Tools and PoCs for Windows syscall investigation.
This tool is to dump Windows syscall from ntdll.dll or win32u.dll:
C:\Tools>SyscallDumper.exe
SyscallDumper - Tool to dump syscall.
Usage: SyscallDumper.exe [Options] [INPUT_DLL_1] [INPUT_DLL_2]
-h, --help : Displays this help message.
-d, --dump : Flag to dump syscall from ntdll.dll or win32u.dll.
-D, --diff : Flag to take diff between 2 dlls.
-f, --filter : Specifies search filter (e.g. "-f createfile").
-o, --output : Specifies output file (e.g. "-o result.txt").
INPUT_DLL_1 : Specifies path of ntdll.dll or win32u.dll. Older one in diffing.
INPUT_DLL_2 : Specifies path of ntdll.dll or win32u.dll. Newer one in diffing.
[!] Should be specified -d or -D option.
To dump syscall numbers from ntdll.dll or win32u.dll, use -d
(--dump
) option.
If you don't specifies source DLL, this tool dumps syscall numbers from C:\Windows\System32\ntdll.dll
and C:\Windows\System32\win32u.dll
:
C:\Tools>SyscallDumper.exe -d
[*] No target is specified.
[>] Dumping from system default ntdll.dll and win32u.dll.
[>] Loading C:\Windows\System32\ntdll.dll.
[+] C:\Windows\System32\ntdll.dll is loaded successfully.
|-> Architecture : x64
|-> Image Name : ntdll.dll
[+] Got 463 syscall(s).
[>] Loading C:\Windows\System32\win32u.dll.
[+] C:\Windows\System32\win32u.dll is loaded successfully.
|-> Architecture : x64
|-> Image Name : win32u.dll
[+] Got 1258 syscall(s).
[Syscall Table from C:\Windows\System32\ntdll.dll]
---------------------------------------------------------------------------------
| Syscall Name | Number | Number (hex) |
---------------------------------------------------------------------------------
| NtAcceptConnectPort | 2 | 0x0002 |
| NtAccessCheck | 0 | 0x0000 |
--snip--
| NtWriteVirtualMemory | 58 | 0x003A |
| NtYieldExecution | 70 | 0x0046 |
---------------------------------------------------------------------------------
[*] Found 463 syscall(s).
[Syscall Table from C:\Windows\System32\win32u.dll]
-----------------------------------------------------------------------------------
| Syscall Name | Number | Number (hex) |
-----------------------------------------------------------------------------------
| NtBindCompositionSurface | 4373 | 0x1115 |
| NtCloseCompositionInputSink | 4374 | 0x1116 |
--snip--
| NtValidateCompositionSurfaceHandle | 5350 | 0x14E6 |
| NtVisualCaptureBits | 5351 | 0x14E7 |
-----------------------------------------------------------------------------------
[*] Found 1258 syscall(s).
If you want to filter syscall name from dump result, use -f
(--filter
) option.
And you can save result to a file with -o
(--output
) option as follows:
C:\Tools>SyscallDumper.exe -d C:\SyscallSamples\1809x64\ntdll.dll -f token -o result.txt
[>] Loading C:\SyscallSamples\1809x64\ntdll.dll.
[+] C:\SyscallSamples\1809x64\ntdll.dll is loaded successfully.
|-> Architecture : x64
|-> Image Name : ntdll.dll
[+] Got 462 syscall(s).
[>] Trying to save results.
|-> Output File Path : c:\Tools\result.txt
[+] Results are saved successfully.
c:\Tools>type result.txt
[Syscall Table from C:\SyscallSamples\1809x64\ntdll.dll]
--------------------------------------------------------------
| Syscall Name | Number | Number (hex) |
--------------------------------------------------------------
| NtAdjustGroupsToken | 107 | 0x006B |
| NtAdjustPrivilegesToken | 65 | 0x0041 |
| NtAdjustTokenClaimsAndDeviceGroups | 108 | 0x006C |
| NtCompareTokens | 155 | 0x009B |
| NtCreateLowBoxToken | 172 | 0x00AC |
| NtCreateToken | 191 | 0x00BF |
| NtCreateTokenEx | 192 | 0x00C0 |
| NtDuplicateToken | 66 | 0x0042 |
| NtFilterToken | 222 | 0x00DE |
| NtFilterTokenEx | 223 | 0x00DF |
| NtImpersonateAnonymousToken | 246 | 0x00F6 |
| NtOpenProcessToken | 290 | 0x0122 |
| NtOpenProcessTokenEx | 48 | 0x0030 |
| NtOpenThreadToken | 36 | 0x0024 |
| NtOpenThreadTokenEx | 47 | 0x002F |
| NtQueryInformationToken | 33 | 0x0021 |
| NtQuerySecurityAttributesToken | 339 | 0x0153 |
| NtSetInformationToken | 404 | 0x0194 |
--------------------------------------------------------------
[*] Found 18 syscall(s).
[*] Filter String : "token"
To take difference between 2 DLL's syscall tables, use -D
(--diff
) option as follows:
C:\Tools>SyscallDumper.exe -D C:\SyscallSamples\1809x64\ntdll.dll C:\SyscallSamples\1903x64\ntdll.dll
[>] Trying to take diff.
|-> Old File : C:\SyscallSamples\1809x64\ntdll.dll
|-> New File : C:\SyscallSamples\1903x64\ntdll.dll
[>] Loading C:\SyscallSamples\1809x64\ntdll.dll.
[+] C:\SyscallSamples\1809x64\ntdll.dll is loaded successfully.
|-> Architecture : x64
|-> Image Name : ntdll.dll
[+] Got 462 syscall(s).
[>] Loading C:\SyscallSamples\1903x64\ntdll.dll.
[+] C:\SyscallSamples\1903x64\ntdll.dll is loaded successfully.
|-> Architecture : x64
|-> Image Name : ntdll.dll
[+] Got 463 syscall(s).
################################################
# MODIFIED SYSCALLS #
################################################
----------------------------------------------------------------
| Syscall Name | Number | Number (hex) |
----------------------------------------------------------------
| NtCreateDebugObject | 161 | 0x00A1 |
| NtCreateDirectoryObject | 162 | 0x00A2 |
--snip--
| NtWaitHighEventPair | 462 | 0x01CE |
| NtWaitLowEventPair | 463 | 0x01CF |
----------------------------------------------------------------
[*] Modified 303 syscall(s).
################################################
# NEW SYSCALLS #
################################################
------------------------------------------------
| Syscall Name | Number | Number (hex) |
------------------------------------------------
| NtCreateCrossVmEvent | 160 | 0x00A0 |
------------------------------------------------
[*] Added 1 syscall(s).
The purpose of this project is to investigate how attackers resolve and execute Windows syscall.
All PoCs are list kernel modules by NtQuerySystemInformation
syscall.
PoC Name | Description |
---|---|
PhysicalResolvePoC | This PoC simply resolves the syscall numbers of NtQuerySystemInformation from C:\Windows\System32\ntdll.dll . |
HellsGatePoC | This PoC resolves the syscall numbers of NtQuerySystemInformation by the Hell's Gate technique. |
HalosGatePoC | This PoC resolves the syscall numbers of NtQuerySystemInformation by the Halo's Gate technique. |
Thanks for your research and blog posts:
-
Paul Laîné (@am0nsec)
-
smelly__vx (@RtlMateusz)
-
reenz0h (@sektor7net)
-
Jack Halon (@jack_halon)