Kuba Gretzky · Jan 10, 2023 · 4:09 PM UTC

Kuba Gretzky

Kuba Gretzky @mrgretzky

Jan 10

After continuing to see new tools emerging, which rely on extracting the NTDLL syscall IDs from "mov eax, X" instruction, I wanted to remind everyone that syscall IDs can easily be calculated by sorting the addresses of Nt*/Zw* functions in NTDLL from lowest to highest. 🍻

278

sixtyvividtails · Jan 10, 2023 · 11:11 PM UTC

sixtyvividtails @sixtyvividtails

Jan 10

It's neat property, but some people just don't feel safe relying on it. "Today linker sorts 'em, but tomorrow it won't; and one day PGO may move deprecated stuff far away (e.g. eventpair syscalls)" - it's that kind of thinking. So they opt for more mundane/defensive methods.

ElephantSe4l · Jan 11, 2023 · 1:58 AM UTC

ElephantSe4l · Jan 11, 2023 · 1:58 AM UTC

ElephantSe4l @ElephantSe4l

Jan 11

Replying to @sixtyvividtails @mrgretzky

This property is not “set” by the linker. It is not a coincidence. Windows use syscall numbers to get real kernel addresses of the services. Then, to build NTDLL stubs, Windows get all the numbers in order to build an ASM file including all stubs.

Jan 11, 2023 · 1:58 AM UTC

ElephantSe4l · Jan 11, 2023 · 1:58 AM UTC

ElephantSe4l @ElephantSe4l

Jan 11

Replying to @ElephantSe4l @sixtyvividtails @mrgretzky

Later, this file will be compiled resulting in all stubs being ordered by the service number.

more replies