Thread: Question to Trace-Log

  1. #1
    squareD
    Guest

    Question to Trace-Log

    What does this mean in a Trace-Log?

    "KiFastSystemCallR"

    I don't know what there happens...

    Regards,
    squareD

  2. #2
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,524
    Blog Entries
    15

    Question to Trace-Log

    KiFastSystemCall is used to enter the Executive (also called kernel or ring 0,
    or in other words ntoskrnl.exe) to run code that is privileged and not accessible by user mode code.
    For example, you code CreateFileA(blah blah blah),
    which in turn calls CreateFileW; CreateFileW, after some initialization,
    ends in ntoskrnl via ntdll.dll with a system call using KiFastSystemCall.
    In earlier processors and OS it was using an interrupt (aka int 2e, the system services interrupt); newer processors have eliminated some overheads
    and improved performance is obtained by using KiFastSystemCall.

    If you meant you want to trace inside this call using OllyDbg,
    you can't do it because Olly is not a kernel debugger but an application debugger that runs in normal ring 3 privilege.

    You would need a kernel debugger (WinDbg's kdb or SoftICE, for example)
    to trace through those calls.

    In the trace log, if you see that then it means a system call was executed.

    Now if you are not interested in system calls but user mode code only,
    you can set up a breakpoint on the system call's return and do
    Ctrl+F11 or Ctrl+F12 again once the breakpoint is hit.
    If it was recovering from an exception it would use ZwContinue
    in ntdll; you can find the return address from the context structure that was passed to that call and break there.

  3. #3
    squareD
    Guest

    Question to Trace-Log

    OK, I understood that...

    It would only be helpful if Olly would indicate which system call was executed.

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,524
    Blog Entries
    15

    Question to Trace-Log

    Well, system calls are not standard throughout the different versions of
    operating systems.
    Those are normally numbers which the system identifies as a specific function via a table that it holds (trap gate, interrupt gate, gdtr, ldtr, blah
    and all such exotic undocumented or poorly documented structures),
    and it would probably be a useless overhead coding identifiers into user mode code, maybe, which would obviously be of no use to normal
    debugging.

    For example, a system call to ZwCreateFile() in ntdll may look like this:
    mov eax,0x## <-- the system service number
    mov R32, the copy of params on stack
    mov edx,0x7fffe000+304
    call edx <-- which would enter system through KiFastCall

    0x7ffe0000 is called KuserSharedpage

    Now if you are persistent you can find all those call numbers
    from a variety of sources.
    One good debugger combination could be using WinDbg and LiveKd from Sysinternals, or maybe using local debugging in WinDbg
    if you are on XP SP2 and > OS like W2K3,

    and getting it to spit out those call addresses via
    x Nt!C* etc
    or loading the kdex2x86 extensions and doing strct! blah

    Or look for papers by skape, spoonm etc on the subject.
    The Metasploit project has a pretty good reference on all those system calls,
    and they have documented all those system calls along with their
    respective numbers and prototypes of the calls and parameters
    right from NT to W2K3.

    Probably you could write a plugin to label them inside OllyDbg,
    or maybe make a complete ntdll.arg file and make Olly recognize all those calls along with their parameters ?? Just like it recognizes MessageBoxA(). How's that for a suggestion ??
    Hopefully you could accept those suggestions and produce
    something in return for all of those who use Olly in future.
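As an added example (not from the posts above and not part of OllyDbg), here is a small decoder for the stub shape the reply describes: given the bytes of an ntdll Nt*/Zw* stub it recovers the system service number, whether the kernel is entered through KiFastSystemCall (via the pointer at 0x7FFE0300 in the shared user page) or the older int 2Eh, and the argument count from the trailing ret imm16. The sample stubs are constructed, not dumped from a real ntdll, and the decoder accepts both call edx and call dword ptr [edx].

```python
import struct

# Pointer in KUSER_SHARED_DATA (mapped at 0x7FFE0000 in every process) that
# XP-era ntdll stubs load into EDX; it holds the address of KiFastSystemCall.
KUSER_SYSTEMCALL_PTR = 0x7FFE0300

def decode_syscall_stub(code: bytes) -> dict:
    """Decode an XP/2000-style ntdll Nt*/Zw* stub.

    Returns the system service number (SSN), how the kernel is entered
    ('KiFastSystemCall' or 'int 2Eh') and the argument count implied by
    the trailing `ret imm16`. Raises ValueError on an unknown shape.
    """
    pos = 0
    if code[pos] != 0xB8:                       # mov eax, imm32 (the SSN)
        raise ValueError("expected mov eax, imm32")
    ssn = struct.unpack_from("<I", code, pos + 1)[0]
    pos += 5
    if code[pos] == 0xBA:                       # mov edx, imm32
        target = struct.unpack_from("<I", code, pos + 1)[0]
        if target != KUSER_SYSTEMCALL_PTR:
            raise ValueError(f"unexpected edx target {target:#x}")
        pos += 5
        if code[pos:pos + 2] not in (b"\xff\x12", b"\xff\xd2"):  # call [edx] / call edx
            raise ValueError("expected call through edx")
        pos += 2
        entry = "KiFastSystemCall"
    elif code[pos:pos + 4] == b"\x8d\x54\x24\x04":  # lea edx, [esp+4]
        pos += 4
        if code[pos:pos + 2] != b"\xcd\x2e":     # int 2Eh (NT4/2000 style)
            raise ValueError("expected int 2Eh")
        pos += 2
        entry = "int 2Eh"
    else:
        raise ValueError("unknown stub shape")
    if code[pos] != 0xC2:                       # ret imm16 (stdcall cleanup)
        raise ValueError("expected ret imm16")
    stack_bytes = struct.unpack_from("<H", code, pos + 1)[0]
    return {"ssn": ssn, "entry": entry, "args": stack_bytes // 4}

# Constructed sample stubs (not dumped from a real ntdll), laid out like
# NtCreateFile with 11 DWORD arguments -> ret 2Ch. SSNs are illustrative.
XP_STUB = bytes.fromhex("b825000000" "ba0003fe7f" "ff12" "c22c00")
W2K_STUB = bytes.fromhex("b820000000" "8d542404" "cd2e" "c22c00")

if __name__ == "__main__":
    for name, stub in (("xp", XP_STUB), ("w2k", W2K_STUB)):
        print(name, decode_syscall_stub(stub))
```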
