
Windows 8 Syscall Interface and Export Table diffing fun

Due to my forthcoming move to Switzerland, I haven’t had much time to post anything new here for quite some time. Hopefully, this will change soon after I am set up in my new location. In the meantime, I would like to share several tables presenting the differences in export table symbols and in the native and graphical System Call Interface between a fully patched Windows 7 64-bit platform and the recently released Windows 8 Developer Preview. Since only x64 binaries are currently available to me, the tables are based on this one architecture alone; I will soon supplement the set with 32-bit comparisons (as long as there are any changes between those two).

An example table (Windows 7 vs Windows 8 executive services) is presented below:

Added in new ntoskrnl.exe:
NtAddAtomEx
NtAlertThreadByThreadId
NtAlpcConnectPortEx
NtAssociateWaitCompletionPacket
NtCancelWaitCompletionPacket
NtCreateDirectoryObjectEx
NtCreateLowBoxToken
NtCreateTokenEx
NtCreateWaitCompletionPacket
NtCreateWnfStateName
NtDeleteWnfStateData
NtDeleteWnfStateName
NtFlushBuffersFileEx
NtPrefetchVirtualMemory
NtQueryWnfStateData
NtQueryWnfStateNameInformation
NtSetSystemCodeIntegrityRoots
NtSubscribeWnfStateChange
NtUnmapViewOfSectionEx
NtUnsubscribeWnfStateChange
NtUpdateWnfStateData
NtWaitForAlertByThreadId
NtWaitForWnfNotifications

Removed from new ntoskrnl.exe:
NtCreateJobSet
NtFlushInstructionCache
NtGetPlugPlayEvent


A semi-complete (more diffs will follow) set of tables can be found here.
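The diff behind a table like the one above is a set comparison of service names, but the more useful byproduct for anyone maintaining tooling that relies on syscall numbers is the renumbering it implies. The following is an added example, not code from this post or from the published tables; it assumes each build's service names are supplied in the order they appear in the dumped service table, so that a service's number is its position and every insertion shifts the entries after it. The sample lists are constructed from a few names on this page.

```python
# Added example, not code from j00ru's post or his published tables: given the
# service names of two ntoskrnl.exe builds, listed in the order they appear in
# the dumped service table, reproduce the post's "added / removed" diff and also
# report which unchanged services ended up with a different syscall number.
# Assumption: a service's number is its position in the table, so an inserted
# entry shifts every entry that follows it.
from typing import Dict, List, Tuple

# Constructed sample in assumed table order: shared services plus two names the
# post lists as added in Windows 8 and two it lists as removed. Real tables are
# far larger; the numbers below are positions in this sample, not real ones.
WIN7_X64 = ["NtWaitForSingleObject", "NtAcceptConnectPort", "NtAccessCheck",
            "NtAddAtom", "NtAddBootEntry", "NtAlertThread",
            "NtCreateJobSet", "NtGetPlugPlayEvent"]
WIN8_X64 = ["NtWaitForSingleObject", "NtAcceptConnectPort", "NtAccessCheck",
            "NtAddAtom", "NtAddAtomEx", "NtAddBootEntry", "NtAlertThread",
            "NtAlertThreadByThreadId"]


def service_numbers(table: List[str]) -> Dict[str, int]:
    """Syscall number of each service = its index in the dumped table."""
    return {name: number for number, name in enumerate(table)}


def diff_tables(old: List[str], new: List[str]
                ) -> Tuple[List[str], List[str], List[Tuple[str, int, int]]]:
    """Return (added, removed, renumbered); renumbered holds (name, old, new)."""
    old_no, new_no = service_numbers(old), service_numbers(new)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    # Walk the old table in order so shifted entries come out in table order.
    renumbered = [(name, old_no[name], new_no[name])
                  for name in old
                  if name in new_no and old_no[name] != new_no[name]]
    return added, removed, renumbered


def render(old: List[str], new: List[str]) -> str:
    """Plain-text report in the spirit of the post's added/removed table."""
    added, removed, renumbered = diff_tables(old, new)
    lines = ["Added:   " + ", ".join(added), "Removed: " + ", ".join(removed)]
    lines += [f"{name}: {o:#06x} -> {n:#06x}" for name, o, n in renumbered]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(WIN7_X64, WIN8_X64))
```

In the sample, adding NtAddAtomEx shifts NtAddBootEntry and NtAlertThread by one, which is exactly why a tool that hardcodes numbers for one build misbehaves on the next.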

The list of files which have already been processed and uploaded is as follows:

Plus the two system service providers:

Aaaand… that’s about it, have fun! :)

3 Comments

  1. K_K | 21-Sep-11 at 18:54:15

    Thank you for sharing your research! Have you paid attention to MS11-063?

  2. LordDoskiass | 22-Sep-11 at 03:57:08

    Hi, I’m curious as to how you found the SSDT. Did you perform pattern matching, or is there a convenient way in which it is exported in a structure or something? Because on 7 x64 the SSDT is not exported, so you have to resort to pattern matching?

  3. j00ru | 22-Sep-11 at 04:22:29

    @LordDoskiass: Well to be honest, there was no magic behind it. As you noted, it might have been difficult (or at least not the most convenient) to find the SSDT and shadow SSDT at run-time, so I just loaded the modules into IDA and dumped the tables “statically”.
