2025-02-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
This article is about how to use IDA Python to enumerate Windows system call tables. The editor thinks it is quite practical, so it is shared here for everyone's reference. Let's follow along and have a look.
Background knowledge
Every system call in Windows is assigned an ID, a unique value that identifies which function is executed when that system call is made. These IDs can vary considerably between Windows versions, and for Windows 10 they differ in each release. Normal applications are not affected by this, however, because they call through the user-mode libraries rather than using the IDs directly.
Manually enumerate Windows system call tables
There are three important symbols to recognize when parsing a system call table: the base address of the table, the size of the table, and the size in bytes of the parameters on the stack. For ntoskrnl.exe these three symbols are named KiServiceTable, KiServiceLimit, and KiArgumentTable. For win32k.sys they become W32pServiceTable, W32pServiceLimit, and W32pArgumentTable. On 32-bit builds these symbol names are prefixed with an underscore.
For example, let's take a look at ntoskrnl.exe (version 6.1.7601.24117) from 64-bit Windows 7. The KiServiceLimit data is shown in Figure 1:
Based on this information, we can see that there are 401 system calls (0x191). The KiServiceTable data is shown in Figure 2:
Based on the data in Figure 2, we can manually map functions and their IDs. The ID corresponding to NtMapUserPhysicalPagesScatter is 0x0000, the ID corresponding to NtWaitForSingleObject is 0x0001, the ID corresponding to NtCallbackReturn is 0x0002, and so on.
There are two special situations that need specific handling. If we analyze win32k.sys, we need to add 0x1000 to the function IDs when enumerating the table. Similarly, for 64-bit Windows 10 (build 1607) we need to do something different: in this version of the system, the system call table contains four-byte function offsets rather than full pointers.
The following information is given for ntoskrnl.exe version 10.0.17134.48. KiServiceTable data is shown in Figure 3:
This means that we need to read four bytes at a time and add each value to the base address of the table.
Automated mapping with IDA
First let's take a look at the IDA functions that need to be called:
1. idaapi.get_imagebase: returns the image base address of the module we are looking at.
2. idc.GetInputFile: returns the name of the input file the IDB was created from.
3. idc.BADADDR: a constant with the value -1 (as an unsigned integer), which can also be used to determine whether the current IDB is 32-bit or 64-bit.
4. idc.Name: returns the name at a given address.
5. idc.LocByName: the exact opposite of idc.Name; returns the address of a given name.
6. idc.Dword: returns the four-byte value at a given address.
7. idc.Qword: returns the eight-byte value at a given address.
8. idautils.DataRefsFrom: enumerates the data references going out from a given address.
First, we need to determine whether the object being analyzed is ntoskrnl.exe or win32k.sys:
Next, we need to decide which symbol name to use and whether the names need an underscore prefix:
LocByName returns BADADDR if the symbol doesn't exist, so we can use this to test whether the plain symbol name exists or the underscored form is needed.
Once we have the correct symbol name, we need to get the actual size of the table:
First get the symbol's address with LocByName, then use Dword to read the value stored there. Here's how to handle 64-bit Windows 10:
DataRefsFrom walks the data references from the table's base address, but if the target is a newer Windows 10 build we instead add each stored value to the base address of the table. The next thing to do is read consecutive values starting at the base address of the table, using the Qword function for 64-bit versions and Dword for 32-bit versions. Below is a sample of the output:
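The whole procedure above (pick the module, fall back to the underscored 32-bit symbol names when LocByName returns BADADDR, read the limit, then walk the table in either the 8-byte pointer layout or the Windows 10 four-byte offset layout, adding 0x1000 to win32k.sys IDs), as an added example that is not the article's own script. Since idc and idaapi only exist inside IDA, the FakeIdb class below is a constructed stand-in for idc.LocByName / idc.Dword / idc.Qword, and the image, addresses and entry count in build_sample are constructed sample data; in IDA you would call the real functions on the same addresses.

```python
import struct
BADADDR64 = 0xFFFFFFFFFFFFFFFF  # idc.BADADDR in a 64-bit IDB
# Symbol names per module, as the article describes; 32-bit builds prefix '_'.
TABLE_SYMBOLS = {"ntoskrnl.exe": ("KiServiceTable", "KiServiceLimit"),
                 "win32k.sys": ("W32pServiceTable", "W32pServiceLimit")}
class FakeIdb:
    """Constructed stand-in for an IDB (flat image plus symbols) that mirrors
    idc.LocByName / idc.Dword / idc.Qword, so the logic runs outside IDA."""
    def __init__(self, base, data, symbols):
        self.base, self.data, self.symbols = base, data, symbols
    def loc_by_name(self, name):
        return self.symbols.get(name, BADADDR64)
    def dword(self, ea):
        return struct.unpack_from("<I", self.data, ea - self.base)[0]
    def qword(self, ea):
        return struct.unpack_from("<Q", self.data, ea - self.base)[0]

def resolve_table(idb, module):
    """Return (table address, entry count); try '_' names if LocByName fails."""
    table, limit = TABLE_SYMBOLS[module]
    if idb.loc_by_name(table) == BADADDR64:
        table, limit = "_" + table, "_" + limit
    table_addr = idb.loc_by_name(table)
    if table_addr == BADADDR64:
        raise LookupError("service table symbol not found")
    return table_addr, idb.dword(idb.loc_by_name(limit))

def enumerate_syscalls(idb, module, compact):
    """Map syscall ID -> routine address. compact=True is the Windows 10 (1607+)
    64-bit layout: 4-byte values added to the table base; else 8-byte pointers."""
    table_addr, count = resolve_table(idb, module)
    id_base = 0x1000 if module == "win32k.sys" else 0  # win32k IDs start at 0x1000
    result = {}
    for i in range(count):
        raw = idb.dword(table_addr + 4 * i) if compact else idb.qword(table_addr + 8 * i)
        result[id_base + i] = table_addr + raw if compact else raw
    return result

def build_sample(compact, module="ntoskrnl.exe", underscore=False):
    """Constructed image: 3-entry table at base+0x1000, limit at base+0x2000."""
    base, data = 0x140000000, bytearray(0x3000)
    targets = [base + 0x8000 + 0x200 * i for i in range(3)]
    for i, t in enumerate(targets):
        fmt, off = ("<I", 4 * i) if compact else ("<Q", 8 * i)
        struct.pack_into(fmt, data, 0x1000 + off, t - (base + 0x1000) if compact else t)
    struct.pack_into("<I", data, 0x2000, len(targets))
    pre = "_" if underscore else ""
    syms = dict(zip((pre + n for n in TABLE_SYMBOLS[module]), (base + 0x1000, base + 0x2000)))
    return FakeIdb(base, bytes(data), syms)
```

Calling enumerate_syscalls(build_sample(True), "ntoskrnl.exe", True) yields IDs 0 to 2 mapped to the three constructed routine addresses, and the same call with compact=False on build_sample(False) gives the identical mapping from the 8-byte layout.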
Thank you for reading! That concludes this article on "how to use IDA Python to enumerate Windows system call tables". I hope the above content is of some help to everyone and that you learned something from it; if you think the article is good, please share it so more people can see it!