Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers’ definitions). As one of the most important part of the communication process between user’s applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.
Considering the above facts, the popularity of a (mostly) full system call list created by the Metasploit Project shouldn’t be a surprise. Their list covers most of the modern Windows NT-family systems, from Windows NT4, up to Windows Vista SP0. What is more, apart from the syscall numbers corresponding to certain kernel functions, the table also provides complete definitions of these functions.
What should be noted is that the described table contains information about only a part of all system calls – the ones exported by the kernel executable (ntoskrnl.exe). The graphical syscalls – exported by an external module called win32k.sys – have not been taken into account, at all. During my research on how some of the Windows user interface functions work, a need to access information about system calls IDs greater than 0x1000 (values of this kind are used to communicate with the graphical part of the kernel) appeared. Since I failed to find a list, that could be compared with what Metasploit presents, I decided to create one on my own!
The current version of the Windows Graphical System Call List can be found under the following address: https://j00ru.vexillium.org/syscalls/win32k/32/.
The initial idea of the project is to cover all the x86 Microsoft Windows NT-family systems, including Windows 7. The empty holes easily noticeable inside the table are a consequence of the fact that I don’t have access to all the OS versions placed on the site. However, the list is going to be continuously filled with information retrieved from new systems as I get access to those; the final purpose is to create a syscall collation at least as good as what Metasploit presents. On the other hand, I am not yet able to provide the handling functions’ definitions – as for now, it is still in my TODO list – one must keep in mind that this project is still in its “alpha state”.
While I have done my best to ensure that the information provided by the list is accurate, it is possible that one or more mistakes might remain. I want to encourage every interested person to report any bug figured out, as well as any other kind of oversights present on the website. Furthermore, all comments (or complementary data) regarding the project are obviously very welcome!
Thanks in advance && have fun!
Po przeczytaniu tego wpisu od razu pomyślałem o innym projekcie, który od dawna chodził mi po głowie. Jakiś czas temu powstał fuzzer o nazwie BSoDHook, który umożliwia test filtrowanych syscalli. Program ten posiada kilka mankamentów, a mianowicie: nie zawiera definicji wszystkich usług macierzystych (można dodać je ręcznie) oraz umożliwia test wyłącznie usług przechwytywanych na poziomie SDT. A przecież zdarza się oprogramowanie, które korzysta z inline hookingu.
Postaram się w najbliższym czasie podesłać numery syscalli dla Windows 2k3 SP1.
Pozdrawiam,
Alex
@Alex: Thx za info, nie znalem tego ;> Inna sprawa, czy to ma szanse w ogole dac jakies realne wyniki….
Co do syscalli, to wszystkie brakujace listy bardzo mile widziane ;>
The horror… the very first call in the table is called DestroyPhysicalMonitor.
And that beast is exposed via user mode as well: http://msdn.microsoft.com/en-us/library/dd692936(v=vs.85).aspx