[panda-users] Extend plugin syscalls2

Brendan Dolan-Gavitt brendandg at nyu.edu
Fri Sep 29 10:09:43 EDT 2017 

Yep, this is correct. Nt* and Zw* ones are equivalent. See

https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-nt-and-zw-versions-of-the-native-system-services-routines

for more details.

-Brendan

On Fri, Sep 29, 2017 at 9:48 AM, Leek, Timothy - 0559 - MITLL
<tleek at ll.mit.edu> wrote:
> Hello.  I think this is perhaps slightly simpler than you are thinking…
>
> The Zw* routines are the names for the publicly accessible versions of the system calls in windows.  That is, ZwReadFile is a function you can call from C or C++ with named, typed arguments
>
> NTSTATUS ZwReadFile( HANDLE FileHandle, HANDLE Event, …)
>
> This isn’t a system call but it calls the actual system call NtReadFile. That is, NtReadFile is a system call that is invoked with ASM instruction ‘sysenter’ when EAX=178.  There is no way to invoke ZwReadFile via syscall with EAX set to some different number.  Its not a system call.
>
> However, if you write a PANDA plugin that sits on NtReadFile, I believe you will intercept all calls to ZwReadFile.  It’s true that you may get some other stuff, i.e., when something directly invokes NtReadFile without using the ZwReadFile interface.
>
> Syscalls2 can’t really be used to intercept calls to ZwReadFile itself since it’s a kernel function and not actually a system call. I’m not sure exactly why you’d want to sit on ZwReadFile specifically.  To do that you’d have to know ZwReadFile’s address and know when someone had called it.
>
> At least … this is my understanding!
>
> Cheers.
>
> Tim
>
>
>
> --
> Tim Leek
> Technical Staff
> Cyber System Assessments
> MIT Lincoln Laboratory
> 781-981-2975
>
>
>
>
> On 9/29/17, 8:59 AM, "panda-users-bounces at mit.edu on behalf of aicardi at eurecom.fr" <panda-users-bounces at mit.edu on behalf of aicardi at eurecom.fr> wrote:
>
>     Hello everyone!
>
>     I am working on Windows7 32bit replays and I would like to monitor all
>     the Zw* system calls. I saw that with the syscalls2 plugin it's
>     possible to hook all the Nt* system calls and I would like to do the
>     same with the Zw* ones.
>     If I got it correctly, in gen_syscall_switch_enter_windows7_x86.cpp
>     there is a huge switch case that determines which system call has been
>     called based on the value of EAX (which contains the system call
>     number (?)).
>     Is it possible to do the same thing for the Zw* system calls?
>
>     Thank you in advance,
>     samaicardi
>
>     -------------------------------------------------------------------------------
>     This message was sent using EURECOM Webmail: http://webmail.eurecom.fr
>
>     _______________________________________________
>     panda-users mailing list
>     panda-users at mit.edu
>     http://mailman.mit.edu/mailman/listinfo/panda-users
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>



-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering

More information about the panda-users mailing list