View Full Version : Win32k.SYS system call table

j00ru vx tech blog
November 11th, 2009, 13:17
Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list (together with the handlers’ definitions). As one of the most important part of the communication process between user’s applications and kernel, SSDT is commonly used for both clearly practical purposes (such as hooking* system services in order to modify the OS behavior in certain situations), as well as theoretical research or discussions.

Considering the above facts, the popularity of a (mostly) full* system call list created by the Metasploit Project ("http://www.metasploit.com/users/opcode/syscalls.html") shouldn’t be a surprise. Their list covers most of the modern Windows NT-family systems, from Windows NT4, up to Windows Vista SP0. What is more, apart from the syscall numbers corresponding to certain kernel functions, the table also provides complete definitions of these functions.

What should be noted is that the described table contains information about only a part of all system calls – the ones exported by the kernel executable (ntoskrnl.exe). The graphical syscalls - exported by an external module called win32k.sys – have not been taken into account, at all. During my research on how some of the Windows user interface functions work,* a need to access information about system calls IDs greater than 0×1000 (values of this kind are used to communicate with the graphical part of the kernel) appeared. Since I failed to find a list, that could be compared with what Metasploit presents, I decided to create one on my own!

The current version of the Windows Graphical System Call List can be found under the following address: http://j00ru.vexillium.org/win32k_syscalls/.

The initial idea of the project is to cover all the x86 Microsoft Windows NT-family systems, including Windows 7. The empty holes easily noticeable inside the table are a consequence of the fact that I don’t have access to all the OS versions placed on the site. However, the list is going to be continuously filled with information retrieved from new systems as I get access to those; the final purpose is to create a syscall collation at least as good as what Metasploit presents. On the other hand, I am not yet able to provide the handling functions’ definitions – as for now, it is still in my TODO list – one must keep in mind that this project is still in its “alpha state”.

While I have done my best to ensure that the information provided by the list is accurate, it is possible that one or more mistakes might remain. I want to encourage every interested person to report any bug figured out, as well as any other kind of oversights present on the website. Furthermore, all comments (or complementary data) regarding the project are obviously very welcome!

Thanks in advance && have fun!

http://www.woodmann.com/forum/data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAYAAADgdz34AAADsElEQVR4nK2VTW9VVRSGn33OPgWpYLARbKWhQlCHT ogoSkjEkQwclEQcNJEwlfgD/AM6NBo1xjhx5LyJ0cYEDHGkJqhtBGKUpm3SFii3vb2956wPB/t+9raEgSs52fuus89613rftdcNH8/c9q9++oe/Vzb5P+3McyNcfm2CcPj9af9w6gwjTwzvethx3Bx3x8xwd1wNM8dMcTNUHTfFLPnX6nVmZpeIYwf3cWD/PhbrvlPkblAzVFurKS6GmmGqqComaS+qmBoTI0Ncu3mXuGvWnrJ+ZSxweDgnkHf8ndVTdbiT3M7cQp2Z31dRTecHAfqydp4ejhwa zh6Zezfnu98E1WIQwB3crEuJ2Y45PBTAQUVR9X4At66AppoEVO1Q8sgAOKJJjw6Am6OquDmvHskZ3R87gW+vlHz98zpmiqphkkRV bQtsfPTOC30lJKFbFTgp83bWh7Zx/uX1B6w3hI3NkkZTqEpBRDBRzG2AQHcwcYwEkOGkTERREbLQ/8HxJwuW7zdYrzfZ2iopy4qqEspKaDYravVm33k1R91Q69FA1VBRzFIVvXbx5AgXT44A8MWP81yfu0utIR2aVK3vfCnGrcUNxp8a7 gKYKiLCvY2SUvo/aNtnM3e49ucK9S3p0aDdaT0UAVsKi2tVi6IWwNL9JvdqTdihaz79/l+u/rHMxmaJVMLkS2OoKKLWacdeE3IsSxctc2D5Qcl6vUlVVgNt+fkPPcFFmTw1xruvT7SCd7nuVhDQvECzJH90h0azRKoKFRkAmP5lK TWAGRdefoZL554FQNUxB92WvYeA5UN4PtSqwB2phKqsqMpBgAunRhFR3j49zuU3jnX8k6fHEQKXzh1jbmGDuYU6s4t1rt6socUeL LZHhYO2AHSHmzt19ihTZ48O8Hzl/AmunD/BjTvrvPfNX3hWsNpwJCvwYm+ngug4UilSCSq6k8YPtxDwfA+WRawIWFbgscDiULcCEaWqBFOlrLazurupOSHLqGnEKJAY8TwBEHu mqUirAjNm52vEPPRV4p01XXMPAQhUBjcWm9QZwijwokgAeYHlHYA06KR1cT6ZvoV56pDUJQEjw0KeaMgj1hPEY4vz2A4eW0/e1qA7KtQdsxTYAG0H3iG4xyK1Y+xm7XmEPOJZDiENzLi2WZHngeOjj2Pe+sMg4GRYyLAsx7ME4FnsyTD9pr0PEc8zPGRAwKXBkYO PEd96cZRvf11g9MDe7e3R4Z4Q+vyEnn3P4t0XzK/W+ODN5/kPfRLewAJVEQ0AAAAASUVORK5CYII%3D


November 16th, 2009, 04:56
For the most part the shadow services require heavy wrapping, as the manipulation is performed at a low level, such as pointers and require recalculation of the kernel displacement on user memory.. Services of a basic sst actively used both in the form hardkode and dynamically stabilized by calling directly, or retrieving them from room service, with a subsequent call to them. It is native to the system level. Win32k uses work usermode part of a subsystem can not be separated - this callbacks could such mechanisms for the delivery of any events/messages, manipulation handles, etc. Also, use hard-sewn in the code numbers of services, shifts in the structures, constants, and so will lead to incompatibility of code. There are two ways to solve these problems, this tracing and morphing. These are two ways to circumvent the graph to the target location, respectively dynamic and static. The latter is an alternative way. In both cases, processing begins with WinApi. This is a convenient, simple and reliable technique.