flat assembler
Message board for the users of flat assembler.

Index > Windows > Is there a list of syscall?

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
znatz



Joined: 08 Jul 2012
Posts: 13
Location: 日本
znatz 10 Sep 2012, 06:29
Sorry for a newbie question.
When debugging, I traced the ExitProcess function of kernel32.dll. I can traced it to the following code, and then it ended.

mov r8, ecx
mov rax, 0x29
syscall

Would somebody help me with the follwoing question?

1. Is there a way to trace into syscall?
2. Is there a reference of all syscall functions for windows 7?
3. I have seen sever posts mentioned sysenter, what actually does this instruction do?
Post 10 Sep 2012, 06:29
View user's profile Send private message AIM Address Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20356
Location: In your JS exploiting you and your system
revolution 10 Sep 2012, 07:03
znatz wrote:
1. Is there a way to trace into syscall?
Use a kernel mode debugger.
znatz wrote:
2. Is there a reference of all syscall functions for windows 7?
Yes. But I doubt that MS will let you see it.
znatz wrote:
3. I have seen sever posts mentioned sysenter, what actually does this instruction do?
See either the Intel or AMD manuals. They explain the functions of all instructions.
Post 10 Sep 2012, 07:03
View user's profile Send private message Visit poster's website Reply with quote
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 10 Sep 2012, 13:50
some references, here,
http://j00ru.vexillium.org/ntapi/
Cheers,

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 10 Sep 2012, 13:50
View user's profile Send private message Visit poster's website Reply with quote
znatz



Joined: 08 Jul 2012
Posts: 13
Location: 日本
znatz 10 Sep 2012, 15:03
hopcode wrote:
some references, here,
http://j00ru.vexillium.org/ntapi/
Cheers,


Thank you all!

And as to the reference, I had seen it before, but I had no idea what the ID means in the table.
Does it mean the calling convention of windows syscall is as follows?

mov rax, ID
syscall
Post 10 Sep 2012, 15:03
View user's profile Send private message AIM Address Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20356
Location: In your JS exploiting you and your system
revolution 10 Sep 2012, 15:13
znatz: Note that any list of syscall numbers can only ever be considered approximate. MS have never published such a list and therefore might just decide to change them in the next patch-Tuesday. So use at your own risk.
Post 10 Sep 2012, 15:13
View user's profile Send private message Visit poster's website Reply with quote
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
hopcode 10 Sep 2012, 15:42
Quote:
Does it mean the calling convention of windows syscall is as follows?
mov rax, ID
syscall
yes,in EAX exactly for Windows. for example the
Code:
ntdll.NtReadFile:
mov r10,rcx
mov eax,3
syscall
ret    
the id function 3, is common to all the following 64bit OS versions
Windows XP
Windows 2003 Server
Windows Vista
Windows 2008 Server
Windows 7
Windows 8

for the rest of used registers/flags, OS must conform to the CPU.
this makes code not only OS-dependent but CPU-dependent too.
also, use carefully by conditional compilation, and after the above warning.

Cheers,

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 10 Sep 2012, 15:42
View user's profile Send private message Visit poster's website Reply with quote
znatz



Joined: 08 Jul 2012
Posts: 13
Location: 日本
znatz 11 Sep 2012, 08:20
Thanks a lot!!
Post 11 Sep 2012, 08:20
View user's profile Send private message AIM Address Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 12 Jun 2023, 13:57
hopcode wrote:
some references, here,
http://j00ru.vexillium.org/ntapi/
Cheers,


The syscall numbers change from release to release, not reliable to use syscall.

I have seen a reverse-engineering tutorial that actually shows how to generate syscall table in current release of Windows.

But it is cool to have that table nonetheless!
Post 12 Jun 2023, 13:57
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 12 Jun 2023, 15:01
Are both the same? From my preliminary research, the exit code returned are the same.

Runs on my Windows 10:
Code:
format PE64 console
entry start

section ".code" code executable readable

start:

    mov rdx, 7
    or  rcx, 0xFFFFFFFFFFFFFFFF
    ;xor rcx, rcx
    mov r10, rcx
    mov rax, 0x2C
    syscall            


Normal code:
Code:
format PE64 console
entry start

include "win64a.inc"

section ".code" code executable readable

start:

    mov  rcx, 7
    call [ExitProcess]

section ".idata" import readable

    library kernel, "kernel32.dll"

    import kernel, ExitProcess, "ExitProcess"        


No import table if use syscall, Laughing
Post 12 Jun 2023, 15:01
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20356
Location: In your JS exploiting you and your system
revolution 12 Jun 2023, 15:48
Using syscalls has one advantage that I know of. You can bypass the normal APIs to create arbitrary filenames, including nulls. Because internally NT doesn't use c-strings with zero termination, you pass the length instead.

This also creates a headache for anyone trying to open/read/write/delete such files with the normal APIs. It isn't possible to name them using c-strings because the name never matches a null.

However that one advantage isn't enough outweigh all the other disadvantages IMO. The code is unreliable, untransferable and sensitive to any changes. Have fun. Razz
Post 12 Jun 2023, 15:48
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4046
Location: vpcmpistri
bitRAKE 12 Jun 2023, 19:38
I wonder if MS uses some of the syscalls? Especially in cases where they don't seem to change?

https://hfiref0x.github.io/NT10_syscalls.html
hfiref0x wrote:
410 NtTerminateProcess 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
... there does appear to be a subset which are constant thru a large number of builds. Of course, no guarantees and little/no documentation. (Looks like <103 is constant through Win10/11.)

I think they should totally randomize them on each build.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 12 Jun 2023, 19:38
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20356
Location: In your JS exploiting you and your system
revolution 13 Jun 2023, 02:03
bitRAKE wrote:
I think they should totally randomize them on each build.
And then claim it is "for security".
Post 13 Jun 2023, 02:03
View user's profile Send private message Visit poster's website Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 13 Jun 2023, 05:56
revolution wrote:
Using syscalls has one advantage that I know of. You can bypass the normal APIs to create arbitrary filenames, including nulls. Because internally NT doesn't use c-strings with zero termination, you pass the length instead.

As long as you're not writing shellcode, why not just link against the Nt* APIs in ntdll.dll?

_________________
Image - carpe noctem
Post 13 Jun 2023, 05:56
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 2519
Furs 13 Jun 2023, 13:16
revolution wrote:
Using syscalls has one advantage that I know of. You can bypass the normal APIs to create arbitrary filenames, including nulls. Because internally NT doesn't use c-strings with zero termination, you pass the length instead.

This also creates a headache for anyone trying to open/read/write/delete such files with the normal APIs. It isn't possible to name them using c-strings because the name never matches a null.

However that one advantage isn't enough outweigh all the other disadvantages IMO. The code is unreliable, untransferable and sensitive to any changes. Have fun. Razz
Damn, that's actually worse than Linux (which allows control characters in filenames, like newlines, but not NULs at least).
Post 13 Jun 2023, 13:16
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20356
Location: In your JS exploiting you and your system
revolution 13 Jun 2023, 13:25
Not just nulls, but all 2^16 word values are allowable. So null, forward/backward slashes, etc. are all good as far as NTFS is concerned. And it has no encoding, just raw words. So invalid UTF-16 is fine.

Which, BTW, I forgot to mention, you also need the backend FS to support such ugliness. Using FAT or EXT4 is not going to work.
Post 13 Jun 2023, 13:25
View user's profile Send private message Visit poster's website Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 802
Location: Russian Federation, Sochi
ProMiNick 13 Jun 2023, 13:50
Flier-Mate wrote:
Are both the same? From my preliminary research, the exit code returned are the same.

Runs on my Windows 10:
Code:
format PE64 console
entry start

section ".code" code executable readable

start:

    mov rdx, 7
    or  rcx, 0xFFFFFFFFFFFFFFFF
    ;xor rcx, rcx
    mov r10, rcx
    mov rax, 0x2C
    syscall            


Normal code:
Code:
format PE64 console
entry start

include "win64a.inc"

section ".code" code executable readable

start:

    mov  rcx, 7
    call [ExitProcess]

section ".idata" import readable

    library kernel, "kernel32.dll"

    import kernel, ExitProcess, "ExitProcess"        


No import table if use syscall, :lol:


No import table, no syscall, just return of exit code in eax
Code:
format PE64 console
entry start

section ".code" code executable readable

start:

    mov eax, 7
    ret     

_________________
I don`t like to refer by "you" to one person.
My soul requires acronim "thou" instead.
Post 13 Jun 2023, 13:50
View user's profile Send private message Send e-mail Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 13 Jun 2023, 14:27
ProMiNick wrote:

No import table, no syscall, just return of exit code in eax
Code:
format PE64 console
entry start

section ".code" code executable readable

start:

    mov eax, 7
    ret     


Yes, it works, but is "ret" a reliable way to end a Windows program?

The purpose of my code in this thread was to learn syscall, but yeah, it is good to know your code also work.
Post 13 Jun 2023, 14:27
View user's profile Send private message Reply with quote
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 13 Jun 2023, 15:56
[quote="Flier-Mate"]
ProMiNick wrote:
Yes, it works, but is "ret" a reliable way to end a Windows program?

No, it's not part of the specification – it works only because of an implementation detail.

Unless you're doing 4k intros, import and call ExitProcess.

_________________
Image - carpe noctem
Post 13 Jun 2023, 15:56
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8356
Location: Kraków, Poland
Tomasz Grysztar 13 Jun 2023, 16:27
f0dder wrote:
Flier-Mate wrote:
Yes, it works, but is "ret" a reliable way to end a Windows program?

No, it's not part of the specification – it works only because of an implementation detail.

Unless you're doing 4k intros, import and call ExitProcess.
Any thread started with CreateThread can be closed this way:
Quote:
The thread execution begins at the function specified by the lpStartAddress parameter. If this function returns, the DWORD return value is used to terminate the thread in an implicit call to the ExitThread function.
So the only detail that is open for interpretation is whether the first thread of the process is treated specially. My stance was that unless it is plainly stated somewhere, this thread should not behave differently from others. Otherwise, if it was special, how could you be sure that it would obey ExitThread, for example? But that's mostly an issue with how documentation is written - it may not give a strong argument for exiting the main thread with RET, but in my opinion it is an argument for improving the documentation.

In any case, the best you can assume is that RET exits the thread, not the process. It only happens to end the process when there are no other threads - another implicit (and potentially unsafe) assumption.
Post 13 Jun 2023, 16:27
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20356
Location: In your JS exploiting you and your system
revolution 13 Jun 2023, 16:51
Imported libraries can start their own threads. Your app has no control over that.

So if you import a library that creates a new thread you find that your app doesn't exit when using ret because there are other threads still running.

I say there is no advantage to using ret except for "hacker points" or something. If you just want your stuff to work without any unexpected weird behaviours use ExitProcess and sleep soundly.

The same goes for Linux with "exit". Your app can hang if a .so import makes a new thread. Use "exit_group". Sleep soundly.
Post 13 Jun 2023, 16:51
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.