[panda-users] syscall number
alessandro mantovani
alk13 at hotmail.it
Wed Oct 3 11:11:53 EDT 2018
Hi guys,
In my plugin, I need to track the syscalls invoked by a specified process on Windows 7, x86. I'm building it on top of the "syscalls2" plugin. In particular, I registered the callback "on_unknown_sys_enter" in init_plugin in this way:
/* Plugin entry point; PANDA passes the plugin handle as "self" */
bool init_plugin(void *self)
{
    ...
    /* register for the syscalls2 callback fired on entry to any syscall without a prototype */
    PPP_REG_CB("syscalls2", on_unknown_sys_enter, my_unknown_sys_enter_t);
    ...
}
and I defined that callback as follows:
#include <stdio.h>            /* fprintf */
#include <string.h>           /* strcmp */
#include "osi/osi_types.h"    /* OsiProc */
#include "osi/osi_ext.h"      /* get_current_process, free_osiproc */

/* Called by syscalls2 on entry to any syscall it has no prototype for */
void my_unknown_sys_enter_t(CPUState *env, target_ulong pc, target_ulong callno)
{
    OsiProc *proc = get_current_process(env);
    if (proc == NULL)
        return;
    /* proc_to_track and mem_log are globals set up elsewhere in the plugin */
    bool found = (strcmp(proc->name, proc_to_track) == 0);
    if (found) {
        fprintf(mem_log, "%s invoking syscall number " TARGET_FMT_lx "\n", proc->name, callno);
    }
    free_osiproc(proc);  /* the OSI process record is heap-allocated */
}
where "proc_to_track" is the name of the process I want to track. When I run it, I'm getting unreal values of "callno". I mean that a Windows syscall number is in the range [0, 400] (in decimal), but I'm getting larger values. Here I report a small portion of the output:
upatre_a.exe invoking syscall number 00001212
upatre_a.exe invoking syscall number 00001203
upatre_a.exe invoking syscall number 00001203
upatre_a.exe invoking syscall number 00001232
upatre_a.exe invoking syscall number 00001203
upatre_a.exe invoking syscall number 00001203
upatre_a.exe invoking syscall number 00001232
upatre_a.exe invoking syscall number 00001203
As you can see, the hexadecimal numbers '1212' or '1203' don't match any system call number in Windows 7. I suppose I have to apply a mask to the variable "callno". What is the right mask to get correct system call numbers?
Thanks,
elmanto
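As an added example (not part of the post above, and not PANDA or syscalls2 code): on x86 Windows the value loaded into EAX before the sysenter/int 0x2e is not a bare table index. Bits 0-11 are the index and bits 12-13 select the service table: table 0 is the ntoskrnl SSDT (Nt* calls) and table 1 is the win32k.sys shadow SSDT used by GUI calls (NtUser*/NtGdi*). The program below decodes the numbers from the log format used in the post and counts how many of the logged calls went to win32k. The eight log lines are taken from the post; the ninth line is constructed to show an ntoskrnl call. The function and macro names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit layout of the x86 Windows system-service number in EAX:
 * bits 0-11 = index into a service table, bits 12-13 = which table.
 * Table 0: ntoskrnl SSDT. Table 1: win32k.sys shadow SSDT (GUI calls).
 * Names below are my own, not Windows or PANDA identifiers. */
#define SSN_INDEX_MASK   0xFFFu
#define SSN_TABLE_SHIFT  12
#define SSN_TABLE_MASK   0x3u

enum ssn_table { SSN_TABLE_NTOSKRNL = 0, SSN_TABLE_WIN32K = 1 };

typedef struct {
    uint32_t raw;    /* value as logged */
    unsigned table;  /* 0 = ntoskrnl, 1 = win32k shadow table */
    unsigned index;  /* index within that table */
} ssn_parts;

/* Split a raw service number into table selector and table index */
ssn_parts decode_ssn(uint32_t callno)
{
    ssn_parts p;
    p.raw = callno;
    p.table = (callno >> SSN_TABLE_SHIFT) & SSN_TABLE_MASK;
    p.index = callno & SSN_INDEX_MASK;
    return p;
}

const char *ssn_table_name(unsigned table)
{
    switch (table) {
    case SSN_TABLE_NTOSKRNL: return "ntoskrnl (SSDT)";
    case SSN_TABLE_WIN32K:   return "win32k (shadow SSDT)";
    default:                 return "unknown table";
    }
}

/* Extract the hex syscall number from a line in the plugin's log format
 * ("<process> invoking syscall number <hex>"). Returns -1 on a non-matching line. */
long parse_log_callno(const char *line)
{
    char proc[64];
    unsigned callno;
    if (sscanf(line, "%63s invoking syscall number %x", proc, &callno) != 2)
        return -1;
    return (long)callno;
}

/* Count the log lines whose call was dispatched to the win32k shadow table */
size_t count_win32k_calls(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        long c = parse_log_callno(lines[i]);
        if (c >= 0 && decode_ssn((uint32_t)c).table == SSN_TABLE_WIN32K)
            hits++;
    }
    return hits;
}

/* Eight lines from the post plus one constructed ntoskrnl call (0x42) */
static const char *const SAMPLE_LOG[] = {
    "upatre_a.exe invoking syscall number 00001212",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001232",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00001232",
    "upatre_a.exe invoking syscall number 00001203",
    "upatre_a.exe invoking syscall number 00000042",  /* constructed */
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        long c = parse_log_callno(SAMPLE_LOG[i]);
        if (c < 0) continue;
        ssn_parts p = decode_ssn((uint32_t)c);
        printf("raw 0x%04x -> table %u [%s], index 0x%03x\n",
               p.raw, p.table, ssn_table_name(p.table), p.index);
    }
    printf("win32k calls: %zu of %zu\n",
           count_win32k_calls(SAMPLE_LOG, SAMPLE_LOG_LEN), (size_t)SAMPLE_LOG_LEN);
    return 0;
}
```

The takeaway for a tracing plugin is that masking with 0xFFF alone discards which table the call went to, so a logger should record both fields; 0x203 in the shadow table and 0x203 in the ntoskrnl table are unrelated services.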