Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers’ definitions). As one of the most important part of the communication process between user’s applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.
Considering the above facts, the popularity of a (mostly) full system call list created by the Metasploit Project shouldn’t be a surprise. Their list covers most of the modern Windows NT-family systems, from Windows NT4, up to Windows Vista SP0. What is more, apart from the syscall numbers corresponding to certain kernel functions, the table also provides complete definitions of these functions.
What should be noted is that the described table contains information about only a part of all system calls – the ones exported by the kernel executable (ntoskrnl.exe). The graphical syscalls – exported by an external module called win32k.sys – have not been taken into account, at all. During my research on how some of the Windows user interface functions work, a need to access information about system calls IDs greater than 0x1000 (values of this kind are used to communicate with the graphical part of the kernel) appeared. Since I failed to find a list, that could be compared with what Metasploit presents, I decided to create one on my own!
The current version of the Windows Graphical System Call List can be found under the following address: https://j00ru.vexillium.org/syscalls/win32k/32/.