Direct system calls

bitcoin:
I am trying to use direct NT system calls (low-level API calls). The "usual" code is (example):


--- Code: ---.data
memInfo MEMORY_BASIC_INFORMATION  <>
numBytes dd 16d

.data?
pMem dd ?
oldProtect dd ?

.code
start:
invoke GetModuleHandle,chr$("kernel32.dll")
mov pMem,eax
invoke VirtualQuery,pMem,addr memInfo,sizeof MEMORY_BASIC_INFORMATION
--- End code ---

The 32-bit syscall is:

--- Code: ---push offset oldProtect
push PAGE_EXECUTE_READWRITE
push offset numBytes ; IN OUT PULONG NumberOfBytesToProtect
push offset pMem
push 0FFFFFFFFh ;current process handle


push offset @f ;don't know about this
push offset @f ;stack alignment???


mov eax,89h ;number of syscall
mov edx,esp
sysenter
@@:add esp,5*4
--- End code ---

There are five parameters, because we use the Nt API NtProtectVirtualMemory.

In 64-bit it is:

--- Code: ---mov rcx,INVALID_HANDLE_VALUE ;first argument
mov rdx,ppMem
lea r8,numBytes
mov r9,PAGE_EXECUTE_READWRITE
lea rax,oldProtect
mov qword ptr [rsp+32],rax ;mov qword ptr [rsp+20h],rax
push rax ; don't know about this, stack alignment??

mov     r10, rcx
mov     eax, 50h ;syscall number
syscall

--- End code ---

Syscall numbers you can get here: https://j00ru.vexillium.org/syscalls/nt/32/ , or parse the NTDLL export table.
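From the defender's side, the same byte sequences shown above (a `mov eax, N` followed by `sysenter`, or `mov r10, rcx` / `mov eax, N` / `syscall`) are what a binary scanner or memory-forensics tool looks for when deciding whether a module carries its own hand-rolled system call stubs instead of going through ntdll. The following scanner is an added example written for this page, not code from the thread or from any tool the post mentions. It matches only the bare stub forms shown in the post (it does not handle the `test byte ptr [...]` / `jne` pair that Windows 10 ntdll stubs carry), the glue-instruction encodings and the sample code bytes are constructed here, and the list of modules where stubs are expected (ntdll.dll, win32u.dll) is an assumption for the demonstration.

```python
import struct

SYSCALL = b"\x0f\x05"   # syscall  (x64 trap instruction)
SYSENTER = b"\x0f\x34"  # sysenter (x86 trap instruction)
MOV_EAX_IMM32 = 0xB8    # opcode of 'mov eax, imm32'; the 4-byte number follows little-endian

# Instructions that commonly sit around 'mov eax, N' in a raw stub (constructed list).
GLUE = (
    b"\x4c\x8b\xd1",  # mov r10, rcx  (encoding used by the x64 ntdll stubs)
    b"\x49\x89\xca",  # mov r10, rcx  (alternative encoding)
    b"\x8b\xd4",      # mov edx, esp  (x86 KiFastSystemCall form)
    b"\x89\xe2",      # mov edx, esp  (alternative encoding)
)

# Modules in which syscall stubs are legitimately expected (assumption for this example).
EXPECTED_STUB_MODULES = {"ntdll.dll", "win32u.dll"}


def _skip_glue(code: bytes, pos: int) -> int:
    """Advance past any run of known glue instructions starting at pos."""
    while True:
        for g in GLUE:
            if code.startswith(g, pos):
                pos += len(g)
                break
        else:
            return pos


def find_direct_syscall_stubs(code: bytes) -> list:
    """Return every raw stub found in code as {offset, number, kind, length}.

    A stub is: [glue]* 'mov eax, imm32' [glue]* ('syscall' | 'sysenter').
    The scan resumes after each match so one stub is reported exactly once.
    """
    findings = []
    pos, n = 0, len(code)
    while pos < n:
        p = _skip_glue(code, pos)
        if p + 5 <= n and code[p] == MOV_EAX_IMM32:
            number = struct.unpack_from("<I", code, p + 1)[0]
            q = _skip_glue(code, p + 5)
            kind = None
            if code.startswith(SYSCALL, q):
                kind = "syscall"
            elif code.startswith(SYSENTER, q):
                kind = "sysenter"
            if kind is not None:
                findings.append({"offset": pos, "number": number,
                                 "kind": kind, "length": q + 2 - pos})
                pos = q + 2
                continue
        pos += 1
    return findings


def assess(module_name: str, code: bytes) -> list:
    """Flag stubs as suspicious when they live outside the modules that should own them."""
    expected = module_name.lower() in EXPECTED_STUB_MODULES
    return [dict(f, module=module_name, suspicious=not expected)
            for f in find_direct_syscall_stubs(code)]


# Constructed sample bytes: the post's 64-bit stub (mov r10,rcx / mov eax,50h / syscall)
# and its 32-bit stub (mov eax,89h / mov edx,esp / sysenter) embedded in filler code.
SAMPLE_CODE = (
    b"\x48\x83\xec\x28"                            # sub rsp, 28h   (filler prologue)
    + b"\x4c\x8b\xd1\xb8\x50\x00\x00\x00\x0f\x05"  # x64 stub, syscall number 0x50
    + b"\xc3"                                      # ret
    + b"\x90" * 4                                  # nop padding
    + b"\xb8\x89\x00\x00\x00\x8b\xd4\x0f\x34"      # x86 stub, syscall number 0x89
    + b"\x83\xc4\x18"                              # add esp, 18h   (filler epilogue)
)

if __name__ == "__main__":
    for f in assess("payload.exe", SAMPLE_CODE):
        print(f"{f['module']}+0x{f['offset']:x}: {f['kind']} number 0x{f['number']:x}"
              f" ({f['length']} bytes) suspicious={f['suspicious']}")
```

Run it over the `.text` bytes of a dumped module rather than the constructed sample to use it for real. The syscall number itself is a poor indicator, since it changes between Windows builds (the j00ru tables linked above show this); the stable signal is the trap instruction appearing in a module that is not ntdll.dll or win32u.dll.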
