Improve syscall search #11058

Merged (1 commit, Aug 13, 2018)

Conversation

sivaramaaa
Contributor

0x01057924      b806000002     mov eax, 0x2000006
0x01057929      0f05           syscall

After @radare's PR, there were a bunch of syscalls missing due to the rax/eax mismatch issue in 64-bit binaries; this PR tries to fix that issue!

@sivaramaaa
Contributor Author

sivaramaaa commented Aug 12, 2018

@jacobrosenthal hi, after this PR I am able to retrieve a few more syscalls, I guess (from the Go bin you provided):

[0x01057890]> /as
0x010578a9 exit
0x010578da bsdthread_terminate
0x01057912 open
0x01057929 close
0x01057952 read
0x01057973 write
0x010579b3 getpid
0x010579c6 kill
0x010579f3 setitimer
0x01057a13 madvise
0x01057bf1 gettimeofday
0x01057c33 __pthread_sigmask
0x01057c6d sigaction
0x01057ceb sigreturn
0x01057d12 mmap
0x01057d4f munmap
0x01057d71 sigaltstack
0x01057dd3 select
0x01057e0b bsdthread_create
0x01057ea1 bsdthread_register
0x01057fb2 sysctl
0x01057fea kqueue
0x01058021 kevent
0x01058047 fcntl

but it may still be missing some, idk. Can you check this and tell me what else is missing? It would be very helpful to me!

@jacobrosenthal
Contributor

Yeah, I think you've got them all!

For posterity, there are a few more that I find odd. There are 3 helper functions that build a syscall; not sure that's in the scope of this command though. It looks like:

[0x01077be4]> pdf
/ (fcn) sym.syscall.Syscall 110
|   sym.syscall.Syscall (int arg_8h, int arg_10h, int arg_18h, int arg_20h, int arg_28h, int arg_30h, int arg_38h);
|           ; arg int arg_8h @ rsp+0x8
|           ; arg int arg_10h @ rsp+0x10
|           ; arg int arg_18h @ rsp+0x18
|           ; arg int arg_20h @ rsp+0x20
|           ; arg int arg_28h @ rsp+0x28
|           ; arg int arg_30h @ rsp+0x30
|           ; arg int arg_38h @ rsp+0x38
|           ; XREFS(35)
|           0x01077bb0      e86bbefbff     call sym.runtime.entersyscall ; rsp=0x177ff8 ; rip=0x1033a20 -> 0x18ec8348
|           0x01077bb5      488b7c2410     mov rdi, qword [arg_10h]    ; [0x10:8]=-1 ; 16 ; rdi=0x0
|           0x01077bba      488b742418     mov rsi, qword [arg_18h]    ; [0x18:8]=-1 ; 24 ; rsi=0x0
|           0x01077bbf      488b542420     mov rdx, qword [arg_20h]    ; [0x20:8]=-1 ; 32 ; rdx=0x0
|           0x01077bc4      49c7c2000000.  mov r10, 0                  ; r10=0x0
|           0x01077bcb      49c7c0000000.  mov r8, 0                   ; r8=0x0
|           0x01077bd2      49c7c1000000.  mov r9, 0                   ; r9=0x0
|           0x01077bd9      488b442408     mov rax, qword [arg_8h]     ; [0x8:8]=-1 ; 8 ; rax=0x0
|           0x01077bde      480500000002   add rax, 0x2000000          ; rax=0x2000000 ; of=0x0 ; sf=0x0 ; zf=0x0 ; cf=0x0 ; pf=0x1
|           ;-- hit0_36.syscall:
|           0x01077be4      0f05           syscall                     ; 33554432 = unknown ()
|       ,=< 0x01077be6      731d           jae 0x1077c05               ; rip=0x1077c05 -> 0x24448948 ; likely
|       |   0x01077be8      48c7442428ff.  mov qword [arg_28h], 0xffffffffffffffff
|       |   0x01077bf1      48c744243000.  mov qword [arg_30h], 0
|       |   0x01077bfa      4889442438     mov qword [arg_38h], rax
|       |   0x01077bff      e8ccc1fbff     call sym.runtime.exitsyscall ; rsp=0x177ff0 ; rip=0x1033dd0 -> 0x28ec8348
|       |   0x01077c04      c3             ret                         ; rip=0x0 ; rsp=0x177ff8
|       `-> 0x01077c05      4889442428     mov qword [arg_28h], rax
|           0x01077c0a      4889542430     mov qword [arg_30h], rdx
|           0x01077c0f      48c744243800.  mov qword [arg_38h], 0
|           0x01077c18      e8b3c1fbff     call sym.runtime.exitsyscall ; rsp=0x177ff0 ; rip=0x1033dd0 -> 0x28ec8348
\           0x01077c1d      c3             ret                         ; rip=0x0 ; rsp=0x177ff8

/ (fcn) sym.syscall.Syscall6 104
|   sym.syscall.Syscall6 (int arg_8h, int arg_10h, int arg_18h, int arg_20h, int arg_28h, int arg_30h, int arg_38h, int arg_40h, int arg_48h, int arg_50h);
|           ; arg int arg_8h @ rsp+0x8
|           ; arg int arg_10h @ rsp+0x10
|           ; arg int arg_18h @ rsp+0x18
|           ; arg int arg_20h @ rsp+0x20
|           ; arg int arg_28h @ rsp+0x28
|           ; arg int arg_30h @ rsp+0x30
|           ; arg int arg_38h @ rsp+0x38
|           ; arg int arg_40h @ rsp+0x40
|           ; arg int arg_48h @ rsp+0x48
|           ; arg int arg_50h @ rsp+0x50
|           ; XREFS: CALL 0x01072b14  CALL 0x010730f4  CALL 0x01074369  CALL 0x010748e4  CALL 0x01074a07  CALL 0x01074e71  
|           ; XREFS: CALL 0x01074fe0  CALL 0x0107538b  CALL 0x01076202  CALL 0x010768d5  CALL 0x01076a25  CALL 0x010777e1  
|           ; XREFS: CALL 0x0128a03b  
|           0x01077c20      e8fbbdfbff     call sym.runtime.entersyscall ; rsp=0x177ff8 ; rip=0x1033a20 -> 0x18ec8348
|           0x01077c25      488b7c2410     mov rdi, qword [arg_10h]    ; [0x10:8]=-1 ; 16 ; rdi=0x0
|           0x01077c2a      488b742418     mov rsi, qword [arg_18h]    ; [0x18:8]=-1 ; 24 ; rsi=0x0
|           0x01077c2f      488b542420     mov rdx, qword [arg_20h]    ; [0x20:8]=-1 ; 32 ; rdx=0x0
|           0x01077c34      4c8b542428     mov r10, qword [arg_28h]    ; [0x28:8]=-1 ; '(' ; 40 ; r10=0x0
|           0x01077c39      4c8b442430     mov r8, qword [arg_30h]     ; [0x30:8]=-1 ; '0' ; 48 ; r8=0x0
|           0x01077c3e      4c8b4c2438     mov r9, qword [arg_38h]     ; [0x38:8]=-1 ; '8' ; 56 ; r9=0x0
|           0x01077c43      488b442408     mov rax, qword [arg_8h]     ; [0x8:8]=-1 ; 8 ; rax=0x0
|           0x01077c48      480500000002   add rax, 0x2000000          ; rax=0x2000000 ; of=0x0 ; sf=0x0 ; zf=0x0 ; cf=0x0 ; pf=0x1
|           ;-- hit0_37.syscall:
|           0x01077c4e      0f05           syscall                     ; 33554432 = unknown ()
|       ,=< 0x01077c50      731d           jae 0x1077c6f               ; rip=0x1077c6f -> 0x24448948 ; likely
|       |   0x01077c52      48c7442440ff.  mov qword [arg_40h], 0xffffffffffffffff
|       |   0x01077c5b      48c744244800.  mov qword [arg_48h], 0
|       |   0x01077c64      4889442450     mov qword [arg_50h], rax
|       |   0x01077c69      e862c1fbff     call sym.runtime.exitsyscall ; rsp=0x177ff0 ; rip=0x1033dd0 -> 0x28ec8348
|       |   0x01077c6e      c3             ret                         ; rip=0x0 ; rsp=0x177ff8
|       `-> 0x01077c6f      4889442440     mov qword [arg_40h], rax
|           0x01077c74      4889542448     mov qword [arg_48h], rdx
|           0x01077c79      48c744245000.  mov qword [arg_50h], 0
|           0x01077c82      e849c1fbff     call sym.runtime.exitsyscall ; rsp=0x177ff0 ; rip=0x1033dd0 -> 0x28ec8348
\           0x01077c87      c3             ret                         ; rip=0x0 ; rsp=0x177ff8
[0x01077c4e]> 
[0x01077cbf]> pdf
/ (fcn) sym.syscall.RawSyscall 95
|   sym.syscall.RawSyscall (int arg_8h, int arg_10h, int arg_18h, int arg_20h, int arg_28h, int arg_30h, int arg_38h);
|           ; arg int arg_8h @ rsp+0x8
|           ; arg int arg_10h @ rsp+0x10
|           ; arg int arg_18h @ rsp+0x18
|           ; arg int arg_20h @ rsp+0x20
|           ; arg int arg_28h @ rsp+0x28
|           ; arg int arg_30h @ rsp+0x30
|           ; arg int arg_38h @ rsp+0x38
|           ; XREFS(29)
|           0x01077c90      488b7c2410     mov rdi, qword [arg_10h]    ; [0x10:8]=-1 ; 16 ; rdi=0x0
|           0x01077c95      488b742418     mov rsi, qword [arg_18h]    ; [0x18:8]=-1 ; 24 ; rsi=0x0
|           0x01077c9a      488b542420     mov rdx, qword [arg_20h]    ; [0x20:8]=-1 ; 32 ; rdx=0x0
|           0x01077c9f      49c7c2000000.  mov r10, 0                  ; r10=0x0
|           0x01077ca6      49c7c0000000.  mov r8, 0                   ; r8=0x0
|           0x01077cad      49c7c1000000.  mov r9, 0                   ; r9=0x0
|           0x01077cb4      488b442408     mov rax, qword [arg_8h]     ; [0x8:8]=-1 ; 8 ; rax=0x0
|           0x01077cb9      480500000002   add rax, 0x2000000          ; rax=0x2000000 ; of=0x0 ; sf=0x0 ; zf=0x0 ; cf=0x0 ; pf=0x1
|           ;-- hit0_38.syscall:
|           0x01077cbf      0f05           syscall                     ; 33554432 = unknown ()
|       ,=< 0x01077cc1      7318           jae 0x1077cdb               ; rip=0x1077cdb -> 0x24448948 ; likely
|       |   0x01077cc3      48c7442428ff.  mov qword [arg_28h], 0xffffffffffffffff
|       |   0x01077ccc      48c744243000.  mov qword [arg_30h], 0
|       |   0x01077cd5      4889442438     mov qword [arg_38h], rax
|       |   0x01077cda      c3             ret                         ; rip=0x0 ; rsp=0x178008
|       `-> 0x01077cdb      4889442428     mov qword [arg_28h], rax
|           0x01077ce0      4889542430     mov qword [arg_30h], rdx
|           0x01077ce5      48c744243800.  mov qword [arg_38h], 0
\           0x01077cee      c3             ret                         ; rip=0x0 ; rsp=0x178010
[0x01077cbf]> 

And then there's this, which I can't seem to google: a shellcode offset of 0x3000000, so no idea what 0x3000003 might be?? So not sure how to add it to the sdb.txt, shrug...

[0x01057f7a]> pdf
/ (fcn) sym.runtime.settls 38
|   sym.runtime.settls ();
|           ; var int local_20h @ rsp+0x20
|           ; CALL XREF from sym.runtime.skipPleaseUseCallersFrames (0x1053c78)
|           ; CALL XREF from sym.runtime.bsdthread_start (0x1057e3d)
|           0x01057f60      4883ec28       sub rsp, 0x28               ; '(' ; rsp=0x177fd8 ; of=0x0 ; sf=0x0 ; zf=0x0 ; pf=0x1 ; cf=0x1
|           0x01057f64      48896c2420     mov qword [local_20h], rbp
|           0x01057f69      488d6c2420     lea rbp, [local_20h]        ; 0x20 ; 32 ; rbp=0x177ff8
|           0x01057f6e      4881efa00800.  sub rdi, 0x8a0              ; rdi=0xfffffffffffff760 ; of=0x0 ; sf=0x1 ; zf=0x0 ; pf=0x1 ; cf=0x1
|           0x01057f75      b803000003     mov eax, 0x3000003          ; eax=0x3000003 ; rax=0x3000003
|           ;-- hit0_31.syscall:
|           0x01057f7a      0f05           syscall                     ; 50331651 = unknown ()
|           0x01057f7c      488b6c2420     mov rbp, qword [local_20h]  ; [0x20:8]=-1 ; 32 ; rbp=0x0
|           0x01057f81      4883c428       add rsp, 0x28               ; '(' ; rsp=0x178000 ; of=0x0 ; sf=0x0 ; zf=0x0 ; cf=0x0 ; pf=0x1
\           0x01057f85      c3             ret                         ; rip=0x0 ; rsp=0x178008
[0x01057f7a]> 
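To make the two cases in this thread concrete (the `mov eax, imm` form that the rax-only matcher missed, and the Go helpers that build the number with `add rax, 0x2000000` and so carry no immediate at all), here is an added example that is not part of radare2 or this PR: a small scanner over r2-style disassembly lines that tracks the last immediate written to eax/rax before a `syscall` and decodes the XNU class byte. The sample lines are copied from the listings above; the syscall-name table is a constructed subset of the BSD table.

```python
import re

# XNU keeps the syscall class in the top byte of the number:
# 1 = Mach trap, 2 = BSD/Unix, 3 = machine-dependent (mdep).
XNU_CLASSES = {1: "mach", 2: "unix", 3: "mdep"}
# Constructed subset of the BSD (class 2) table, enough for the sample.
UNIX_NAMES = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close"}

# addr, raw bytes, then "mov eax|rax, <imm>". Matching eax as well as rax is
# the point: a 32-bit write zero-extends into rax, so it sets the number too.
MOV_IMM = re.compile(r"^(0x[0-9a-f]+)\s+\S+\s+mov (eax|rax), (0x[0-9a-f]+|\d+)\b")
SYSCALL = re.compile(r"^(0x[0-9a-f]+)\s+\S+\s+syscall\b")
TOUCHES_RAX = re.compile(r"\b(rax|eax)\b")

def find_syscalls(lines):
    """Return (syscall_addr, class, number, name) for every `syscall` whose
    number was set by the nearest preceding `mov eax/rax, imm`. If rax was
    last written some other way (load from stack, add), the number is
    unknown from the immediate alone, mirroring r2's 'unknown ()' comment."""
    hits = []
    pending = None  # last immediate moved into eax/rax; None once clobbered
    for raw in lines:
        line = raw.strip().lstrip("|\\,=<>`- ").strip()  # drop r2 graph prefix
        m = MOV_IMM.match(line)
        if m:
            pending = int(m.group(3), 0)
            continue
        m = SYSCALL.match(line)
        if m:
            if pending is None:
                hits.append((m.group(1), None, None, "unknown"))
            else:
                cls, num = pending >> 24, pending & 0xFFFFFF
                name = UNIX_NAMES.get(num, "unknown") if cls == 2 else "unknown"
                hits.append((m.group(1), XNU_CLASSES.get(cls, "?"), num, name))
            pending = None
        elif TOUCHES_RAX.search(line):
            pending = None  # e.g. mov rax, qword [arg_8h] / add rax, 0x2000000
    return hits

# Constructed sample: three snippets taken from the listings in this thread.
SAMPLE = """
0x01057924      b806000002     mov eax, 0x2000006
0x01057929      0f05           syscall
|           0x01057f75      b803000003     mov eax, 0x3000003
|           0x01057f7a      0f05           syscall
|           0x01077bd9      488b442408     mov rax, qword [arg_8h]
|           0x01077bde      480500000002   add rax, 0x2000000
|           0x01077be4      0f05           syscall
""".strip().splitlines()

if __name__ == "__main__":
    for hit in find_syscalls(SAMPLE):
        print(hit)
```

The third hit comes back as unknown because the number lives in a stack argument, which is exactly why `/as` cannot name the `syscall.Syscall` helpers shown above.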

@jacobrosenthal
Contributor

Closes #10978

@radare radare merged commit 8a2397e into radareorg:master Aug 13, 2018
@sivaramaaa sivaramaaa deleted the patch-2 branch August 13, 2018 09:07