030: Syscall ordinal 009b for ZwQueryInformationThread (NtQueryInformationThread)
7c90e045: Syscall ordinal 009c for ZwQueryInformationToken (NtQueryInformationToken)
7c90e05a: Syscall ordinal 009d for ZwQueryInstallUILanguage (NtQueryInstallUILanguage)
7c90e06f: Syscall ordinal 009e for ZwQueryIntervalProfile (NtQueryIntervalProfile)
7c90e084: Syscall ordinal 009f for ZwQueryIoCompletion (NtQueryIoCompletion)
7c90e099: Syscall ordinal 00a0 for ZwQueryKey (NtQueryKey)
7c90e0ae: Syscall ordinal 00a1 for ZwQueryMultipleValueKey (NtQueryMultipleValueKey)
7c90e0c3: Syscall ordinal 00a2 for ZwQueryMutant (NtQueryMutant)
7c90e0d8: Syscall ordinal 00a3 for ZwQueryObject (NtQueryObject)
7c90e0ed: Syscall ordinal 00a4 for ZwQueryOpenSubKeys (NtQueryOpenSubKeys)
7c90e102: Syscall ordinal 00a5 for ZwQueryPerformanceCounter (NtQueryPerformanceCounter)
7c90e117: Syscall ordinal 00a6 for ZwQueryQuotaInformationFile (NtQueryQuotaInformationFile)
7c90e12c: Syscall ordinal 00a7 for ZwQuerySection (NtQuerySection)
7c90e141: Syscall ordinal 00a8 for ZwQuerySecurityObject (NtQuerySecurityObject)
7c90e156: Syscall ordinal 00a9 for ZwQuerySemaphore (NtQuerySemaphore)
7c90e16b: Syscall ordinal 00aa for ZwQuerySymbolicLinkObject (NtQuerySymbolicLinkObject)
7c90e180: Syscall ordinal 00ab for ZwQuerySystemEnvironmentValue (NtQuerySystemEnvironmentValue)
7c90e195: Syscall ordinal 00ac for ZwQuerySystemEnvironmentValueEx (NtQuerySystemEnvironmentValueEx)
7c90e1aa: Syscall ordinal 00ad for ZwQuerySystemInformation (NtQuerySystemInformation
RtlGetNativeSystemInformation)
7c90e1bf: Syscall ordinal 00ae for ZwQuerySystemTime (NtQuerySystemTime)
7c90e1d4: Syscall ordinal 00af for ZwQueryTimer (NtQueryTimer)
7c90e1e9: Syscall ordinal 00b0 for ZwQueryTimerResolution (NtQueryTimerResolution)
7c90e1fe: Syscall ordinal 00b1 for ZwQueryValueKey (NtQueryValueKey)
7c90e213: Syscall ordinal 00b2 for ZwQueryVirtualMemory (NtQueryVirtualMemory)
7c90e228: Syscall ordinal 00b3 for ZwQueryVolumeInformationFile (NtQueryVolumeInformationFile)
7c90e23d: Syscall ordinal 00b4 for ZwQueueApcThread (NtQueueApcThread)
7c90e252: Syscall ordinal 00b5 for ZwRaiseException (NtRaiseException)
7c90e267: Syscall ordinal 00b6 for ZwRaiseHardError (NtRaiseHardError)
7c90e27c: Syscall ordinal 00b7 for ZwReadFile (NtReadFile)
7c90e291: Syscall ordinal 00b8 for ZwReadFileScatter (NtReadFileScatter)
7c90e2a6: Syscall ordinal 00b9 for ZwReadRequestData (NtReadRequestData)
7c90e2bb: Syscall ordinal 00ba for ZwReadVirtualMemory (NtReadVirtualMemory)
7c90e2d0: Syscall ordinal 00bb for ZwRegisterThreadTerminatePort (NtRegisterThreadTerminatePort)
7c90e2e5: Syscall ordinal 00bc for ZwReleaseMutant (NtReleaseMutant)
7c90e2fa: Syscall ordinal 00bd for ZwReleaseSemaphore (NtReleaseSemaphore)
7c90e30f: Syscall ordinal 00be for ZwRemoveIoCompletion (NtRemoveIoCompletion)
7c90e324: Syscall ordinal 00bf for ZwRemoveProcessDebug (NtRemoveProcessDebug)
7c90e339: Syscall ordinal 00c0 for ZwRenameKey (NtRenameKey)
7c90e34e: Syscall ordinal 00c1 for ZwReplaceKey (NtReplaceKey)
7c90e363: Syscall ordinal 00c2 for ZwReplyPort (NtReplyPort)
7c90e378: Syscall ordinal 00c3 for ZwReplyWaitReceivePort (NtReplyWaitReceivePort)
7c90e38d: Syscall ordinal 00c4 for ZwReplyWaitReceivePortEx (NtReplyWaitReceivePortEx)
7c90e3a2: Syscall ordinal 00c5 for ZwReplyWaitReplyPort (NtReplyWaitReplyPort)
7c90e3b7: Syscall ordinal 00c6 for ZwRequestDeviceWakeup (NtRequestDeviceWakeup)
7c90e3cc: Syscall ordinal 00c7 for ZwRequestPort (NtRequestPort)
7c90e3e1: Syscall ordinal 00c8 for ZwRequestWaitReplyPort (NtRequestWaitReplyPort)
7c90e3f6: Syscall ordinal 00c9 for ZwRequestWakeupLatency (NtRequestWakeupLatency)
7c90e40b: Syscall ordinal 00ca for ZwResetEvent (NtResetEvent)
7c90e420: Syscall ordinal 00cb for ZwResetWriteWatch (NtResetWriteWatch)
7c90e435: Syscall ordinal 00cc for ZwRestoreKey (NtRestoreKey)
7c90e44a: Syscall ordinal 00cd for ZwResumeProcess (NtResumeProcess)
7c90e45f: Syscall ordinal 00ce for ZwResumeThread (NtResumeThread)
7c90e474: Syscall ordinal 00cf for ZwSaveKey (NtSaveKey)
7c90e489: Syscall ordinal 00d0 for ZwSaveKeyEx (NtSaveKeyEx)
7c90e49e: Syscall ordinal 00d1 for ZwSaveMergedKeys (NtSaveMergedKeys)
7c90e4b3: Syscall ordinal 00d2 for ZwSecureConnectPort (NtSecureConnectPort)
7c90e4c8: Syscall ordinal 00d3 for ZwSetBootEntryOrder (NtSetBootEntryOrder)
7c90e4dd: Syscall ordinal 00d4 for ZwSetBootOptions (NtSetBootOptions)
7c90e4f2: Syscall ordinal 00d5 for ZwSetContextThread (NtSetContextThread)
7c90e507: Syscall ordinal 00d6 for ZwSetDebugFilterState (NtSetDebugFilterState)
7c90e51c: Syscall ordinal 00d7 for ZwSetDefaultHardErrorPort (NtSetDefaultHardErrorPort)
7c90e531: Syscall ordinal 00d8 for ZwSetDefaultLocale (NtSetDefaultLocale)
7c90e546: Syscall ordinal 00d9 for ZwSetDefaultUILanguage (NtSetDefaultUILanguage)
7c90e55b: Syscall ordinal 00da for ZwSetEaFile (NtSetEaFile)
7c90e570: Syscall ordinal 00db for ZwSetEvent (NtSetEvent)
7c90e585: Syscall ordinal 00dc for ZwSetEventBoostPriority (NtSetEventBoostPriority)
7c90e59a: Syscall ordinal 00dd for ZwSetHighEventPair (NtSetHighEventPair)
7c90e5af: Syscall ordinal 00de for ZwSetHighWaitLowEventPair (NtSetHighWaitLowEventPair)
7c90e5c4: Syscall ordinal 00df for ZwSetInformationDebugObject (NtSetInformationDebugObject)
7c90e5d9: Syscall ordinal 00e0 for ZwSetInformationFile (NtSetInformationFile)
7c90e5ee: Syscall ordinal 00e1 for ZwSetInformationJobObject (NtSetInformationJobObject)
7c90e603: Syscall ordinal 00e2 for ZwSetInformationKey (NtSetInformationKey)
7c90e618: Syscall ordinal 00e3 for ZwSetInformationObject (NtSetInformationObject)
7c90e62d: Syscall ordinal 00e4 for ZwSetInformationProcess (NtSetInformationProcess)
7c90e642: Syscall ordinal 00e5 for ZwSetInformationThread (NtSetInformationThread)
7c90e657: Syscall ordinal 00e6 for ZwSetInformationToken (NtSetInformationToken)
7c90e66c: Syscall ordinal 00e7 for ZwSetIntervalProfile (NtSetIntervalProfile)
7c90e681: Syscall ordinal 00e8 for ZwSetIoCompletion (NtSetIoCompletion)
7c90e696: Syscall ordinal 00e9 for ZwSetLdtEntries (NtSetLdtEntries)
7c90e6ab: Syscall ordinal 00ea for ZwSetLowEventPair (NtSetLowEventPair)
7c90e6c0: Syscall ordinal 00eb for ZwSetLowWaitHighEventPair (NtSetLowWaitHighEventPair)
7c90e6d5: Syscall ordinal 00ec for ZwSetQuotaInformationFile (NtSetQuotaInformationFile)
7c90e6ea: Syscall ordinal 00ed for ZwSetSecurityObject (NtSetSecurityObject)
7c90e6ff: Syscall ordinal 00ee for ZwSetSystemEnvironmentValue (NtSetSystemEnvironmentValue)
7c90e714: Syscall ordinal 00ef for ZwSetSystemEnvironmentValueEx (NtSetSystemEnvironmentValueEx)
7c90e729: Syscall ordinal 00f0 for ZwSetSystemInformation (NtSetSystemInformation)
7c90e73e: Syscall ordinal 00f1 for ZwSetSystemPowerState (NtSetSystemPowerState)
7c90e753: Syscall ordinal 00f2 for ZwSetSystemTime (NtSetSystemTime)
7c90e768: Syscall ordinal 00f3 for ZwSetThreadExecutionState (NtSetThreadExecutionState)
7c90e77d: Syscall ordinal 00f4 for ZwSetTimer (NtSetTimer)
7c90e792: Syscall ordinal 00f5 for ZwSetTimerResolution (NtSetTimerResolution)
7c90e7a7: Syscall ordinal 00f6 for ZwSetUuidSeed (NtSetUuidSeed)
7c90e7bc: Syscall ordinal 00f7 for ZwSetValueKey (NtSetValueKey)
7c90e7d1: Syscall ordinal 00f8 for ZwSetVolumeInformationFile (NtSetVolumeInformationFile)
7c90e7e6: Syscall ordinal 00f9 for ZwShutdownSystem (NtShutdownSystem)
7c90e7fb: Syscall ordinal 00fa for ZwSignalAndWaitForSingleObject (NtSignalAndWaitForSingleObject)
7c90e810: Syscall ordinal 00fb for ZwStartProfile (NtStartProfile)
7c90e825: Syscall ordinal 00fc for ZwStopProfile (NtStopProfile)
7c90e83a: Syscall ordinal 00fd for ZwSuspendProcess (NtSuspendProcess)
7c90e84f: Syscall ordinal 00fe for ZwSuspendThread (NtSuspendThread)
7c90e864: Syscall ordinal 00ff for ZwSystemDebugControl (NtSystemDebugControl)
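The pattern B8 ? 00 00 00 has a single wildcard byte, so it can only match ordinals 00 to ff, which is where the listing above stops. The following is an added example, not the post's script: it runs outside IDA on a constructed byte buffer and goes beyond the post by also capturing the full 32-bit immediate. The function names, offsets, base address and ordinals in the sample are constructed.

```python
import re
import struct

# MOV edx, 7FFE0300h: the second instruction of the prolog described in the post.
MOV_EDX_STUB = b"\xba" + struct.pack("<I", 0x7FFE0300)

# The post's pattern, B8 ? 00 00 00 ...: only the low byte of the immediate varies.
# re.DOTALL matters: without it "." skips byte 0x0A and ordinal 000a is lost.
NARROW = re.compile(b"\xb8(.)\x00\x00\x00" + re.escape(MOV_EDX_STUB), re.DOTALL)
# Generalisation (not from the post): capture the whole 32-bit immediate.
WIDE = re.compile(b"\xb8(.{4})" + re.escape(MOV_EDX_STUB), re.DOTALL)


def syscall_ordinals(image, functions, base=0, pattern=WIDE):
    """Return {address: (ordinal, name)} for functions that start with the prolog.

    `functions` maps a name to its offset in `image`; in IDA this is what
    Functions() and Name() supply. Matching is anchored at the function start,
    like the `address == func` check in the post's script.
    """
    found = {}
    for name, offset in functions.items():
        m = pattern.match(image, offset)
        if m is None:
            continue
        # Pad the captured bytes to a little-endian dword before decoding.
        ordinal = struct.unpack("<I", m.group(1).ljust(4, b"\x00"))[0]
        found[base + offset] = (ordinal, name)
    return found


def make_stub(ordinal, ret_bytes):
    """Constructed stub: mov eax, ordinal / mov edx, 7FFE0300h / call [edx] / retn N."""
    return (b"\xb8" + struct.pack("<I", ordinal) + MOV_EDX_STUB
            + b"\xff\x12" + b"\xc2" + struct.pack("<H", ret_bytes))


def build_sample():
    """Constructed image: two stubs, one ordinary function, one look-alike."""
    parts = [
        ("ZwSampleLow", make_stub(0x0025, 0x2C)),
        ("RtlSampleHelper", b"\x8b\xff\x55\x8b\xec\x5d\xc3"),
        ("ZwSampleHigh", make_stub(0x0112, 0x24)),
        # mov eax, 7 / mov edx, 12345678h: same shape, different target.
        ("SampleDecoy", b"\xb8\x07\x00\x00\x00\xba\x78\x56\x34\x12\xc3"),
    ]
    image, functions = b"", {}
    for name, code in parts:
        functions[name] = len(image)
        image += code + b"\x90" * 5  # NOP padding between functions
    return image, functions


if __name__ == "__main__":
    image, functions = build_sample()
    for label, pattern in (("narrow", NARROW), ("wide", WIDE)):
        print(label)
        hits = syscall_ordinals(image, functions, 0x1000, pattern)
        for addr, (ordinal, name) in sorted(hits.items()):
            print("%08x: Syscall ordinal %04x for %s" % (addr, ordinal, name))
```

In IDA the equivalent change is a second wildcard in the search string, so the second byte of the immediate is no longer fixed at 00.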
Update: As somebody pointed out in the comments, there's a really good compilation of system call ordinals up at Metasploit's site.