After continuing to see new tools emerging, which rely on extracting the NTDLL syscall IDs from the "mov eax, X" instruction, I wanted to remind everyone that syscall IDs can easily be calculated by sorting the addresses of Nt*/Zw* functions in NTDLL from lowest to highest. 🍻
It's a neat property, but some people just don't feel safe relying on it. "Today linker sorts 'em, but tomorrow it won't; and one day PGO may move deprecated stuff far away (e.g. eventpair syscalls)" - it's that kind of thinking. So they opt for more mundane/defensive methods.
This property is not “set” by the linker. It is not a coincidence. Windows uses syscall numbers to get real kernel addresses of the services. Then, to build NTDLL stubs, Windows gets all the numbers in order to build an ASM file including all stubs.
Jan 11, 2023 · 1:58 AM UTC