<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, 'EmojiFont', 'Apple Color Emoji', 'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol', 'Android Emoji', EmojiSymbols;">
<p style="margin-top:0; margin-bottom:0">Hi guys,</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">In my plugin, I need to track the syscalls invoked by a specified process in Windows 7, x86. I'm building it on top of the "syscalls2" plugin. In particular, I registered the callback "on_unknown_sys_enter" in the plugin's init function in this way:</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<pre>
bool init_plugin()
{
    ...
    /* ask syscalls2 to call my_unknown_sys_enter_t on every unrecognised syscall entry */
    PPP_REG_CB("syscalls2", on_unknown_sys_enter, my_unknown_sys_enter_t);
    ...
}
</pre>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">and I defined such callback as follows:</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<div>
<pre>
void my_unknown_sys_enter_t(CPUState *env, target_ulong pc, target_ulong callno)
{
    /* get_current_process() returns a heap copy owned by the caller; it must be freed below. */
    OsiProc *proc = get_current_process(env);
    if (proc == NULL)
        return;
    /* proc_to_track is the global holding the name of the process to follow. */
    bool found = (proc-&gt;name != NULL &amp;&amp; strcmp(proc-&gt;name, proc_to_track) == 0);
    if (found) {
        fprintf(mem_log, "%s invoking syscall number " TARGET_FMT_lx "\n", proc-&gt;name, callno);
    }
    free_osiproc(proc);   /* release the copy allocated by get_current_process() */
}
</pre>
<br>
where "proc_to_track" is the name of the process I want to track. When I run it, I'm getting unreal values of "callno". I mean that a Windows syscall number is in the range [0, 400] (in decimal), but I'm getting larger values. Here I report a small portion of the output:<br>
<br>
<div>upatre_a.exe invoking syscall number 00001212<br>
upatre_a.exe invoking syscall number 00001203<br>
upatre_a.exe invoking syscall number 00001203<br>
upatre_a.exe invoking syscall number 00001232<br>
upatre_a.exe invoking syscall number 00001203<br>
upatre_a.exe invoking syscall number 00001203<br>
upatre_a.exe invoking syscall number 00001232<br>
upatre_a.exe invoking syscall number 00001203<br>
<br>
As you can see, the hexadecimal numbers '1212' or '1203' don't match any system call number in Windows 7. I suppose I have to apply a mask to the variable "callno". What is the right mask to get correct system call numbers?<br>
<br>
Thanks,<br>
elmanto<br>
</div>
<br>
<br>
</div>
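<p>Editor's note, added example (not code from the original post, from PANDA or from the syscalls2 plugin): on 32-bit Windows the service number left in EAX at a system call packs a table selector into bits 12 and 13 above a 12-bit index, so a raw value such as 0x1212 is entry 0x212 of table 1 (the win32k shadow table), not an out-of-range nt syscall. The C program below assumes only the log format produced by the post's own fprintf line; it decodes raw values into (table, index), parses the quoted output lines plus one constructed nt-table line, and counts how many calls hit the shadow table.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout of the 32-bit Windows system service number, i.e. the value in EAX
 * when the user-mode stub executes sysenter / int 0x2e:
 *   bits  0..11  index into the service table
 *   bits 12..13  which service descriptor table: 0 = ntoskrnl (KeServiceDescriptorTable),
 *                1 = the win32k "shadow" table (KeServiceDescriptorTableShadow)
 *   bits 14..31  unused
 * Hence callno 0x1212 decodes to table 1, index 0x212.
 */
#define WIN_SYSCALL_INDEX_MASK  0x0FFFu
#define WIN_SYSCALL_TABLE_SHIFT 12
#define WIN_SYSCALL_TABLE_MASK  0x3u

typedef struct {
    uint32_t raw;    /* value as logged by the plugin */
    uint32_t table;  /* 0 = nt, 1 = win32k shadow table */
    uint32_t index;  /* position within that table */
} win_syscall_t;

win_syscall_t decode_win_syscall(uint32_t callno)
{
    win_syscall_t s;
    s.raw   = callno;
    s.table = (callno >> WIN_SYSCALL_TABLE_SHIFT) & WIN_SYSCALL_TABLE_MASK;
    s.index = callno & WIN_SYSCALL_INDEX_MASK;
    return s;
}

const char *win_syscall_table_name(uint32_t table)
{
    switch (table) {
    case 0:  return "nt (KeServiceDescriptorTable)";
    case 1:  return "win32k (shadow SSDT)";
    default: return "unused table id";
    }
}

/* One parsed record of the form "<process> invoking syscall number <8 hex digits>". */
typedef struct {
    char         proc[64];
    unsigned int callno;
} syscall_log_rec_t;

/* Parses a line in the format written by the plugin's fprintf(); returns 1 on success, 0 otherwise. */
int parse_log_line(const char *line, syscall_log_rec_t *rec)
{
    return sscanf(line, "%63s invoking syscall number %x", rec->proc, &rec->callno) == 2;
}

/* Counts how many parsable lines in a batch resolve to the win32k shadow table. */
size_t count_shadow_table_calls(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        syscall_log_rec_t rec;
        if (parse_log_line(lines[i], &rec) && decode_win_syscall(rec.callno).table == 1)
            hits++;
    }
    return hits;
}

/* Constructed sample: the eight lines quoted in the post plus one made-up nt-table call. */
static const char *const SAMPLE_LINES[] = {
    "upatre_a.exe invoking syscall number 00001212",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001232",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001232",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00000042",  /* constructed: table 0, index 0x42 */
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        syscall_log_rec_t rec;
        if (!parse_log_line(SAMPLE_LINES[i], &rec)) {
            fprintf(stderr, "unparsable line: %s\n", SAMPLE_LINES[i]);
            continue;
        }
        win_syscall_t s = decode_win_syscall(rec.callno);
        printf("%s raw=0x%08x table=%u (%s) index=0x%03x\n",
               rec.proc, s.raw, s.table, win_syscall_table_name(s.table), s.index);
    }
    printf("%zu of %zu calls went to the shadow table\n",
           count_shadow_table_calls(SAMPLE_LINES, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```

<p>The practical consequence for the plugin is that masking with 0xFFF alone loses which table the index belongs to, so a tracer should record both fields; the same index means different services in the nt and win32k tables.</p>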
<br>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
</div>
</body>
</html>