blabberer
September 22nd, 2005, 06:52
well, system calls are not standard throughout the different versions of operating systems.
those are normally numbers which the system identifies as a specific function via a table that it holds (trap gate, interrupt gate, gdtr, ldtr, blah and all such exotic undocumented or poorly documented structures),
and it would probably be a useless overhead coding identifiers on user mode code, maybe, which would obviously be of no use to normal debugging.
for example a system call to ZwCreateFile() in ntdll may look like this:

    mov eax, 0x##               ; <-- the system service number
    mov R32, <params>           ; the copy of params on the stack
    mov edx, 0x7ffe0000+0x300   ; KUSER_SHARED_DATA + SystemCallStub
    call [edx]                  ; <-- which would enter the system through KiFastSystemCall

0x7ffe0000 is called KuserSharedpage.
now if you are persistent you can find all those call numbers from a variety of sources.
one good debugger combination could be using windbg and livekd from sysinternals, or maybe using local debugging in windbg if you are on xp-sp2 and > os like w2k3, and getting it to spit out those call addresses via
    x Nt!C*
etc., or loading the kdex2x86 extensions and doing strct! blah,
or look for papers by skape, spoonm etc. on the subject.
the metasploit project has a pretty good reference on all those system calls, and they have documented all those system calls along with their respective numbers and prototypes of the calls and parameters, right from nt to w2k3.
probably you could write a plugin to label them inside OllyDbg,
or maybe make a complete ntdll.arg file and make Olly recognize all those calls along with their parameters ??
just like it recognizes MessageBoxA(). how's that for a suggestion ??
hopefully you could accept those suggestions and produce something in return for all of those who use Olly in future.
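As an added example (my own code, not from the post above nor from any OllyDbg plugin), here is a Python sketch of the labelling the post suggests: it parses the XP SP2-style ntdll stub pattern described in the post out of a constructed export table, recovers each export's service number, and takes the parameter count from the `ret imm16` stack cleanup. The stub encoding, the export names and the sample service numbers are assumptions built for this example.

```python
import struct
from typing import Dict, Optional, Tuple

# Assumed layout of an XP SP2-style ntdll syscall stub (as described in the post):
#   B8 imm32        mov eax, <system service number>
#   BA 00 03 FE 7F  mov edx, 0x7FFE0300   ; KUSER_SHARED_DATA (0x7FFE0000) + SystemCallStub (0x300)
#   FF 12           call dword ptr [edx]  ; enters the kernel via KiFastSystemCall
#   C2 imm16        ret <bytes of stack arguments>  ; stdcall cleanup, 4 bytes per parameter
SYSCALL_STUB_PTR = 0x7FFE0300
STUB_LEN = 15


def parse_stub(code: bytes) -> Optional[Tuple[int, int]]:
    """Return (service_number, param_count) if code starts with a stub, else None."""
    if len(code) < STUB_LEN or code[0] != 0xB8 or code[5] != 0xBA:
        return None
    number = struct.unpack_from("<I", code, 1)[0]
    edx_imm = struct.unpack_from("<I", code, 6)[0]
    if edx_imm != SYSCALL_STUB_PTR or code[10:13] != b"\xff\x12\xc2":
        return None
    stack_bytes = struct.unpack_from("<H", code, 13)[0]
    return number, stack_bytes // 4


def build_stub(number: int, param_count: int) -> bytes:
    """Assemble a stub; used here only to construct the sample export bodies."""
    return (b"\xb8" + struct.pack("<I", number)
            + b"\xba" + struct.pack("<I", SYSCALL_STUB_PTR)
            + b"\xff\x12\xc2" + struct.pack("<H", param_count * 4))


def label_exports(exports: Dict[str, bytes]) -> Dict[str, Tuple[int, int]]:
    """Map each export that is a syscall stub to (service number, parameter count)."""
    labels = {}
    for name, body in exports.items():
        parsed = parse_stub(body)
        if parsed is not None:
            labels[name] = parsed
    return labels


def format_labels(labels: Dict[str, Tuple[int, int]]) -> str:
    """One label line per stub, in the style a debugger plugin could attach."""
    return "\n".join(f"{n} = service 0x{num:X}, {argc} args" for n, (num, argc) in sorted(labels.items()))


# Constructed sample "export table": the numbers and arities are made up for this example.
SAMPLE_EXPORTS = {
    "ZwCreateFile": build_stub(0x25, 11),
    "ZwClose": build_stub(0x19, 1),
    "RtlInitUnicodeString": b"\x8b\xff\x55\x8b\xec" + b"\x90" * 10,  # not a syscall stub, skipped
}
```

Calling `format_labels(label_exports(SAMPLE_EXPORTS))` prints the two Zw stubs with their numbers and argument counts and leaves the Rtl export unlabelled.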
