How do you find out what number each sys call is? Like on SP3 ZwCreateFile is

ZwCreateFile:
    mov eax, 0x25           ; service number (index into nt!KiServiceTable) on this build
    mov edx, 0x7ffe0300     ; KUSER_SHARED_DATA.SystemCall: pointer to the dispatch routine
    call [edx]              ; KiFastSystemCall (sysenter) or KiIntSystemCall (int 2Eh)
    retn 0x2c               ; stdcall: pop the 11 dword arguments

How do you find out that ZwCreateFile is 0x25?

A: 

Have your compiler generate a map file. The map file contains function names and their locations (offsets, addresses or both). Search the map file for an address and you should come up with a name for that address.

In your example, ZwCreateFile is not 0x25. The processor dereferences the {pointer} value in edx and uses that value as the address for ZwCreateFile. The address of ZwCreateFile cannot be obtained from the assembly language you posted. The address of ZwCreateFile is stored in location 0x7ffe0300, which must have been initialized before this assembly language fragment.

Again, consult your map file.

Thomas Matthews
I am not talking about the address. I am talking about ZwCreateFile's syscall id which is 0x25 on my version of windows.
+3  A: 

Windows System Call Table (NT/2000/XP/2003/Vista) says that NtCreateFile (the same function as ZwCreateFile, see MSDN and many others) is

      Windows NT          Windows 2000         Windows XP     W2K3    Vista
SP3  SP4  SP5  SP6  SP0  SP1  SP2  SP3  SP4  SP0  SP1  SP2  SP0  SP1  SP0
0x17 0x17 0x17 0x17 0x20 0x20 0x20 0x20 0x20 0x25 0x25 0x25 0x27 0x27 0x3b 

You can easily discover these for yourself by dumping the syscall table nt!KiServiceTable using kd or WinDbg.

Information from the Sysinternals forums.

ephemient
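The answer above dumps the table from the kernel side with kd/WinDbg; the same numbers can be read from the user-mode side by decoding the `mov eax, imm32` at the start of each Nt*/Zw* export in ntdll, which is exactly the stub the question shows. The following is an added example (not code from the question, the answers, or the cited syscall table) that does that decoding. It runs on a constructed stand-in for ntdll's code bytes and export table; only ZwCreateFile = 0x25 is taken from the question, and the other names and numbers are made up for the demonstration. It goes a little beyond the question's XP-style stub and also recognises the NT4/2000 `int 2Eh` form and the x64 `mov r10, rcx / mov eax, imm32 / syscall` form, and it refuses exports that merely begin with `mov eax` but are not stubs.

```python
import struct

# x86/x64 opcode patterns the decoder relies on (well-known encodings, matching
# the stub in the question and the NT4/2000 and x64 stub shapes):
MOV_EAX_IMM32 = b"\xb8"                           # mov eax, imm32
MOV_EDX_SHARED_SYSCALL = b"\xba\x00\x03\xfe\x7f"  # mov edx, 0x7ffe0300 (KUSER_SHARED_DATA.SystemCall)
INT_2E = b"\xcd\x2e"                              # int 2Eh (NT4/2000 dispatch)
MOV_R10_RCX = b"\x4c\x8b\xd1"                     # mov r10, rcx (x64 stub prologue)
SYSCALL = b"\x0f\x05"                             # syscall (x64)


def syscall_number(code, offset):
    """Decode the service number from the stub at `offset` in `code`.

    Returns (number, dispatch style) or None when the bytes are not a syscall
    stub (e.g. an ordinary exported function), so callers can skip non-stubs.
    """
    x64 = code[offset:offset + 3] == MOV_R10_RCX
    imm_at = offset + 3 if x64 else offset
    if code[imm_at:imm_at + 1] != MOV_EAX_IMM32 or len(code) < imm_at + 5:
        return None
    number = struct.unpack_from("<I", code, imm_at + 1)[0]
    tail = code[imm_at + 5:imm_at + 5 + 24]
    if x64:
        # Newer x64 builds test a KUSER_SHARED_DATA flag before `syscall`, so
        # look for it in a short window rather than requiring it immediately.
        return (number, "x64 syscall") if SYSCALL in tail else None
    if tail.startswith(MOV_EDX_SHARED_SYSCALL):
        return number, "x86 call [0x7ffe0300]"
    if INT_2E in tail[:8]:
        return number, "x86 int 2Eh"
    return None


def dump_syscall_table(code, exports):
    """Map every Nt*/Zw* export that really is a stub to its service number."""
    table = {}
    for name, offset in exports.items():
        if not name.startswith(("Nt", "Zw")):
            continue
        hit = syscall_number(code, offset)
        if hit is not None:
            table[name] = hit[0]
    return table


def build_sample_image():
    """Constructed stand-in for ntdll's .text bytes plus its export table.

    Only ZwCreateFile = 0x25 comes from the question; every other name and
    number here is invented for the demonstration and is not a real value.
    """
    blobs, exports = [], {}

    def add(names, stub):
        here = sum(len(b) for b in blobs)
        for n in names:                  # Nt* and Zw* exports share one stub in ntdll
            exports[n] = here
        blobs.append(stub)

    add(("NtCreateFile", "ZwCreateFile"),
        MOV_EAX_IMM32 + struct.pack("<I", 0x25) + MOV_EDX_SHARED_SYSCALL
        + b"\xff\x12" + b"\xc2\x2c\x00")                                # call [edx]; retn 0x2c
    add(("ZwExampleLegacy",),
        MOV_EAX_IMM32 + struct.pack("<I", 0x20) + b"\x8d\x54\x24\x04"  # lea edx, [esp+4]
        + INT_2E + b"\xc2\x08\x00")                                     # int 2Eh; retn 8
    add(("ZwExampleX64",),
        MOV_R10_RCX + MOV_EAX_IMM32 + struct.pack("<I", 0x1234) + SYSCALL + b"\xc3")
    add(("RtlNotAStub",), b"\x55\x8b\xec\x5d\xc3")                      # push ebp; mov ebp,esp; pop ebp; ret
    add(("ZwLooksLikeStubButIsnt",),
        MOV_EAX_IMM32 + struct.pack("<I", 7) + b"\xc3")                 # mov eax, 7; ret (no dispatch)
    return b"".join(blobs), exports


if __name__ == "__main__":
    code, exports = build_sample_image()
    for name, number in sorted(dump_syscall_table(code, exports).items()):
        print(f"{name:24s} 0x{number:x}")
```

To use this against a real ntdll.dll, pass the bytes of its .text section as `code` and a dict of export name to offset within that section as `exports` (a PE parser such as pefile gives you both; that mapping is left out here). The numbers you get are only valid for that exact build and service pack, as the table in the answer shows, so treat the output as a lookup for one image rather than as constants to hardcode.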