understanding system call dispatcher for windows?
14-11-2019
Question
I am trying to do some reversing to find out which function call is happening behind the scenes.
While debugging with WinDbg I came across this call:
mov edx,offset SharedUserData!SystemCallStub
call dword ptr [edx]
The call leads to the code below:
ntdll!KiFastSystemCall:
8bd4 mov edx,esp
0f34 sysenter
According to this documentation, eax contains the system call ordinal, and the value in eax is 11CC.
I am trying to figure out what function is actually being called. Does anyone have any idea how I can proceed further?
Solution
Basically you need a way of dumping the SSDT - on x32 this can be done easily. Probably the easiest way is to look for a utility which dumps the SSDT along with the necessary indexes, and you will see what corresponds to this particular index. Basically eax stores an index into a function table, so the system dispatcher would at some point do call FunctionTable[eax]
An up-to-date listing of call tables can be found here
OTHER TIPS
The 0x1xxx range is for Win32k syscalls. See here for a list.
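The dispatch both answers describe (eax as an index into a service table, the 0x1xxx range selecting the Win32k shadow table, and a user-mode stub that loads eax and calls through SharedUserData!SystemCallStub) as an added example, not code from the original question or answers. It decodes an x86 eax value into the table-selector and index bits the way KiFastCallEntry splits them, and recovers an export name from stub bytes the way a user-mode SSDT index dump works. Every export name, number and byte string in SAMPLE_EXPORTS is constructed for illustration; on a real machine the stubs would come from parsing the export table of ntdll.dll or user32.dll.

```python
"""Decode an x86 Windows system call number and map it back to an exported
stub name.  Added example, not from the original post.  The export blobs
below are constructed to mimic the classic x86 stub layout
(mov eax, imm32 / mov edx, 7FFE0300h / call [edx] / ret imm16); they are
not bytes dumped from a real ntdll.dll or user32.dll.
"""
import struct
from typing import Dict, Optional, Tuple

# How KiFastCallEntry (x86) splits EAX:
#   bits 0..11  -> index into the selected service table
#   bits 12..13 -> which table: 0 = KeServiceDescriptorTable (ntoskrnl),
#                               1 = KeServiceDescriptorTableShadow (win32k)
TABLE_NAMES = {
    0: "ntoskrnl (KeServiceDescriptorTable)",
    1: "win32k (KeServiceDescriptorTableShadow)",
}


def decode_syscall(eax: int) -> Tuple[int, int, str]:
    """Return (table, index, table name) for a raw EAX value."""
    table = (eax >> 12) & 0x3
    index = eax & 0xFFF
    return table, index, TABLE_NAMES.get(table, "reserved")


# Stub tails after "mov eax, imm32":
#   "mov edx, 7FFE0300h ; call dword ptr [edx]"  (classic x86 layout), or
#   "call dword ptr ds:[7FFE0300h]"               (calls through the slot directly)
_TAILS = (
    b"\xba\x00\x03\xfe\x7f\xff\x12",
    b"\xff\x15\x00\x03\xfe\x7f",
)


def syscall_number_from_stub(code: bytes) -> Optional[int]:
    """Return the imm32 of a leading 'mov eax, imm32' if the bytes that
    follow dispatch through SharedUserData!SystemCallStub, else None."""
    if len(code) < 5 or code[0] != 0xB8:
        return None
    number = struct.unpack_from("<I", code, 1)[0]
    rest = code[5:]
    if any(rest.startswith(tail) for tail in _TAILS):
        return number
    return None


def build_table(exports: Dict[str, bytes]) -> Dict[int, str]:
    """Map EAX values to export names for every export that is a syscall stub."""
    table: Dict[int, str] = {}
    for name, code in exports.items():
        number = syscall_number_from_stub(code)
        if number is not None:
            table[number] = name
    return table


def resolve(eax: int, exports: Dict[str, bytes]) -> Optional[str]:
    """Name of the export whose stub loads this EAX value, or None."""
    return build_table(exports).get(eax)


def make_stub(number: int, arg_bytes: int) -> bytes:
    """Constructed x86 stub in the classic layout; used only to build sample data."""
    return (b"\xb8" + struct.pack("<I", number)
            + b"\xba\x00\x03\xfe\x7f" + b"\xff\x12"
            + b"\xc2" + struct.pack("<H", arg_bytes))


# Constructed export table: hypothetical names and numbers, not real ones.
SAMPLE_EXPORTS: Dict[str, bytes] = {
    "NtHypotheticalKernelCall": make_stub(0x0042, 8),
    "NtUserHypotheticalCall": make_stub(0x11CC, 12),
    # push ebp / mov ebp, esp / sub esp, 10h: an ordinary function, not a stub
    "NotASyscall": b"\x55\x8b\xec\x83\xec\x10",
}


if __name__ == "__main__":
    table, index, where = decode_syscall(0x11CC)
    print(f"eax=0x11CC -> table {table} ({where}), index 0x{index:03X}")
    print("resolves to:", resolve(0x11CC, SAMPLE_EXPORTS))
```

Two caveats when pointing this at real binaries: the numbers differ between Windows builds, so the stub scan has to run against the DLLs of the exact system being debugged, and a 32-bit process under WOW64 does not go through SharedUserData!SystemCallStub at all (its stubs call through fs:[0C0h] into the WOW64 layer), so the tail patterns above will not match there.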