[panda-users] syscall number

Brendan Dolan-Gavitt brendandg at nyu.edu
Wed Oct 3 11:57:42 EDT 2018


Hi,

The system call numbers are correct. Windows divides its system call
tables into two parts, one starting at 0 and one starting at 0x1000.
The latter is used for win32k calls (it's actually possible to have up
to four system call tables, which would have ranges starting at 0x2000
and 0x3000, but this isn't used in practice – I think some older
versions of IIS registered their own system calls but I haven't seen
it in a long time).

If you want to match these calls up with their names, you can subtract
off the 0x1000 part and then look it up in the second array here:

https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/windows/win7_sp01_x86_syscalls.py

Finally, if what you want is every system call and its number, you
might want to use the on_all_sys_enter callback instead.
on_unknown_sys_enter will only give you the ones that are not already
recognized by syscalls2.

Best,
Brendan

On Wed, Oct 3, 2018 at 11:11 AM, alessandro mantovani <alk13 at hotmail.it> wrote:
> Hi guys,
>
>
> In my plugin, I need to track the syscalls invoked by a specified process in
> Windows7, x86. I'm building it on top of the "syscalls2" plugin. In
> particular, I registered the callback "on_unknown_sys_enter" in the init
> plugin in this way:
>
>
> bool init_plugin()
> {
>     ...
>     // Register with syscalls2 for the calls it does not already recognize
>     PPP_REG_CB("syscalls2", on_unknown_sys_enter, my_unknown_sys_enter_t);
>     ...
> }
>
>
> and I defined such callback as follows:
>
>
> void my_unknown_sys_enter_t(CPUState *env, target_ulong pc, target_ulong callno)
> {
>     // OSI lookup of the process currently running in the guest
>     OsiProc *proc = get_current_process(env);
>     if (proc == NULL)
>         return;
>     bool found = (strcmp(proc->name, proc_to_track) == 0);
>     if (found) {
>         fprintf(mem_log, "%s invoking syscall number " TARGET_FMT_lx "\n",
>                 proc->name, callno);
>     }
>     // get_current_process() allocates; release it so the callback does not leak
>     free_osiproc(proc);
> }
>
> where "proc_to_track" is the name of the process I want to track. When I run
> it, I'm getting unreal values of "callno". I mean that a Windows syscall
> number is in range [0, 400] (in decimal), but I'm getting larger values.
> Here I report a small portion of output:
>
> upatre_a.exe invoking syscall number 00001212
> upatre_a.exe invoking syscall number 00001203
> upatre_a.exe invoking syscall number 00001203
> upatre_a.exe invoking syscall number 00001232
> upatre_a.exe invoking syscall number 00001203
> upatre_a.exe invoking syscall number 00001203
> upatre_a.exe invoking syscall number 00001232
> upatre_a.exe invoking syscall number 00001203
>
> As you can see, the hexadecimal numbers '1212' or '1203' don't match any
> system call number in Windows 7. I suppose I have to apply a mask to the
> variable "callno". What is the right mask to get correct system call
> numbers?
>
> Thanks,
> elmanto
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
-- 
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
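The decoding Brendan describes, written out as an added example (this is not code from the thread or from PANDA/syscalls2): the raw call number is split into a service-table selector (bits 12-13, so 0x0000, 0x1000, 0x2000, 0x3000 for the four possible tables) and a 12-bit index, which is what "subtract off the 0x1000 part" amounts to for the win32k table. The name tables below are a constructed stand-in shaped like the two arrays in the Volatility win7_sp01_x86_syscalls.py file; only a few entries are filled in, so the poster's observed values resolve to "unknown" here and a real plugin would load the full arrays instead. The function and type names are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows packs the service-table selector into bits 12-13 of the call
 * number and the index within that table into the low 12 bits. Table 0 is
 * the ntoskrnl table, table 1 (0x1000-0x1FFF) is win32k; tables 2 and 3
 * exist in the encoding but are not used in practice. */
#define WIN_SYSCALL_TABLES      4u
#define WIN_SYSCALL_TABLE_SHIFT 12u
#define WIN_SYSCALL_INDEX_MASK  0xFFFu

typedef struct {
    const char *const *names;   /* names[index], NULL when the table is absent */
    size_t count;
} syscall_table_t;

/* Constructed sample tables (illustrative, NOT the full Windows 7 SP1 x86
 * layout): the same shape as the two arrays in the Volatility file, where
 * the first array is table 0 and the second is table 1. */
static const char *const sample_nt_names[] = {
    "NtAcceptConnectPort", "NtAccessCheck", "NtAccessCheckAndAuditAlarm",
};
static const char *const sample_win32k_names[] = {
    "NtGdiAbortDoc", "NtGdiAbortPath", "NtGdiAddFontResourceW",
};
static const syscall_table_t sample_tables[WIN_SYSCALL_TABLES] = {
    { sample_nt_names,     sizeof sample_nt_names / sizeof *sample_nt_names },
    { sample_win32k_names, sizeof sample_win32k_names / sizeof *sample_win32k_names },
    { NULL, 0 },
    { NULL, 0 },
};

/* Split a raw callno into (table, index). Returns false when the table
 * selector is out of range, i.e. the value is not a Windows call number. */
bool win_syscall_decode(uint32_t callno, unsigned *table, unsigned *index)
{
    unsigned t = callno >> WIN_SYSCALL_TABLE_SHIFT;
    if (t >= WIN_SYSCALL_TABLES)
        return false;
    *table = t;
    *index = callno & WIN_SYSCALL_INDEX_MASK;
    return true;
}

/* Resolve a callno to a name, or NULL if the table is absent or the index
 * falls outside the loaded table. */
const char *win_syscall_name(uint32_t callno, const syscall_table_t *tables)
{
    unsigned table, index;
    if (!win_syscall_decode(callno, &table, &index))
        return NULL;
    if (tables[table].names == NULL || index >= tables[table].count)
        return NULL;
    return tables[table].names[index];
}

/* Render one log line in the poster's format, with the decoded table, index
 * and name (or "unknown") appended. Returns the length snprintf produced. */
int format_syscall_line(char *buf, size_t n, const char *proc, uint32_t callno,
                        const syscall_table_t *tables)
{
    unsigned table, index;
    if (!win_syscall_decode(callno, &table, &index))
        return snprintf(buf, n, "%s invoking syscall number %08x (not a Windows call number)\n",
                        proc, callno);
    const char *name = win_syscall_name(callno, tables);
    return snprintf(buf, n, "%s invoking syscall number %08x (table %u, index 0x%03x, %s)\n",
                    proc, callno, table, index, name ? name : "unknown");
}

int main(void)
{
    /* The values from the poster's log, plus two that hit the sample tables. */
    const uint32_t observed[] = { 0x1212, 0x1203, 0x1232, 0x1001, 0x0002 };
    char line[160];
    for (size_t k = 0; k < sizeof observed / sizeof *observed; k++) {
        format_syscall_line(line, sizeof line, "upatre_a.exe", observed[k], sample_tables);
        fputs(line, stdout);
    }
    return 0;
}
```

Inside a syscalls2 callback the same two helpers would be called on `callno` before logging; note that with on_unknown_sys_enter only the calls syscalls2 does not already know about arrive here, so for a complete per-process trace the lookup belongs in an on_all_sys_enter callback, as Brendan suggests.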
