
I am using Pintool to analyze a 32-bit program under Windows, and now I want to capture the system calls generated by the program. I know how to use PIN_AddSyscallEntryFunction() and PIN_GetSyscallNumber() to get the number of the system call, but I don't know how to get the specific name.

For example, I analyzed some system calls triggered by the program using IDA: GetModuleFileNameA, OpenSCManagerA, OpenServiceA, CreateServiceA and so on.

  • You can't do that directly from your pintool; the syscall numbers change (given a specific name) between different releases of Windows. Instead you can easily parse the kernel binary for the variable named `KiServiceTable` (you'll need symbolic information for that; also be wary that at least since Windows 10, the pointers in this table are "compacted" and not direct pointers to functions). Once you have the function pointers, the 1st entry (index 0) will point to a function; get that function's name from symbols. Repeat until the table's end. The index is the syscall number. – Neitsa Jun 08 '23 at 13:46
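The procedure in the comment above (walk `KiServiceTable`, resolve each slot to a symbol, use the index as the syscall number), as an added example that is not part of the question or the comment. The table contents, the symbol addresses and the "compacted entry" layout assumed here (x64 Windows 10 style: low 4 bits hold the stack-argument count, the rest is a signed offset from the table base) are constructed assumptions; in practice both come from the matching ntoskrnl.exe and its PDB, and the resulting map is what a Pintool's syscall-entry callback would consult with the value of `PIN_GetSyscallNumber()`.

```python
"""Build a syscall-number -> Nt* name map from a dumped KiServiceTable plus
symbols, then resolve numbers the way a Pintool syscall-entry callback would.
Constructed sample data; the compacted-entry layout is an assumption."""
import bisect
from typing import Dict, List, Tuple


def decode_entry(table_base: int, raw: int, compacted: bool) -> int:
    """Absolute function address for one KiServiceTable slot."""
    if not compacted:
        return raw                        # older builds: direct pointer
    off = raw & 0xFFFFFFFF
    if off & 0x80000000:                  # entries are 32-bit signed
        off -= 1 << 32
    return table_base + (off >> 4)        # low 4 bits = argument count


def nearest_symbol(symbols: List[Tuple[int, str]], addr: int) -> str:
    """Symbol with the greatest start <= addr (symbols sorted by address)."""
    starts = [a for a, _ in symbols]
    i = bisect.bisect_right(starts, addr) - 1
    return symbols[i][1] if i >= 0 else f"unknown_{addr:#x}"


def build_syscall_map(table_base: int, entries: List[int],
                      symbols: List[Tuple[int, str]],
                      compacted: bool) -> Dict[int, str]:
    """Index in the table == syscall number, as the comment states."""
    symbols = sorted(symbols)
    return {idx: nearest_symbol(symbols, decode_entry(table_base, raw, compacted))
            for idx, raw in enumerate(entries)}


def resolve(syscall_map: Dict[int, str], number: int) -> str:
    """What a PIN_AddSyscallEntryFunction callback would do with the number."""
    return syscall_map.get(number, f"syscall_{number:#x}")


# Constructed sample: made-up table base, symbol addresses and ordering.
TABLE_BASE = 0xFFFFF80000200000
SYMBOLS = [(0xFFFFF80000201000, "NtAccessCheck"),
           (0xFFFFF80000201200, "NtWorkerFactoryWorkerReady"),
           (0xFFFFF80000201480, "NtAcceptConnectPort")]
# Compacted slots: (offset_from_table_base << 4) | stack_arg_count
ENTRIES = [(0x1000 << 4) | 0x8, (0x1200 << 4) | 0x0, (0x1480 << 4) | 0x9]

if __name__ == "__main__":
    names = build_syscall_map(TABLE_BASE, ENTRIES, SYMBOLS, compacted=True)
    for num in (0, 2, 0x1F):              # 0x1F is deliberately absent
        print(f"{num:#x} -> {resolve(names, num)}")
```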
