
Author Topic: Direct system calls  (Read 3522 times)

bitcoin (Member, Posts: 179)
Direct system calls
« on: June 23, 2020, 04:56:04 PM »
I am trying to use direct NT system calls (low-level API calls). The "usual" code is (example):

Code: [Select]
.data
memInfo MEMORY_BASIC_INFORMATION  <>
numBytes dd 16d

.data?
pMem dd ?
oldProtect dd ?

.code
start:
invoke GetModuleHandle,chr$("kernel32.dll")
mov pMem,eax
invoke VirtualQuery,pMem,addr memInfo,sizeof MEMORY_BASIC_INFORMATION

The 32-bit syscall is:
Code: [Select]
; NtProtectVirtualMemory(ProcessHandle, &BaseAddress, &NumberOfBytes, NewProtect, &OldProtect)
; arguments are pushed right to left, as for any stdcall function
push offset oldProtect       ; OUT PULONG OldAccessProtection
push PAGE_EXECUTE_READWRITE  ; ULONG NewAccessProtection
push offset numBytes         ; IN OUT PULONG NumberOfBytesToProtect
push offset pMem             ; IN OUT PVOID *BaseAddress
push 0FFFFFFFFh              ; HANDLE ProcessHandle, -1 = current process

; The kernel expects the stack the ntdll stub produces:
;   [esp]   return address into the stub (pushed by the stub's "call [edx]" into KiFastSystemCall)
;   [esp+4] return address into the caller (pushed by the caller's "call NtProtectVirtualMemory")
;   [esp+8] first argument; KiFastCallEntry reads the arguments from edx+8.
; On return the kernel resumes at KiFastSystemCallRet, whose "ret" pops [esp], so the
; two pushes below are fake return slots, not alignment padding.
push offset @f               ; fake "return to caller" slot, still on the stack after the call
push offset @f               ; fake "return to stub" slot, consumed by the ret in KiFastSystemCallRet

mov eax,89h                  ; syscall number; version-specific (89h is the XP value in the table linked below)
mov edx,esp                  ; edx = user stack pointer, exactly as KiFastSystemCall does
sysenter                     ; native 32-bit kernel only; a WOW64 process cannot use sysenter this way
@@:add esp,6*4               ; drop the leftover return slot plus the 5 arguments; eax = NTSTATUS

There are five parameters, because we use the Nt API NtProtectVirtualMemory.

In 64-bit it is:
Code: [Select]
; x64: the first four arguments go in rcx, rdx, r8, r9; the 5th goes on the stack.
; The kernel (KiSystemCall64) copies stack arguments starting at [rsp+28h], i.e. past
; the stub's return address (8 bytes) and the 32-byte home space, so reserve that
; frame here instead of pushing rax. On x64 pMem and numBytes must be qwords
; (PVOID and SIZE_T), not the dd variables of the 32-bit version.
sub rsp,30h                  ; [rsp]=fake return slot, [rsp+8..+20h]=home space, [rsp+28h]=5th argument
mov rcx,INVALID_HANDLE_VALUE ; HANDLE ProcessHandle, -1 = current process
lea rdx,pMem                 ; PVOID *BaseAddress: pointer to the variable holding the address
lea r8,numBytes              ; PSIZE_T NumberOfBytesToProtect
mov r9d,PAGE_EXECUTE_READWRITE ; ULONG NewAccessProtection
lea rax,oldProtect
mov qword ptr [rsp+28h],rax  ; PULONG OldAccessProtection, the 5th argument

mov r10,rcx                  ; syscall clobbers rcx, so the stub passes the 1st argument in r10
mov eax,50h                  ; syscall number (NtProtectVirtualMemory on x64 Windows 7 through 10)
syscall
add rsp,30h                  ; release the frame; rax = NTSTATUS

Syscall numbers you can get here https://j00ru.vexillium.org/syscalls/nt/32/ , or by parsing the NTDLL export table.
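Added example, not code from the post: the "parse the NTDLL export table" route means following each Nt* export to its address in .text and reading the immediate of the `mov eax,N` there. The decoder below does that second step for a byte buffer, in C, using the stub layouts I know ntdll ships (`4C 8B D1 B8 imm32` on x64, `B8 imm32` followed by `BA`/`E8` on x86); those patterns and the 0x1000 table boundary are my assumptions about ntdll's layout, and the three byte strings are constructed samples, not bytes read from a real ntdll. It refuses to return a number when the prologue is not a stub (for example when the first five bytes have been replaced by a `jmp`), which is the check you want before feeding a number into the hand-written sysenter/syscall sequence above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded form of one Nt/Zw stub found at an export address in ntdll. */
typedef struct {
    int valid;          /* 1 when the bytes look like a clean syscall stub */
    int is_x64;         /* 1 for the x64 form, 0 for the x86 form */
    uint32_t number;    /* the immediate moved into eax: the syscall number */
} syscall_stub_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the prologue bytes of an exported Nt function (assumed layouts):
 *   x64 stub: 4C 8B D1      mov r10,rcx
 *             B8 imm32      mov eax,<syscall number>
 *             ...           syscall / ret (Windows 10 inserts a WOW64 check first)
 *   x86 stub: B8 imm32      mov eax,<syscall number>
 *             BA imm32      mov edx,<KiFastSystemCall pointer>   (XP / 7)
 *          or E8 rel32      call <local sysenter thunk>           (8 and later)
 * Anything else, such as a 5-byte jmp planted by a user-mode hook, is reported
 * as invalid so the caller never issues a syscall with a number read from
 * foreign code. */
syscall_stub_t decode_syscall_stub(const uint8_t *p, size_t len)
{
    syscall_stub_t r = {0, 0, 0};

    if (len >= 8 && p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && p[3] == 0xB8) {
        r.valid = 1;
        r.is_x64 = 1;
        r.number = read_le32(p + 4);
    } else if (len >= 6 && p[0] == 0xB8 && (p[5] == 0xBA || p[5] == 0xE8)) {
        r.valid = 1;
        r.is_x64 = 0;
        r.number = read_le32(p + 1);
    }

    /* Assumption: ntoskrnl's table has fewer than 0x1000 entries; larger numbers
     * select the win32k table and never appear in an ntdll Nt export. */
    if (r.valid && r.number >= 0x1000)
        r.valid = 0;
    return r;
}

/* Constructed sample bytes (not read from a real ntdll):
 * the x64 stub from the post (mov r10,rcx / mov eax,50h / syscall / ret),
 * an XP-style x86 stub for 89h, and an x64 stub whose first five bytes
 * were overwritten with "jmp rel32". */
static const uint8_t stub_x64[] =
    {0x4C,0x8B,0xD1,0xB8,0x50,0x00,0x00,0x00,0x0F,0x05,0xC3};
static const uint8_t stub_x86[] =
    {0xB8,0x89,0x00,0x00,0x00,0xBA,0x00,0x03,0xFE,0x7F,0xFF,0x12,0xC2,0x14,0x00};
static const uint8_t stub_hooked[] =
    {0xE9,0x10,0x20,0x30,0x40,0x00,0x00,0x00,0x0F,0x05,0xC3};

static void report(const char *name, const uint8_t *p, size_t len)
{
    syscall_stub_t r = decode_syscall_stub(p, len);
    if (r.valid)
        printf("%-11s %s syscall number 0x%02X\n", name, r.is_x64 ? "x64" : "x86", r.number);
    else
        printf("%-11s not a syscall stub (hooked or unknown layout)\n", name);
}

int main(void)
{
    report("stub_x64", stub_x64, sizeof stub_x64);
    report("stub_x86", stub_x86, sizeof stub_x86);
    report("stub_hooked", stub_hooked, sizeof stub_hooked);
    return 0;
}
```

In a real program the buffer passed to `decode_syscall_stub` is the export's address in the loaded ntdll image, or the same RVA in a clean copy of ntdll.dll read from disk; comparing the two is the usual way to tell a hooked stub from a changed layout.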