3

I am trying to do some reversing to find out a function call behind the scenes.

While debugging using WinDbg I came across a call:

mov     edx,offset SharedUserData!SystemCallStub
call    dword ptr [edx]

The call leads to the code below:

ntdll!KiFastSystemCall:

8bd4        mov     edx,esp
0f34        sysenter

According to this documentation, eax contains the system call ordinal, and the value in eax is 11CC.

I am trying to figure out what this function that will be called actually is. Does anyone have any idea how I can proceed further?

RLT

2 Answers

4

Basically you need a way of dumping the SSDT - on x32 this can be done easily. Probably the easiest way is to look for a utility which would dump the SSDT along with the necessary indexes, and you will see what corresponds to this particular index. Basically eax would store an index in a function table, so the system dispatcher would at some point do call FunctionTable[eax]. An up-to-date listing of call tables can be found here.

LordDoskias
  • Thanks for response. Are you referring to [this](http://undocumented.rawol.com/sbs-w2k-b-kernel-api-functions.pdf)? – RLT Jan 27 '12 at 10:57
  • That's fantastic. But sadly I cannot find entry for 11CC. :( – RLT Jan 27 '12 at 11:17
  • Are you sure you are parsing the value in eax in the correct way? Also - is this 32-bit or 64-bit? Because in 64-bit the dispatch mechanism was changed slightly. E.g. the function table doesn't have indexes to functions but rather offsets from the beginning of the shadow table. In any case I recommend you first read Windows Internals, latest edition, by Mark Russinovich to get a high-level overview of the call dispatching, and then, when armed with the knowledge, delve into the debugger's output – LordDoskias Jan 27 '12 at 11:44
  • I was debugging on XP 32bit. (I was not having any success on win7). I will debug again. – RLT Jan 27 '12 at 11:51
2

The 0x1xxx range is for Win32k syscalls. See here for a list.

Igor Skochinsky
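Both answers come down to the same mechanism: on 32-bit Windows the value in eax at the time of sysenter is not a flat ordinal but a table selector plus an index. KiFastCallEntry takes bits 12-13 (mask 0x3000) as the service table number (0 = the nt table, 1 = the win32k "shadow" table; 2 and 3 are unused) and bits 0-11 (mask 0xFFF) as the index into that table, so 0x11CC selects win32k table entry 0x1CC, which is why it cannot be found in a dump of the nt table alone. The script below is an added example, not code from either answer or from any tool mentioned on the page: it decodes the service number and resolves it against `dps`-style table dumps. The dump text, the table base addresses and the symbol names (`nt!NtAcceptConnectPort` and the `Placeholder` names) are constructed for the example and are not the real XP tables.

```python
import re
from typing import Dict, Tuple

# 32-bit Windows system service number layout as used by KiFastCallEntry:
#   bits 0..11  -> index into the selected service table
#   bits 12..13 -> table number: 0 = nt (KeServiceDescriptorTable),
#                  1 = win32k (second entry of KeServiceDescriptorTableShadow);
#                  2 and 3 are not used
TABLE_MASK = 0x3000
INDEX_MASK = 0x0FFF
TABLE_NAMES = {0: "nt", 1: "win32k"}


def decode_syscall(eax: int) -> Tuple[int, int]:
    """Return (table_number, index) for a 32-bit service number in eax."""
    table = (eax & TABLE_MASK) >> 12
    index = eax & INDEX_MASK
    return table, index


# One `dps` output line: "<slot address>  <target address> <symbol>"
DPS_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")


def parse_dps(dump: str, table_base: int) -> Dict[int, str]:
    """Map service index -> symbol from `dps`-style lines.

    The index is recovered from the slot address relative to the table base,
    so a sparse dump (a single slot dumped with `dps base+4*idx L1`) works as
    well as a full one.
    """
    table: Dict[int, str] = {}
    for line in dump.splitlines():
        m = DPS_LINE.match(line.strip())
        if not m:
            continue  # blank lines, headers, unresolved entries
        slot = int(m.group(1), 16)
        offset = slot - table_base
        if offset < 0 or offset % 4:
            raise ValueError(f"{slot:08x} is not a DWORD slot of the table at {table_base:08x}")
        table[offset // 4] = m.group(3)
    return table


def resolve(eax: int, tables: Dict[int, Dict[int, str]]) -> str:
    """Resolve a service number to a symbol using the loaded table dumps."""
    table_no, index = decode_syscall(eax)
    entries = tables.get(table_no)
    if entries is None:
        return f"table {table_no} ({TABLE_NAMES.get(table_no, '?')}) not loaded"
    return entries.get(index, f"index {index:#x} not present in table {table_no}")


# Constructed sample dumps (hypothetical addresses; win32k names are placeholders).
NT_BASE = 0x80501B8C
NT_DUMP = """\
80501b8c  805a0c40 nt!NtAcceptConnectPort
80501b90  8058e450 nt!NtAccessCheck
80501b94  8058e4e0 nt!NtAccessCheckAndAuditAlarm
"""

WIN32K_BASE = 0xBF997E00
# The third line is a single slot dumped on its own: base + 4*0x1CC = bf998530.
WIN32K_DUMP = """\
bf997e00  bf8345cd win32k!NtGdiPlaceholder0
bf997e04  bf87b412 win32k!NtGdiPlaceholder1
bf998530  bf8a1e00 win32k!NtUserPlaceholder1CC
"""

TABLES = {
    0: parse_dps(NT_DUMP, NT_BASE),
    1: parse_dps(WIN32K_DUMP, WIN32K_BASE),
}

if __name__ == "__main__":
    for eax in (0x11CC, 0x0000, 0x0003, 0x2000):
        table_no, index = decode_syscall(eax)
        print(f"eax={eax:#06x} -> table {table_no} index {index:#05x}: {resolve(eax, TABLES)}")
```

To feed it real data, dump table 0 with `dps nt!KiServiceTable` and table 1 with `dps win32k!W32pServiceTable` in WinDbg (the win32k symbol resolves only while the current process has a session-space view, i.e. from a GUI thread's context), and pass each table's base address to `parse_dps`. The number of valid entries in each table is the `Limit` field of the corresponding service descriptor, so an index beyond it is an invalid service number rather than a missing symbol.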