
Question to Trace-Log


squareD
September 21st, 2005, 09:52
What does this mean in a Trace-Log?

"KiFastSystemCallR"

I don't know what happens there...

Regards,
squareD

blabberer
September 21st, 2005, 11:29
KiFastSystemCall is used to enter the Executive (also called kernel or ring 0,
or in other words ntoskrnl.exe) to run code that is privileged and not accessible by user mode code.
For example, your code calls CreateFileA(blah blah blah),
which in turn calls CreateFileW; CreateFileW, after some initialization,
ends in ntoskrnl via ntdll.dll with a system call using KiFastSystemCall.
In earlier processors and OS versions it was using an interrupt (aka int 2e, the system services interrupt); newer processors have eliminated some overheads,
and improved performance is obtained by using KiFastSystemCall.

If you meant you want to trace inside this call using ollydbg,
you can't do it, because olly is not a kernel debugger but an application debugger that runs in normal ring 3 privilege.

You would need a kernel debugger (windbg's kd or softice, for example)
to trace through those calls.

In the trace log, if you see that, then it means a system call was executed.

Now if you are not interested in system calls but user mode code only,
you can set up a breakpoint on the system call's return and do
ctrl+f11 or ctrl+f12 again once the breakpoint is hit.
If it was recovering from an exception it would use ZwContinue
in ntdll; you can find the return address from the context structure that was passed to that call and break there.

squareD
September 21st, 2005, 12:11
OK, I understood that...

It would only be helpful if Olly would indicate which system call was executed.

blabberer
September 22nd, 2005, 06:52
Well, system calls are not standard throughout the different versions of
operating systems.
Those are normally numbers which the system identifies as a specific function via a table that it holds (trap gate, interrupt gate, gdtr, ldtr, blah,
and all such exotic undocumented or poorly documented structures),
and it would probably be a useless overhead coding identifiers into user mode code, which would obviously be of no use to normal
debugging.

For example, a system call to ZwCreateFile() in ntdll may look like this:
mov eax, 0x##               ; the system service number
mov edx, 0x7ffe0000+0x300   ; address of the SystemCallStub pointer in the shared user page
call dword ptr [edx]        ; enters the system through KiFastSystemCall (mov edx,esp / sysenter), edx pointing at the params on the stack
ret 0x##                    ; stdcall cleanup of the parameters

0x7ffe0000 is called KuserSharedpage

Now if you are persistent you can find all those call numbers
from a variety of sources.
One good debugger combination could be using windbg and livekd from sysinternals, or maybe using local debugging in windbg
if you are on xp-sp2 and later OSes like w2k3,

and getting it to spit out those call addresses via
x Nt!C* etc.
or loading the kdex2x86 extensions and doing strct! blah

or look for papers by skape, spoonm etc. on the subject.
The metasploit project has a pretty good reference on all those system calls,
and they have documented all those system calls along with their
respective numbers and prototypes of the calls and parameters,
right from nt to w2k3.

Probably you could write a plugin to label them inside ollydbg,
or maybe make a complete ntdll.arg file and make olly recognize all those calls along with their parameters?? Just like it recognizes MessageBoxA(). How's that for a suggestion??
Hopefully you could accept those suggestions and produce
something in return for all of those who use olly in future.
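As an added example (not code from this thread or from any of its posters), here is a small Python decoder for the stub layout described above, handling both the KiFastSystemCall form and the older int 2Eh form mentioned in the first reply; this is the kind of recognition a labelling plugin would need. The stub bytes are constructed, and the XP SP2 service number for NtCreateFile is an assumption for illustration, so check it against your own ntdll.dll.

```python
import struct

# Constructed sample bytes (not taken from a real ntdll.dll), in the two
# x86 stub shapes the thread describes: the XP-era KiFastSystemCall form
# and the older int 2Eh form.
FAST_STUB = bytes.fromhex("B825000000" "BA0003FE7F" "FF12" "C22C00")
INT2E_STUB = bytes.fromhex("B825000000" "8D542404" "CD2E" "C22C00")

KUSER_SHARED_DATA = 0x7FFE0000
SYSTEM_CALL_STUB = KUSER_SHARED_DATA + 0x300  # holds &KiFastSystemCall

# Assumed service numbers (XP SP2 x86); they differ between OS builds,
# which is why a label table must be built per target.
SERVICE_NAMES = {0x25: "NtCreateFile"}


def decode_syscall_stub(code):
    """Decode one x86 ntdll system-call stub.

    Returns a dict with the service number, its label, the entry
    mechanism and the argument count, or None if the bytes do not
    match either stub shape.
    """
    if len(code) < 5 or code[0] != 0xB8:            # mov eax, imm32
        return None
    service = struct.unpack_from("<I", code, 1)[0]
    pos = 5
    if code[pos:pos + 1] == b"\xBA" and code[pos + 5:pos + 7] == b"\xFF\x12":
        # mov edx, imm32 ; call dword ptr [edx]
        target = struct.unpack_from("<I", code, pos + 1)[0]
        if target != SYSTEM_CALL_STUB:               # not the shared-page stub
            return None
        mechanism = "KiFastSystemCall"
        pos += 7
    elif code[pos:pos + 6] == b"\x8D\x54\x24\x04\xCD\x2E":
        # lea edx, [esp+4] ; int 2Eh
        mechanism = "int 2Eh"
        pos += 6
    else:
        return None
    if len(code) < pos + 3 or code[pos] != 0xC2:     # ret imm16
        return None
    stack_bytes = struct.unpack_from("<H", code, pos + 1)[0]
    return {
        "service": service,
        "name": SERVICE_NAMES.get(service, "unknown_0x%x" % service),
        "mechanism": mechanism,
        "argc": stack_bytes // 4,                    # stdcall: 4 bytes each
    }
```

The argument count comes from the ret imm16 cleanup, which is why it can be recovered without any symbol information.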