flat assembler
Message board for the users of flat assembler.

[fasmg] Abstracting windows syscall function numbers ...

bitRAKE 16 Sep 2024, 20:34
There is a useful database of syscall numbers organized by build number. With fasmg there is a simple way to create an abstraction that utilizes these files directly:
Code:
define SYSCALLS SYSCALLS ; searchable namespace
namespace SYSCALLS
        ; the expectation is a name followed by a number
        calminstruction reader line&
                match =mvmacro?= any?,line
                jno go
                assemble line
                exit

        go:     match name= value,line
                jno unkwn
;               compute value,value ; note: `transform doesn't work with numerical values
                publish name:,value
                exit

        unkwn:  stringify line
                display "invalid syscall listing: "
                display line
                err
        end calminstruction

        ; ntoskrnl service table
        include "x86_64\NT10\ntos\" bappend SYSCALL_BUILD bappend ".txt",\
        mvmacro ?,reader
        mvmacro reader,?

        ; Win32k service table
        include "x86_64\NT10\win32k\" bappend SYSCALL_BUILD bappend ".txt",\
        mvmacro ?,reader
        mvmacro reader,?
        purge reader
end namespace ; SYSCALLS

calminstruction syscall? function
        transform function,SYSCALLS
        jyes known
        arrange function,=syscall function
        assemble function
        exit

known:  arrange function,=mov =eax, function
        assemble function
        arrange function,=syscall
        assemble function
end calminstruction
The Windows build can be configured on the command line for fasmg/2, or prior to including the thin abstraction:
Code:
include 'syscall.g', SYSCALL_BUILD equ "22000" ; change to your system build
...

        mov r10, [hStdOut]
        syscall NtClose

        xor edx, edx ; NTSTATUS
        mov r10, NtCurrentProcess ; HANDLE, optional
        syscall NtTerminateProcess
The typical disclaimer exists for using syscalls - they are undocumented and build-specific. Yet, many system functions are consistent across many builds. For example, if one wanted to support just Windows 10/11 in 64-bit, we can look at a convenient table to see the consistency.

Syscall usage can be much more complex than the Win32 APIs. So, expect a steep learning curve.

Example on GitHub.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
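Added example (not from bitRAKE's post or repository): a small Python reader for the same "name followed by a number" listing format the `reader` calminstruction consumes, with the same invalid-line check, plus a cross-build comparison that shows which entries the "build-specific" caveat actually affects. The listings, the `NtExample*` names and every number below are constructed placeholders, not real service numbers.

```python
import re
from typing import Dict, Optional
# "name number": decimal, 0x-hex or fasm-style trailing-h hex; anything else is invalid.
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z_]\w*)\s+(?P<value>0[xX][0-9A-Fa-f]+|[0-9][0-9A-Fa-f]*[hH]|[0-9]+)$"
)

def to_int(token: str) -> int:
    if token[:2].lower() == "0x":
        return int(token[2:], 16)
    if token[-1].lower() == "h":
        return int(token[:-1], 16)
    return int(token, 10)

def parse_listing(text: str) -> Dict[str, int]:
    """Parse one build's listing into {name: number}; a malformed line raises
    ValueError, mirroring the reader's 'invalid syscall listing' error."""
    table: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # tolerate ; comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"invalid syscall listing (line {lineno}): {raw!r}")
        name, value = m["name"], to_int(m["value"])
        if table.get(name, value) != value:
            raise ValueError(f"conflicting entries for {name} (line {lineno})")
        table[name] = value
    return table

def resolve(table: Dict[str, int], name: str) -> Optional[int]:
    """Like `syscall?`: a known name gives the number for eax, else None (bare syscall)."""
    return table.get(name)

def unstable_across_builds(builds: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, Optional[int]]]:
    """Names whose number differs between builds (missing counts as different)."""
    out = {}
    for n in sorted(set().union(*builds.values())):
        per_build = {b: t.get(n) for b, t in builds.items()}
        if len(set(per_build.values())) > 1:
            out[n] = per_build
    return out

# Constructed sample listings in the reader's format; the numbers are placeholders.
LISTINGS = {
    "19041": "NtClose 10\nNtTerminateProcess 0x11\nNtExampleA 12h\n",
    "22000": "NtClose 10\nNtTerminateProcess 0x11\nNtExampleA 13h\nNtExampleB 20\n",
}
TABLES = {build: parse_listing(text) for build, text in LISTINGS.items()}
```

Pointing `LISTINGS` at the real per-build files from the database gives the stable/unstable split the post's "convenient table" shows, and a malformed file fails loudly instead of silently producing a wrong number.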
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.