Dump the syscall numbers assigned to the NtXxx() routines exported by the NTDLL.DLL library.
- prebuilt binary v.1.1.20201019 (x86-64, Windows 7/8/10) (md5 32a1ab93ab98eb801ad189a2c88dc07f)
- source code:
git clone https://github.com/dzik143/syscall-dump
- Loads the NTDLL.DLL library,
- finds its export table,
- processes each exported function one by one and searches for the code pattern below at its entry point:
functionEntryPoint:
4c 8b d1 | mov r10, rcx
b8 xx xx xx xx | mov eax, <syscall id>
f6 04 25 yy yy yy yy zz | test byte [yy yy yy yy], zz
75 03 | jnz +3
0f 05 | syscall
c3 | ret
- if the pattern matches, reads the xx xx xx xx DWORD (4 bytes): it is the SYSCALL ID used by your OS version.
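The matching step, as an added example that is not the project's own code: it checks a function's entry bytes against the stub pattern above (wildcards for the syscall id and the test operand) and extracts the id, returning None for any stub whose first bytes differ from the pattern, which is also a cheap integrity check for stubs that have been patched in memory. The export names, ids and test-byte address below are constructed sample values, not real ones.

```python
import struct
from typing import Dict, Optional

# Stub pattern from the description above; None marks a wildcard byte.
STUB_PATTERN = [
    0x4C, 0x8B, 0xD1,                                 # mov r10, rcx
    0xB8, None, None, None, None,                     # mov eax, <syscall id>
    0xF6, 0x04, 0x25, None, None, None, None, None,   # test byte [yy yy yy yy], zz
    0x75, 0x03,                                       # jnz +3
    0x0F, 0x05,                                       # syscall
    0xC3,                                             # ret
]
SYSCALL_ID_OFFSET = 4  # position of the xx xx xx xx DWORD inside the stub


def match_syscall_stub(code: bytes) -> Optional[int]:
    """Return the syscall id if `code` starts with the stub pattern, else None."""
    if len(code) < len(STUB_PATTERN):
        return None
    for expected, actual in zip(STUB_PATTERN, code):
        if expected is not None and expected != actual:
            return None
    # The id is a little-endian DWORD immediately after the 0xB8 opcode.
    return struct.unpack_from("<I", code, SYSCALL_ID_OFFSET)[0]


def dump_syscall_ids(exports: Dict[str, bytes]) -> Dict[str, Optional[int]]:
    """Map each export name to its syscall id, or None when it is not a plain stub."""
    return {name: match_syscall_stub(code) for name, code in exports.items()}


def build_stub(syscall_id: int) -> bytes:
    """Constructed sample stub; the test-byte address/immediate are placeholders."""
    return (b"\x4c\x8b\xd1"
            + b"\xb8" + struct.pack("<I", syscall_id)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"
            + b"\x75\x03" + b"\x0f\x05" + b"\xc3")


# Constructed export table: two clean stubs and one whose entry was overwritten
# with a jmp (0xE9), which therefore does not match the pattern.
SAMPLE_EXPORTS = {
    "NtExampleOne": build_stub(0x1234),
    "NtExampleTwo": build_stub(0x0042),
    "NtExamplePatched": b"\xe9" + b"\x00" * 20,
}

if __name__ == "__main__":
    for name, sid in dump_syscall_ids(SAMPLE_EXPORTS).items():
        print(f"{name}: {sid if sid is None else hex(sid)}")
```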
- Basic system routines are implemented in KERNEL CODE (non-user mode, ring 0),
- USER CODE (ring 3) calls them using the SYSCALL (64-bit OS) or INT xx (older 32-bit OS) opcodes,
- because of this, many low-level functions in user mode are DUMB WRAPPERS around the syscall opcode, with the function ID passed in the RAX register.
- To call a system routine via syscall on 64-bit Windows (x86-64, AMD64) you can use the code below:
mov r10, <first param> ; r10 = 1st param; rcx cannot be used because the syscall instruction overwrites it
... ;
mov eax, <syscall id> ; eax = id of the routine to be executed
syscall ; call kernel routine
- for a full example see the syscall-example.asm file.
- Should you hard-code syscall ids in your own code? Generally NO, because syscall ids VARY from one OS version to another,
- the official API provided by Microsoft is WINAPI, delivered via FUNCTION NAMES exported by the system DLLs,
- syscall numbers are used INTERNALLY; they are NOT an official API delivered by the system vendor.