flat assembler
Message board for the users of flat assembler.

Windows forum: Is there a list of syscall?
znatz
Joined: 08 Jul 2012
Posts: 13
Location: Japan
Sorry for a newbie question.
When debugging, I traced the ExitProcess function of kernel32.dll. I could trace it to the following code, and then it ended.

mov r10, rcx    ; syscall clobbers rcx, so the first argument is passed in r10
mov rax, 0x29   ; system call number
syscall

Would somebody help me with the following questions?

1. Is there a way to trace into syscall?
2. Is there a reference of all syscall functions for windows 7?
3. I have seen several posts mentioning sysenter; what does this instruction actually do?
Post 10 Sep 2012, 06:29
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
znatz wrote:
1. Is there a way to trace into syscall?
Use a kernel mode debugger.
znatz wrote:
2. Is there a reference of all syscall functions for windows 7?
Yes. But I doubt that MS will let you see it.
znatz wrote:
3. I have seen several posts mentioning sysenter; what does this instruction actually do?
See either the Intel or AMD manuals. They explain the functions of all instructions.
Post 10 Sep 2012, 07:03
hopcode
Joined: 04 Mar 2008
Posts: 563
Location: Germany
Some references here:
http://j00ru.vexillium.org/ntapi/
Cheers,

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 10 Sep 2012, 13:50
znatz
Joined: 08 Jul 2012
Posts: 13
Location: Japan
hopcode wrote:
Some references here:
http://j00ru.vexillium.org/ntapi/
Cheers,


Thank you all!

And as to the reference, I had seen it before, but I had no idea what the ID in the table means.
Does it mean the calling convention of the Windows syscall is as follows?

mov rax, ID
syscall
Post 10 Sep 2012, 15:03
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
znatz: Note that any list of syscall numbers can only ever be considered approximate. MS have never published such a list and therefore might just decide to change them in the next Patch Tuesday. So use at your own risk.
Post 10 Sep 2012, 15:13
hopcode
Joined: 04 Mar 2008
Posts: 563
Location: Germany
Quote:
Does it mean the calling convention of the Windows syscall is as follows?
mov rax, ID
syscall
Yes, in EAX exactly, for Windows. For example:
Code:
ntdll.NtReadFile:
    mov r10, rcx    ; syscall clobbers rcx, so the first argument goes in r10
    mov eax, 3      ; system call id
    syscall
    ret
The function id 3 is common to all of the following 64-bit OS versions:
Windows XP
Windows 2003 Server
Windows Vista
Windows 2008 Server
Windows 7
Windows 8

For the rest of the registers/flags used, the OS must conform to the CPU.
This makes the code not only OS-dependent but CPU-dependent too.
Also, use it carefully, under conditional compilation, and with the above warning in mind.

Cheers,

_________________
⠓⠕⠏⠉⠕⠙⠑
Post 10 Sep 2012, 15:42
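The stub that hopcode shows, and that znatz asked about, is a fixed byte pattern: `mov r10, rcx` (4C 8B D1), `mov eax, imm32` (B8 + four little-endian bytes), `syscall` (0F 05), `ret` (C3). The following is an added example, not code from this thread or from any Windows component: it assembles that stub for a given id, decodes the id back out of a stub's bytes, and compares two stub dumps to show which ids differ, which is the practical consequence of revolution's warning that the numbers are unpublished and may change between builds. It generalizes slightly beyond the exact four-instruction form on the page by also accepting `mov rax, imm32` (48 C7 C0) for the id load, as written in the first post, and by tolerating extra bytes between the id load and the `syscall`. The encodings are the standard x86-64 ones; every stub dump and the function name `NtSomeHypotheticalCall` are constructed for the example, and the only id taken from the thread is 0x29, which the first post traced from ExitProcess.

```python
"""Encoder/decoder for the Windows x64 user-mode syscall stub (added example).

The stub discussed in the thread is:
    mov r10, rcx      ; 4C 8B D1   syscall clobbers rcx, so arg 1 moves to r10
    mov eax, <id>     ; B8 imm32   the id from a table such as j00ru's
    syscall           ; 0F 05
    ret               ; C3
Encodings are the standard x86-64 ones. All dumps below are constructed;
only 0x29 (the ExitProcess id traced in the first post) comes from the thread.
"""
import struct
from typing import Dict, Optional, Tuple

MOV_R10_RCX = b"\x4c\x8b\xd1"
MOV_EAX_IMM32 = b"\xb8"            # mov eax, imm32
MOV_RAX_IMM32 = b"\x48\xc7\xc0"    # mov rax, imm32 (sign-extended), as in the first post
SYSCALL = b"\x0f\x05"
RET = b"\xc3"


def assemble_stub(syscall_id: int) -> bytes:
    """Emit the canonical 11-byte stub for `syscall_id`."""
    if not 0 <= syscall_id <= 0xFFFF:
        raise ValueError("syscall id out of range")
    return MOV_R10_RCX + MOV_EAX_IMM32 + struct.pack("<I", syscall_id) + SYSCALL + RET


def decode_stub(code: bytes) -> Optional[int]:
    """Recover the syscall id from a stub, or None if `code` is not one.

    Accepts `mov eax, imm32` or `mov rax, imm32` for the id load and only
    requires that a `syscall` follows within the next 24 bytes, so a stub with
    extra instructions between the id load and the syscall is still decoded.
    """
    if not code.startswith(MOV_R10_RCX):
        return None
    rest = code[len(MOV_R10_RCX):]
    if rest.startswith(MOV_EAX_IMM32):
        imm_at = len(MOV_EAX_IMM32)
    elif rest.startswith(MOV_RAX_IMM32):
        imm_at = len(MOV_RAX_IMM32)
    else:
        return None
    if len(rest) < imm_at + 4:
        return None
    (syscall_id,) = struct.unpack_from("<I", rest, imm_at)
    tail = rest[imm_at + 4: imm_at + 4 + 24]
    if SYSCALL not in tail:
        return None  # id load without a syscall after it is not a stub
    return syscall_id


def changed_ids(old: Dict[str, bytes], new: Dict[str, bytes]) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Names whose decoded id differs between two stub dumps: name -> (old, new)."""
    diff = {}
    for name in old.keys() & new.keys():
        a, b = decode_stub(old[name]), decode_stub(new[name])
        if a != b:
            diff[name] = (a, b)
    return diff


# Constructed dumps of two hypothetical builds. Only NtTerminateProcess = 0x29
# is taken from the thread; the other name and both of its ids are made up.
BUILD_A = {
    "NtTerminateProcess": assemble_stub(0x29),
    "NtSomeHypotheticalCall": assemble_stub(0x100),
}
BUILD_B = {
    "NtTerminateProcess": assemble_stub(0x29),
    "NtSomeHypotheticalCall": assemble_stub(0x101),  # renumbered in the newer build
}

if __name__ == "__main__":
    print(assemble_stub(0x29).hex(" "))
    print(decode_stub(MOV_R10_RCX + MOV_RAX_IMM32 + struct.pack("<I", 0x29) + SYSCALL))
    print(changed_ids(BUILD_A, BUILD_B))
```

Running the script prints the 11 stub bytes for id 0x29, decodes the `mov rax` variant from the first post to the same id, and reports the one constructed name whose id moved between the two builds; a stub that lacks the `syscall` after the id load decodes to None rather than to a misleading number.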
znatz
Joined: 08 Jul 2012
Posts: 13
Location: Japan
Thanks a lot!!
Post 11 Sep 2012, 08:20
Copyright © 1999-2020, Tomasz Grysztar.