Windows syscall stubs
source link: https://gist.github.com/wbenny/b08ef73b35782a1f57069dff2327ee4d
Windows system calls
...by stub
Windows XP
; Native x86 stub, Windows XP: the service number is loaded into eax and
; the stub then calls the fixed address 7FFE0300h *directly* (FF D2, call
; edx).  The later variants on this page call *through* the pointer stored
; at that address instead.  The "??" bytes are the only per-function
; parts: the service number and, for functions with stack arguments, the
; stdcall cleanup size in "retn ??".  An integrity check that compares an
; Nt* export against this shape should wildcard exactly those bytes and
; treat any other difference as a modified stub.
; NOTE(review): 7FFE0300h is presumably the user-mode KUSER_SHARED_DATA
; SystemCall slot -- confirm against the OS headers; the page does not say.
B8 ?? ?? ?? ?? mov eax, ??
BA 00 03 FE 7F mov edx, 7FFE0300h
FF D2 call edx
[C2 ?? ?? | C3] retn [??]
Windows XP (SP3), Windows 7, Windows 7 (SP1)
; Native x86 stub, Windows XP SP3 / 7 / 7 SP1: same shape as the Windows XP
; stub above except that the dispatch is "call dword ptr [edx]" -- an
; indirect call through the pointer stored at 7FFE0300h, not a call to
; that address itself.  On the byte level the only difference is FF 12
; instead of FF D2, so a matcher keyed on the XP pattern misses this one.
; NOTE(review): the pointer's target (the actual fast-syscall entry) is
; not shown on this page -- confirm before documenting it.
B8 ?? ?? ?? ?? mov eax, ??
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
[C2 ?? ?? | C3] retn [??]
Windows 8, Windows 8.1, Windows 10
; Native x86 stub, Windows 8 / 8.1 / 10: no fixed dispatch address any
; more.  "call $+??" pushes the address of the following "retn" and jumps
; over it to the three-instruction tail (mov edx, esp / sysenter / retn).
; In the concrete listings further down the displacement is 3 (skipping a
; 3-byte "retn ??") for functions with arguments and 1 (skipping a 1-byte
; "retn") for NtTestAlert, so the "??" in the E8 encoding is tied to the
; cleanup size.  "mov edx, esp" captures the user stack pointer before
; sysenter.
; NOTE(review): presumably execution resumes at the pushed address so the
; "retn ??" performs the stdcall cleanup, and the final "C3 retn" after
; sysenter is padding that is not normally reached -- confirm; the page
; shows only the bytes.
B8 ?? ?? ?? ?? mov eax, ??
E8 ?? 00 00 00 call $+??
[C2 ?? ?? | C3] retn [??]
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
WoW64
Windows XP
; WoW64 stub, Windows XP: eax = service number; ecx = index into the
; wow64cpu argument-translation table ("xor ecx, ecx" for index 0, see the
; per-function notes further down); edx = address of the first stack
; argument ([esp+4] skips the pushed return address); then an indirect
; near call through the dword at fs:0C0h.  The concrete listings below
; show the eax value matching the native x64 service number for the same
; Windows version, i.e. this stub already carries the 64-bit number.
; NOTE(review): fs:0C0h is presumably a TEB slot holding the WoW64 layer's
; 64-bit transition entry -- confirm before documenting it as such.
B8 ?? ?? ?? ?? mov eax, ??
[33 C9 | B9 ?? ?? ?? ??] [xor ecx, ecx | mov ecx, ??]
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
[C2 ?? ?? | C3] retn [??]
Windows 7, Windows 7 (SP1)
; WoW64 stub, Windows 7 / 7 SP1: identical to the Windows XP WoW64 shape
; (eax = service number, ecx = translation-table index, edx = &first arg,
; indirect call through fs:0C0h) plus one extra instruction, "add esp, 4",
; between the call and the return.  A matcher written for the XP shape
; therefore fails on the 83 C4 04 bytes here.
; NOTE(review): the add presumably balances a dword the 64-bit transition
; leaves on the 32-bit stack -- confirm; the page only shows the bytes.
B8 ?? ?? ?? ?? mov eax, ??
[33 C9 | B9 ?? ?? ?? ??] [xor ecx, ecx | mov ecx, ??]
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
[C2 ?? ?? | C3] retn [??]
Windows 8, Windows 8.1
; WoW64 stub, Windows 8 / 8.1: ecx and edx are no longer set up.  The
; concrete listings below show the translation-table index folded into the
; upper 16 bits of the eax immediate (e.g. 1B0037h for NtFsControlFile on
; Windows 8, where Windows 7 used "mov ecx, 1Bh" plus eax = 36h), while
; the low 16 bits still match the native x64 service number (37h).  So the
; "??" bytes of the mov now encode two values, not one.
B8 ?? ?? ?? ?? mov eax, ??
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
[C2 ?? ?? | C3] retn [??]
Windows 10
; WoW64 stub, Windows 10: the fs:0C0h indirection is replaced by an
; absolute address in edx followed by "call edx".  The concrete listing
; below shows that address as "offset _Wow64SystemServiceCall@0"; it is
; fixed up per image load, which is why the edx immediate is wildcarded
; here -- a byte matcher must not pin it.  The eax immediate keeps the
; Windows 8 packing (translation-table index in the upper 16 bits, x64
; service number in the lower 16 bits, e.g. 1B0039h).
B8 ?? ?? ?? ?? mov eax, ??
BA ?? ?? ?? ?? mov edx, ??
FF D2 call edx
[C2 ?? ?? | C3] retn [??]
All (Windows XP, Windows 7, Windows 7 (SP1), Windows 8, Windows 8.1, Windows 10)
; Native x64 stub, every listed version: the first argument is copied from
; rcx to r10 because the syscall instruction overwrites rcx with the return
; RIP; eax = service number; bare "retn" (no stack cleanup in the x64
; ABI).  Only the service number varies, and it does vary across versions
; -- in the listings below NtTestAlert is 11Bh on XP, 17Eh on 7, 196h on
; 8, 19Bh on 8.1 and 1A3h on 10 -- so nothing here is safe to hard-code.
4C 8B D1 mov r10, rcx
B8 ?? ?? ?? ?? mov eax, ??
0F 05 syscall
C3 retn
...by Windows version
Stubs for the same three functions are shown for every version:
- NtOpenFile (function with arguments; index 0 into the wow64cpu translation table)
- NtFsControlFile (function with arguments; a non-zero index into the wow64cpu translation table)
- NtTestAlert (function without arguments)
Windows XP
; Windows XP, native x86 (direct "call edx" shape).  Service numbers:
; NtOpenFile 74h, NtFsControlFile 54h, NtTestAlert 103h.  "retn 18h" and
; "retn 28h" pop 6 and 10 dword arguments respectively; NtTestAlert takes
; no arguments and ends with a bare retn.
B8 74 00 00 00 mov eax, 74h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF D2 call edx
C2 18 00 retn 18h
B8 54 00 00 00 mov eax, 54h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF D2 call edx
C2 28 00 retn 28h
B8 03 01 00 00 mov eax, 103h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF D2 call edx
C3 retn
Windows XP (SP3)
; Windows XP SP3, native x86.  Same service numbers as Windows XP (74h,
; 54h, 103h) but the dispatch changed to "call dword ptr [edx]" (FF 12):
; a check keyed only on service numbers cannot tell these two apart, and
; a byte matcher for the XP shape fails here.
B8 74 00 00 00 mov eax, 74h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 18 00 retn 18h
B8 54 00 00 00 mov eax, 54h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 28 00 retn 28h
B8 03 01 00 00 mov eax, 103h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C3 retn
Windows 7
; Windows 7, native x86 (indirect "call dword ptr [edx]" shape).  Service
; numbers moved relative to XP: NtOpenFile 0B3h (was 74h), NtFsControlFile
; 86h (was 54h), NtTestAlert 174h (was 103h).  Stack cleanup unchanged:
; 18h / 28h / none.
B8 B3 00 00 00 mov eax, 0B3h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 18 00 retn 18h
B8 86 00 00 00 mov eax, 86h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 28 00 retn 28h
B8 74 01 00 00 mov eax, 174h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C3 retn
Windows 7 (SP1)
; Windows 7 SP1, native x86.  Byte-identical to the Windows 7 listing
; above (0B3h / 86h / 174h, indirect call through 7FFE0300h); the service
; pack did not renumber these three services.
B8 B3 00 00 00 mov eax, 0B3h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 18 00 retn 18h
B8 86 00 00 00 mov eax, 86h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 28 00 retn 28h
B8 74 01 00 00 mov eax, 174h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C3 retn
Windows 8
; Windows 8, native x86 (call-over-retn + sysenter shape).  Service
; numbers: NtOpenFile 0E8h, NtFsControlFile 115h, NtTestAlert 21h.
; "call $+8" is 5 bytes long and skips the 3-byte "retn 18h"/"retn 28h",
; landing on "mov edx, esp"; for NtTestAlert "call $+6" skips the 1-byte
; "retn".  Each stub is 6 bytes longer than the XP/7 shape because the
; sysenter tail is embedded per function.
; NOTE(review): the "C3 retn" after sysenter presumably is not normally
; executed (execution resumes at the pushed return address) -- confirm.
B8 E8 00 00 00 mov eax, 0E8h ; NtOpenFile
E8 03 00 00 00 call $+8
C2 18 00 retn 18h
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 15 01 00 00 mov eax, 115h ; NtFsControlFile
E8 03 00 00 00 call $+8
C2 28 00 retn 28h
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 21 00 00 00 mov eax, 21h ; NtTestAlert
E8 01 00 00 00 call $+6
C3 retn
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
Windows 8.1
; Windows 8.1, native x86.  Same shape as Windows 8; service numbers
; shifted by a few slots: NtOpenFile 0EBh (8: 0E8h), NtFsControlFile 119h
; (8: 115h), NtTestAlert unchanged at 21h.  The E8 displacements (3 and 1)
; again skip the retn that the sysenter path returns to.
B8 EB 00 00 00 mov eax, 0EBh ; NtOpenFile
E8 03 00 00 00 call $+8
C2 18 00 retn 18h
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 19 01 00 00 mov eax, 119h ; NtFsControlFile
E8 03 00 00 00 call $+8
C2 28 00 retn 28h
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 21 00 00 00 mov eax, 21h ; NtTestAlert
E8 01 00 00 00 call $+6
C3 retn
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
Windows 10
; Windows 10, native x86.  Same shape as Windows 8 / 8.1; service numbers:
; NtOpenFile 0EEh, NtFsControlFile 11Eh, NtTestAlert 22h (the first of
; the listed versions where NtTestAlert moved from 21h).
; NOTE(review): the page does not say which Windows 10 build these numbers
; were taken from; they are presumably build-specific -- confirm before
; reuse.
B8 EE 00 00 00 mov eax, 0EEh ; NtOpenFile
E8 03 00 00 00 call $+8
C2 18 00 retn 18h
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 1E 01 00 00 mov eax, 11Eh ; NtFsControlFile
E8 03 00 00 00 call $+8
C2 28 00 retn 28h
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 22 00 00 00 mov eax, 22h ; NtTestAlert
E8 01 00 00 00 call $+6
C3 retn
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
WoW64
Windows XP
; Windows XP, WoW64.  eax carries the *x64* service number (30h / 36h /
; 11Bh -- compare the native x64 Windows XP listing further down), not the
; native x86 number (74h / 54h / 103h).  ecx is the wow64cpu translation
; table index: 0 for NtOpenFile, 1Bh for NtFsControlFile, 2 for
; NtTestAlert.  edx = [esp+4] is loaded even for NtTestAlert, which has no
; stack arguments.
B8 30 00 00 00 mov eax, 30h ; NtOpenFile
33 C9 xor ecx, ecx
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 18 00 retn 18h
B8 36 00 00 00 mov eax, 36h ; NtFsControlFile
B9 1B 00 00 00 mov ecx, 1Bh
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 28 00 retn 28h
B8 1B 01 00 00 mov eax, 11Bh ; NtTestAlert
B9 02 00 00 00 mov ecx, 2
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C3 retn
Windows 7
; Windows 7, WoW64.  Same register setup as XP (eax = x64 service number
; 30h / 36h / 17Eh, matching the native x64 Windows 7 listing; ecx =
; translation-table index 0 / 1Bh / 2; edx = [esp+4]) with "add esp, 4"
; inserted after the fs:0C0h call.  The NtTestAlert number changed from
; 11Bh to 17Eh; the table indices did not.
; NOTE(review): the add presumably discards a dword left on the stack by
; the 64-bit transition -- confirm; the page shows only the bytes.
B8 30 00 00 00 mov eax, 30h ; NtOpenFile
33 C9 xor ecx, ecx
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C2 18 00 retn 18h
B8 36 00 00 00 mov eax, 36h ; NtFsControlFile
B9 1B 00 00 00 mov ecx, 1Bh
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C2 28 00 retn 28h
B8 7E 01 00 00 mov eax, 17Eh ; NtTestAlert
B9 02 00 00 00 mov ecx, 2
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C3 retn
Windows 7 (SP1)
; Windows 7 SP1, WoW64.  Byte-identical to the Windows 7 WoW64 listing
; above (30h / 36h / 17Eh, indices 0 / 1Bh / 2, "add esp, 4" after the
; fs:0C0h call).
B8 30 00 00 00 mov eax, 30h ; NtOpenFile
33 C9 xor ecx, ecx
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C2 18 00 retn 18h
B8 36 00 00 00 mov eax, 36h ; NtFsControlFile
B9 1B 00 00 00 mov ecx, 1Bh
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C2 28 00 retn 28h
B8 7E 01 00 00 mov eax, 17Eh ; NtTestAlert
B9 02 00 00 00 mov ecx, 2
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C3 retn
Windows 8
; Windows 8, WoW64.  Three instructions per stub: the translation-table
; index that Windows 7 passed in ecx is now packed into the upper 16 bits
; of eax, and the x64 service number sits in the lower 16 bits:
;   NtOpenFile      31h     = index 0   | x64 number 31h
;   NtFsControlFile 1B0037h = index 1Bh | x64 number 37h
;   NtTestAlert     20196h  = index 2   | x64 number 196h
; (the x64 numbers match the native x64 Windows 8 listing further down).
; A decoder that reads the whole B8 immediate as "the syscall number" gets
; the wrong value for the last two.
B8 31 00 00 00 mov eax, 31h ; NtOpenFile
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 18 00 retn 18h
B8 37 00 1B 00 mov eax, 1B0037h ; NtFsControlFile
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 28 00 retn 28h
B8 96 01 02 00 mov eax, 20196h ; NtTestAlert
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C3 retn
Windows 8.1
; Windows 8.1, WoW64.  Same packing as Windows 8 (index in the upper 16
; bits of eax, x64 service number in the lower 16 bits): 32h, 1B0038h,
; 2019Bh -- low halves 32h / 38h / 19Bh match the native x64 Windows 8.1
; listing, indices 0 / 1Bh / 2 unchanged.
B8 32 00 00 00 mov eax, 32h ; NtOpenFile
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 18 00 retn 18h
B8 38 00 1B 00 mov eax, 1B0038h ; NtFsControlFile
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 28 00 retn 28h
B8 9B 01 02 00 mov eax, 2019Bh ; NtTestAlert
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C3 retn
Windows 10
; Windows 10, WoW64.  eax keeps the Windows 8 packing (33h, 1B0039h,
; 201A3h; low halves match the native x64 Windows 10 listing).  The
; fs:0C0h indirection is gone: edx receives the absolute address of
; _Wow64SystemServiceCall@0 and the stub does "call edx".  The B0 D5 2F 4B
; bytes are the address from the disassembled image and are relocated per
; load, so they must be wildcarded (as the generic pattern at the top of
; the page does) rather than matched.
B8 33 00 00 00 mov eax, 33h ; NtOpenFile
BA B0 D5 2F 4B mov edx, offset _Wow64SystemServiceCall@0 ; Wow64SystemServiceCall()
FF D2 call edx ; Wow64SystemServiceCall()
C2 18 00 retn 18h
B8 39 00 1B 00 mov eax, 1B0039h ; NtFsControlFile
BA B0 D5 2F 4B mov edx, offset _Wow64SystemServiceCall@0 ; Wow64SystemServiceCall()
FF D2 call edx ; Wow64SystemServiceCall()
C2 28 00 retn 28h
B8 A3 01 02 00 mov eax, 201A3h ; NtTestAlert
BA B0 D5 2F 4B mov edx, offset _Wow64SystemServiceCall@0 ; Wow64SystemServiceCall()
FF D2 call edx ; Wow64SystemServiceCall()
C3 retn
Windows XP
; Windows XP, native x64 (the page has no "x64" heading for this and the
; following five listings; they are recognisable by mov r10, rcx / syscall).
; Service numbers 30h / 36h / 11Bh -- the same values the XP WoW64 stubs
; load into eax.
4C 8B D1 mov r10, rcx ; NtOpenFile
B8 30 00 00 00 mov eax, 30h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 36 00 00 00 mov eax, 36h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 1B 01 00 00 mov eax, 11Bh
0F 05 syscall
C3 retn
Windows 7
; Windows 7, native x64.  Service numbers 30h / 36h / 17Eh; NtOpenFile and
; NtFsControlFile are unchanged from XP, NtTestAlert moved from 11Bh.
; Same values as the Windows 7 WoW64 stubs load into eax.
4C 8B D1 mov r10, rcx ; NtOpenFile
B8 30 00 00 00 mov eax, 30h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 36 00 00 00 mov eax, 36h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 7E 01 00 00 mov eax, 17Eh
0F 05 syscall
C3 retn
Windows 7 (SP1)
; Windows 7 SP1, native x64.  Byte-identical to the Windows 7 x64 listing
; above (30h / 36h / 17Eh).
4C 8B D1 mov r10, rcx ; NtOpenFile
B8 30 00 00 00 mov eax, 30h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 36 00 00 00 mov eax, 36h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 7E 01 00 00 mov eax, 17Eh
0F 05 syscall
C3 retn
Windows 8
; Windows 8, native x64.  Service numbers 31h / 37h / 196h -- each one
; slot above Windows 7 for the first two.  These are the values found in
; the low 16 bits of the packed Windows 8 WoW64 eax immediates.
4C 8B D1 mov r10, rcx ; NtOpenFile
B8 31 00 00 00 mov eax, 31h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 37 00 00 00 mov eax, 37h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 96 01 00 00 mov eax, 196h
0F 05 syscall
C3 retn
Windows 8.1
; Windows 8.1, native x64.  Service numbers 32h / 38h / 19Bh (one slot
; above Windows 8 for the first two); low 16 bits of the Windows 8.1 WoW64
; eax immediates.
4C 8B D1 mov r10, rcx ; NtOpenFile
B8 32 00 00 00 mov eax, 32h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 38 00 00 00 mov eax, 38h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 9B 01 00 00 mov eax, 19Bh
0F 05 syscall
C3 retn
Windows 10
; Windows 10, native x64.  Service numbers 33h / 39h / 1A3h; low 16 bits
; of the Windows 10 WoW64 eax immediates.  The stub shape itself has not
; changed since XP -- only the B8 immediate moves between versions.
; NOTE(review): the page does not name the Windows 10 build; the numbers
; are presumably build-specific -- confirm before reuse.
4C 8B D1 mov r10, rcx ; NtOpenFile
B8 33 00 00 00 mov eax, 33h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 39 00 00 00 mov eax, 39h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 A3 01 00 00 mov eax, 1A3h
0F 05 syscall
C3 retn