Windows System Call and CSR API tables updated

Having the first spare weekend in a really long time, I have decided it was high time to update some (all) of the tables related to Windows system calls and CSR API I once created and now try to maintain. This includes NT API syscalls for the 32-bit and 64-bit Intel platforms, win32k.sys syscalls for 32-bit and 64-bit Intel platforms, as well as CSR API information formatted in two different ways for convenience (a list and a table). Without further ado, all of the tables now contain up-to-date data covering all operating systems available to me at the time, including Windows 8, 8.1 and Server 2012. The links are as follows:

NT system calls

Win32k.sys system calls

CSR API calls

Pointers to all tables can also be found in the left pane under the “OS Structures” section. If you spot a bug in any of the tables or have any other comments, let me know. I hope you find them useful!

3 thoughts on “Windows System Call and CSR API tables updated”

  1. Hi,
    I recently decided to generate lib with all ntstubs\shadowstubs for my project, and used your tables to quickly (visually) check if there are any obvious discrepancies in my api indeces. What I noticed is you have some extra functions in your tables (like xHalGetInterruptTranslator), and some others are missing (like NtFilterTokenEx, which has index 0x00d1 in my table x64_62_9200). It’s probably not a big deal, coz discrepancies are probably present only in clashed functions (the ones which map to same useless one-line kernel functions, despite having different index), but in case you’d want to update your tables here is pack of mine (with all clashes scriptually resolved): https://mega.co.nz/#!5t1DxI4J!XP_r0GmWFnBeDslckHs6ARmIflFur-Z3UGPJ_5gP6DM
    I generated stuff only for supported by MS nt6: 60_6002, 61_7601, 62_9200, 63_9600; x32 and x64; nt and win32k. To produce them for other OS versions, I can give you my idapython script, althought it became really messy by now ^)

  2. Hey sixtyvividtails,

    Thanks for dropping a line. I am aware of the fact that some of the system calls clash and have nonsensical names as a result (these of stub functions in the kernel), though as you mentioned, these are rare cases that only occur for syscalls that are not useful, and it’s unlikely anyone would ever want to use them (unless one wants to create a 100% accurate list of system calls). Back when generating the tables for the first time I decided to just disregard these corner cases, and resolving the clashes would probably take some time at this point. I’ll keep that in mind and try to clean up the table as soon as I have some spare time.

    The idapython script would surely come in handy to save some time. ;)

    Cheers,
    -j.

Comments are closed.