Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can I access Windows Kernel system calls directly?

Tags:

c++

c

windows

system-calls

windows-kernel

I have been doing research into Windows internals, and have just recently learned about system calls and I am wondering if it is possible to use these system calls like functions? I understand they aren't really meant to be accessed externally.

For instance: NtUserEmptyClipboard is a system call in Win32k.sys, and it's address is 0x117f

If I wanted to use this call like a function, how could I do so?

like image 834
user1632018 Avatar asked Jan 11 '23 06:01

user1632018

2 Answers

What you want to do depends heavily on the architecture you're interested, but the thing to know is, that ntdll.dll is the user-mode trampoline for every syscall - i.e. the only one who actually makes syscalls at the end of the day is ntdll.

So, let's disassemble one of these methods in WinDbg, by opening up any old exe (I picked notepad). First, use x ntdll!* to find the symbols exported by ntdll:

0:000> x ntdll!*
00007ff9`ed1aec20 ntdll!RtlpMuiRegCreateLanguageList (void)
00007ff9`ed1cf194 ntdll!EtwDeliverDataBlock (void)
00007ff9`ed20fed0 ntdll!shortsort_s (void)
00007ff9`ed22abbf ntdll!RtlUnicodeStringToOemString$fin$0 (void)
00007ff9`ed1e9af0 ntdll!LdrpAllocateDataTableEntry (void)
...

So, let's pick one at random, NtReadFile looks neato. Let's disassemble it:

0:000> uf ntdll!NtReadFile

ntdll!NtReadFile:
00007ff9`ed21abe0 4c8bd1          mov     r10,rcx
00007ff9`ed21abe3 b805000000      mov     eax,5
00007ff9`ed21abe8 0f05            syscall
00007ff9`ed21abea c3              ret

Here, we see that we stuff away rcx, put the syscall number into eax, then call the syscall instruction. Every syscall has a number that is assigned arbitrarily by Windows (i.e. this number is a secret handshake between ntdll and the kernel, and changes whenever Microsoft wants)

None of these instructions are "magic", you could execute them in your app directly too (but there's no practical reason to do so, of course - just for funsies)

like image 123
Ana Betts Avatar answered Jan 21 '23 03:01

Ana Betts

EmptyClipboard is one of so-called "Win32 API" and NtUserEmptyClipboard is a corresponding "native API".

  • http://en.wikipedia.org/wiki/Native_API

Unlike Linux syscall(2), we are rarely supposed to directly call "native API". I heard they are in ntdll.dll rather than win32k.sys. But we should be able to invoke them just like normal functions defined in a normal DLL.

  • Is there any way to call the Windows Native API functions from the user mode?
like image 33
nodakai Avatar answered Jan 21 '23 03:01

nodakai
Sign in to Comment

Related questions

Mixing constructors with fixed parameters and constructors with constructor templates
why are the addresses of these variables printing as ab@ and b@?
Thread synchronization with mixed C and C++
Extern declaration on an extern "C" global variable
compiler error expected nested-name specifier
QSharedPointer from a raw pointer
Declaration of variables within a loop
Correct usage of atomics
Cmake CHECK_INCLUDE_FILES not finding header file
C++ string equivalent for strrchr
C++ index into string map without allocation
UnicodeString compatibility issue
why cppcheck say "Function parameter should be passed by reference"?
Difference between “static const”, “#define”, and “enum” in performance and memory usage aspects
Why Non-Unicode apps system locale makes Unicode fonts with symbol charset displayed incorrectly?
How malloc allocates memory less than 4KB?
Why can two implicit conversions exist that differ only by return constness?
Qt Creator - Code is running but I get an error message from the IDE
SIGFPE Shenanigans
Correct answer for "Jumping into C++" chapter 13, quiz 3?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!