Refreshed Windows System Call Table (NT/2000/XP/2003/Vista/2008/7/8) released

Long time no see, huh? :-)

TL;DR: I created and released a complete Windows NT-family syscall table. See the bottom of the post for a link.

For the last couple of years, the Metasploit project (gritz skape!) has been hosting a table of the core Windows kernel services, also known as system calls (originally available at http://dev.metasploit.com/users/opcode/syscalls.html). In its final version, the table included information regarding Windows NT (all recent service packs), 2000 (all service packs), XP (up to SP2), 2003 (up to SP1) and Vista (up to SP0). As years passed, new operating system editions were being released by Microsoft, while existing ones had new Service Packs made available for them. Consequently, due to lack of active maintainance, the project has became partially outdated, and eventually disappeared from the metasploit domain around four weeks ago.

Today, I would like to present a table based on the same concept (well, even the layout doesn’t differ too much), but supplemented with information about the originally missing Windows versions, including Windows 8 Developer Preview available since less than two months. The table contains a list of every Windows kernel service found at any point in the history of Windows NT-family, together with the syscall id for all OS editions it was present on. Unfortunately, it lacks the corresponding syscall handlers’ definitions; that’s simply because most of the NTAPI interface is not publicly documented by Microsoft. As such, the project has a primarily informative purpose – you can observe how the Windows native api has evolved through all these years, what kind of functionality might have been introduced in new system versions and which parts were removed, and so on. I believe you can also use it to pick an interesting Windows internals research subject, if you feel like performing one :-)

The most recent version of the table can be found here: https://j00ru.vexillium.org/syscalls/nt/32/

As the table width has grown up to quite a large size (it didn’t fit into my laptop’s monitor), I had to narrow it. In its current form, you can expand and hide information about individual Windows editions, or simply show all of the items (check the Show all and Hide all buttons). As a remainder, I have been also hosting the Windows Graphical System Call list for both 32- and 64-bit system versions (blog post). I will do my best to fill the rest of the empty cells in a few days.

Comments? Suggestions? Feel free to drop a line.

Oh by the way, in case you haven’t noticed yet: Michal Zalewski’s (aka lcamtuf) new book called “The Tangled Web” went public just two days ago. Suffice to say it’s a very solid book, focused on all the small details and quirks the modern client-side web security is all about. For more information, see http://nostarch.com/tangledweb.htm or http://lcamtuf.coredump.cx/tangled/.

Update (22.11.2011): I have just uploaded the requested 64-bit version of the table, find it here.

14 thoughts on “Refreshed Windows System Call Table (NT/2000/XP/2003/Vista/2008/7/8) released”

  1. Your syscall ids for Winodws 7 are totally wrong. I just noticed it with NtQueryInformationProcess. In your table it is 0x00ea but the correct value is 0x16.

    Please try to fix it.

  2. @Plum: No dude, you are totally wrong :-)

    But seriously – you are referring to the 64-bit version of Windows 7, while this table is only specific to the X86 platform. I guess I should have noted it in the post, apologies for the confusion.

  3. Thanks for the information. Are you going to add the 64-bit versions of the operating systems too? This is already a great table but without 64-bit sys calls the table is kind of useless due to incompleteness.

    Who the hell is using windows 7 x86? :O

  4. Thank you very much. I have one little question. Is “Windows 2008 Server” the R2 edition (6.1) or the old one (6.0)?

  5. jooru,
    U have not provided the arguments of the system calls And data type details of the arguments. I need them seriously. I know, u know that very well, can u send the arguments details of system call. I am creating a portable system call interface for all popular OS.

    I am doing very hard work. If u give me a helping hand, we can make a great thing…

    By the way really really thank u for the information….

  6. U have not provided the arguments of the system calls And data type details of the arguments. I need them seriously. I know, u know that very well, can u send the arguments details of system call. I am creating a portable system call interface for all popular OS.

    I am doing very hard work. If u give me a helping hand, we can make a great thing…

    By the way really really thank u for the information….

Comments are closed.