[panda-users] Extend plugin syscalls2

Leek, Timothy - 0559 - MITLL tleek at ll.mit.edu
Fri Sep 29 09:48:03 EDT 2017


Hello.  I think this is perhaps slightly simpler than you are thinking…  

The Zw* routines are the names for the publicly accessible versions of the system calls in windows.  That is, ZwReadFile is a function you can call from C or C++ with named, typed arguments

NTSTATUS ZwReadFile( HANDLE FileHandle, HANDLE Event, …)

This isn’t a system call but it calls the actual system call NtReadFile. That is, NtReadFile is a system call that is invoked with the ASM instruction ‘sysenter’ when EAX=178.  There is no way to invoke ZwReadFile via syscall with EAX set to some different number.  It’s not a system call.

However, if you write a PANDA plugin that sits on NtReadFile, I believe you will intercept all calls to ZwReadFile.  It’s true that you may get some other stuff, i.e., when something directly invokes NtReadFile without using the ZwReadFile interface. 

Syscalls2 can’t really be used to intercept calls to ZwReadFile itself since it’s a kernel function and not actually a system call. I’m not sure exactly why you’d want to sit on ZwReadFile specifically.  To do that you’d have to know ZwReadFile’s address and know when someone had called it.  

At least … this is my understanding!

Cheers.

Tim



-- 
Tim Leek
Technical Staff
Cyber System Assessments
MIT Lincoln Laboratory
781-981-2975




On 9/29/17, 8:59 AM, "aicardi at eurecom.fr" <aicardi at eurecom.fr> wrote:

    Hello everyone!
    
    I am working on Windows 7 32-bit replays and I would like to monitor all the Zw* system calls. I saw that with the syscalls2 plugin it's possible to hook all the Nt* system calls and I would like to do the same with the Zw* ones.
    
    If I got it correctly, in gen_syscall_switch_enter_windows7_x86.cpp there is a huge switch case that determines which system call has been called based on the value of EAX (which contains the system call number (?)).
    
    Is it possible to do the same thing for the Zw* system calls?
    
    Thank you in advance,
    samaicardi
    
    
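Added example, not code from this thread or from PANDA: a small C model of the dispatch Tim describes, assuming (as the exchange implies) that syscalls2 keys its enter hooks on the EAX number and that Windows x86 arguments are read from the user stack at [EDX+8]. The value 178 is taken from the thread; the mock CPU, the hook table, the stack contents and all function names are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not syscalls2 code) of a Windows 7 x86 guest at sysenter: EAX = syscall
 * number, EDX = user stack pointer, args assumed at [EDX+8]; 178 is the number quoted above. */
#define NT_READ_FILE       178
#define NT_READ_FILE_NARGS 9      /* FileHandle .. Key */
#define MAX_SYSCALLS       512

typedef struct { uint32_t eax, edx; uint8_t mem[4096]; } cpu_t;
typedef void (*enter_cb_t)(const uint32_t *args);
static enter_cb_t enter_hooks[MAX_SYSCALLS];   /* model of PPP_REG_CB slots */

/* Hooks are keyed by syscall number; a Zw* name has no number, so it has no slot. */
int register_enter_hook(uint32_t num, enter_cb_t cb) {
    if (num >= MAX_SYSCALLS) return -1;
    enter_hooks[num] = cb;
    return 0;
}

/* Model of the generated switch on EAX; returns 1 if a hook ran, 0 if the number is unhooked. */
int on_sysenter(cpu_t *cpu) {
    uint32_t num = cpu->eax, args[NT_READ_FILE_NARGS];
    if (num >= MAX_SYSCALLS || enter_hooks[num] == NULL) return 0;
    for (int i = 0; i < NT_READ_FILE_NARGS; i++)     /* pull the arguments off the user stack */
        memcpy(&args[i], cpu->mem + cpu->edx + 8 + 4 * i, 4);
    enter_hooks[num](args);
    return 1;
}

/* What the ZwReadFile export amounts to: load the number and trap. */
int zw_read_file(cpu_t *cpu, uint32_t user_sp) {
    cpu->eax = NT_READ_FILE;
    cpu->edx = user_sp;
    return on_sysenter(cpu);
}

static uint32_t seen_handle, seen_length, hits;
static void nt_read_file_enter(const uint32_t *a) { seen_handle = a[0]; seen_length = a[6]; hits++; }

/* Constructed user stack (FileHandle=0x44, Length=256): the direct path and the Zw path both
 * land on the one NtReadFile hook; an unhooked number fires nothing. Returns the hit count. */
uint32_t demo(void) {
    static cpu_t cpu;
    uint32_t sp = 0x100, v[NT_READ_FILE_NARGS] = {0x44, 0, 0, 0, 0x200, 0x300, 256, 0, 0};
    memset(&cpu, 0, sizeof cpu);
    for (int i = 0; i < NT_READ_FILE_NARGS; i++) memcpy(cpu.mem + sp + 8 + 4 * i, &v[i], 4);
    register_enter_hook(NT_READ_FILE, nt_read_file_enter);
    cpu.eax = NT_READ_FILE; cpu.edx = sp;
    on_sysenter(&cpu);                         /* direct system call */
    zw_read_file(&cpu, sp);                    /* via the wrapper: same hook */
    cpu.eax = NT_READ_FILE + 1;                /* nothing registered here */
    return on_sysenter(&cpu) ? 0 : hits;
}
```

The point the model makes is the one in Tim's reply: a hook keyed on NtReadFile's number sees both the direct sysenter and the call that went through ZwReadFile, and there is no separate number on which a "ZwReadFile" hook could be keyed.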