Syscall lister


OpenRCE_omega_red
November 24th, 2007, 18:50
Right, one gotta start somewhere. I have been lurking here for some time now, and eventually thought that I could gather various bits'n'pieces of my code and "research" stuff. Nothing really serious, but maybe someone will find it useful.

Let's start with a utility that lists all system calls exported by the Windows kernel. This project started out of my curiosity about how it all works, and after some time I managed to even finish it. On the way, I wrote my first real-world kernel driver (an extremely simple one), which helped me in later project(s).

Essentially, this utility works by using the abovementioned driver to access kernel memory (no \Device\PhysicalMemory hacks anymore...) and read the service tables; it also uses dbghelp/symsrv to retrieve kernel symbols from the MS symbol repository. Later on I fixed some bugs with different kernel flavors (UP/MP) and added x64 support. The next step will be Vista support; about time to learn WDF.

You can find the package here: http://omeg.pl/code/syscall.zip
It consists of the MemMap driver (single source for both Win32 and Win64, just compile using the proper DDK environment), and 32- & 64-bit versions of the usermode client.

Sample output:
XP 32bit: http://omeg.pl/code/syscall-xp-32.txt
XP 64bit: http://omeg.pl/code/syscall-xp-64.txt

One might expect that these lists will be quite similar, but that's not completely true. Both kernels export a very similar set of functions, but they differ in ordering. The 32bit kernel (the PAE one on vmware in this example) has its syscalls sorted alphabetically, while on 64bit they seem ordered quite randomly. At first I thought it was a bug in my code, but the following snippet from the 64bit ntdll shows that it's correct:

Code:
ntdll!ZwMapUserPhysicalPagesScatter:
00000000`77ef0a10 4c8bd1 mov r10,rcx
00000000`77ef0a13 b800000000 mov eax,0
00000000`77ef0a18 0f05 syscall
00000000`77ef0a1a c3 ret
00000000`77ef0a1b 666690 xchg ax,ax
00000000`77ef0a1e 6690 xchg ax,ax
ntdll!ZwWaitForSingleObject:
00000000`77ef0a20 4c8bd1 mov r10,rcx
00000000`77ef0a23 b801000000 mov eax,1
00000000`77ef0a28 0f05 syscall
00000000`77ef0a2a c3 ret
00000000`77ef0a2b 666690 xchg ax,ax
00000000`77ef0a2e 6690 xchg ax,ax


That's in line with the lister's output:
Code:
Table #0: fffff80001076e00, 0128 entries, \WINDOWS\system32\ntoskrnl.exe
0000: NtMapUserPhysicalPagesScatter (ntoskrnl.exe)
0001: NtWaitForSingleObject (ntoskrnl.exe)


The second thing that comes to mind is that the win32k tables are completely different. More puzzles for Gynvael. Well, the XP x64 kernel is the same one as in 2k3. Would it mean that GDI on both versions is so different internally? Too bad WRK doesn't contain win32k sources...

2007/07/13 - merged the 32- and 64bit versions into a single source and cleaned the code a bit (lister and driver). Also updated the sample output.
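As an added illustration (not code from the post or from the syscall lister package), the following C function decodes the x64 ntdll stub pattern shown in the disassembly above (mov r10,rcx ; mov eax,imm32 ; syscall ; ret) and returns the service index the stub loads into eax, which is the number the lister prints in front of each table entry. The byte arrays are constructed from the post's own listing, plus one constructed sequence that does not follow the pattern to show that a non-matching stub is rejected rather than misdecoded.

```c
/* Decoder for the x64 ntdll syscall stub pattern shown in the post.
 * Not part of the syscall lister; sample bytes are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Returns the service index encoded in an x64 stub, or -1 if the bytes
 * do not match the pattern: 4C 8B D1 / B8 imm32 / 0F 05 / C3. */
int decode_x64_stub(const uint8_t *p, size_t len)
{
    if (len < 11) return -1;                       /* shortest valid stub */
    if (p[0] != 0x4C || p[1] != 0x8B || p[2] != 0xD1) return -1; /* mov r10,rcx */
    if (p[3] != 0xB8) return -1;                   /* mov eax,imm32 */
    uint32_t idx = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                   ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24); /* little-endian */
    if (p[8] != 0x0F || p[9] != 0x05) return -1;   /* syscall */
    if (p[10] != 0xC3) return -1;                  /* ret */
    if (idx > 0x7FFFFFFF) return -1;               /* keep result representable as int */
    return (int)idx;
}

/* Bytes of ntdll!ZwMapUserPhysicalPagesScatter as listed in the post
 * (including the xchg ax,ax padding that follows the ret). */
static const uint8_t stub_scatter[] = {
    0x4C,0x8B,0xD1, 0xB8,0x00,0x00,0x00,0x00, 0x0F,0x05, 0xC3,
    0x66,0x66,0x90, 0x66,0x90 };
/* Bytes of ntdll!ZwWaitForSingleObject as listed in the post. */
static const uint8_t stub_wait[] = {
    0x4C,0x8B,0xD1, 0xB8,0x01,0x00,0x00,0x00, 0x0F,0x05, 0xC3,
    0x66,0x66,0x90, 0x66,0x90 };
/* Constructed: same length, but the leading mov r10,rcx / mov eax is replaced
 * by a 5-byte relative jmp, so the bytes no longer form the expected stub. */
static const uint8_t stub_other[] = {
    0xE9,0x00,0x00,0x00,0x00, 0x00,0x00,0x00, 0x0F,0x05, 0xC3 };

int main(void)
{
    printf("ZwMapUserPhysicalPagesScatter -> %d\n",
           decode_x64_stub(stub_scatter, sizeof stub_scatter));
    printf("ZwWaitForSingleObject -> %d\n",
           decode_x64_stub(stub_wait, sizeof stub_wait));
    printf("non-matching bytes -> %d\n",
           decode_x64_stub(stub_other, sizeof stub_other));
    return 0;
}
```

The two decoded values (0 and 1) match the indices the lister prints for NtMapUserPhysicalPagesScatter and NtWaitForSingleObject in Table #0 above.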

https://www.openrce.org/blog/view/808/Syscall_lister