/AtomicSyscall

Tools and PoCs for Windows syscall investigation.

Primary LanguageC#BSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

AtomicSyscall

Tools and PoCs for Windows syscall investigation.

Table Of Contents

SyscallDumper

Back to Top

Project

This tool is to dump Windows syscall from ntdll.dll or win32u.dll:

C:\Tools>SyscallDumper.exe


SyscallDumper - Tool to dump syscall.

Usage: SyscallDumper.exe [Options] [INPUT_DLL_1] [INPUT_DLL_2]

        -h, --help   : Displays this help message.
        -d, --dump   : Flag to dump syscall from ntdll.dll or win32u.dll.
        -D, --diff   : Flag to take diff between 2 dlls.
        -f, --filter : Specifies search filter (e.g. "-f createfile").
        -o, --output : Specifies output file (e.g. "-o result.txt").
        INPUT_DLL_1  : Specifies path of ntdll.dll or win32u.dll. Older one in diffing.
        INPUT_DLL_2  : Specifies path of ntdll.dll or win32u.dll. Newer one in diffing.


[!] Should be specified -d or -D option.

To dump syscall numbers from ntdll.dll or win32u.dll, use -d (--dump) option. If you don't specifies source DLL, this tool dumps syscall numbers from C:\Windows\System32\ntdll.dll and C:\Windows\System32\win32u.dll:

C:\Tools>SyscallDumper.exe -d

[*] No target is specified.
[>] Dumping from system default ntdll.dll and win32u.dll.
[>] Loading C:\Windows\System32\ntdll.dll.
[+] C:\Windows\System32\ntdll.dll is loaded successfully.
    |-> Architecture : x64
    |-> Image Name   : ntdll.dll
[+] Got 463 syscall(s).
[>] Loading C:\Windows\System32\win32u.dll.
[+] C:\Windows\System32\win32u.dll is loaded successfully.
    |-> Architecture : x64
    |-> Image Name   : win32u.dll
[+] Got 1258 syscall(s).

[Syscall Table from C:\Windows\System32\ntdll.dll]

---------------------------------------------------------------------------------
| Syscall Name                                          | Number | Number (hex) |
---------------------------------------------------------------------------------
| NtAcceptConnectPort                                   | 2      | 0x0002       |
| NtAccessCheck                                         | 0      | 0x0000       |

--snip--

| NtWriteVirtualMemory                                  | 58     | 0x003A       |
| NtYieldExecution                                      | 70     | 0x0046       |
---------------------------------------------------------------------------------

[*] Found 463 syscall(s).


[Syscall Table from C:\Windows\System32\win32u.dll]

-----------------------------------------------------------------------------------
| Syscall Name                                            | Number | Number (hex) |
-----------------------------------------------------------------------------------
| NtBindCompositionSurface                                | 4373   | 0x1115       |
| NtCloseCompositionInputSink                             | 4374   | 0x1116       |

--snip--

| NtValidateCompositionSurfaceHandle                      | 5350   | 0x14E6       |
| NtVisualCaptureBits                                     | 5351   | 0x14E7       |
-----------------------------------------------------------------------------------

[*] Found 1258 syscall(s).

If you want to filter syscall name from dump result, use -f (--filter) option. And you can save result to a file with -o (--output) option as follows:

C:\Tools>SyscallDumper.exe -d C:\SyscallSamples\1809x64\ntdll.dll -f token -o result.txt

[>] Loading C:\SyscallSamples\1809x64\ntdll.dll.
[+] C:\SyscallSamples\1809x64\ntdll.dll is loaded successfully.
    |-> Architecture : x64
    |-> Image Name   : ntdll.dll
[+] Got 462 syscall(s).
[>] Trying to save results.
    |-> Output File Path : c:\Tools\result.txt
[+] Results are saved successfully.

c:\Tools>type result.txt
[Syscall Table from C:\SyscallSamples\1809x64\ntdll.dll]

--------------------------------------------------------------
| Syscall Name                       | Number | Number (hex) |
--------------------------------------------------------------
| NtAdjustGroupsToken                | 107    | 0x006B       |
| NtAdjustPrivilegesToken            | 65     | 0x0041       |
| NtAdjustTokenClaimsAndDeviceGroups | 108    | 0x006C       |
| NtCompareTokens                    | 155    | 0x009B       |
| NtCreateLowBoxToken                | 172    | 0x00AC       |
| NtCreateToken                      | 191    | 0x00BF       |
| NtCreateTokenEx                    | 192    | 0x00C0       |
| NtDuplicateToken                   | 66     | 0x0042       |
| NtFilterToken                      | 222    | 0x00DE       |
| NtFilterTokenEx                    | 223    | 0x00DF       |
| NtImpersonateAnonymousToken        | 246    | 0x00F6       |
| NtOpenProcessToken                 | 290    | 0x0122       |
| NtOpenProcessTokenEx               | 48     | 0x0030       |
| NtOpenThreadToken                  | 36     | 0x0024       |
| NtOpenThreadTokenEx                | 47     | 0x002F       |
| NtQueryInformationToken            | 33     | 0x0021       |
| NtQuerySecurityAttributesToken     | 339    | 0x0153       |
| NtSetInformationToken              | 404    | 0x0194       |
--------------------------------------------------------------

[*] Found 18 syscall(s).
[*] Filter String : "token"

To take difference between 2 DLL's syscall tables, use -D (--diff) option as follows:

C:\Tools>SyscallDumper.exe -D C:\SyscallSamples\1809x64\ntdll.dll C:\SyscallSamples\1903x64\ntdll.dll

[>] Trying to take diff.
    |-> Old File : C:\SyscallSamples\1809x64\ntdll.dll
    |-> New File : C:\SyscallSamples\1903x64\ntdll.dll
[>] Loading C:\SyscallSamples\1809x64\ntdll.dll.
[+] C:\SyscallSamples\1809x64\ntdll.dll is loaded successfully.
    |-> Architecture : x64
    |-> Image Name   : ntdll.dll
[+] Got 462 syscall(s).
[>] Loading C:\SyscallSamples\1903x64\ntdll.dll.
[+] C:\SyscallSamples\1903x64\ntdll.dll is loaded successfully.
    |-> Architecture : x64
    |-> Image Name   : ntdll.dll
[+] Got 463 syscall(s).

################################################
#               MODIFIED SYSCALLS              #
################################################

----------------------------------------------------------------
| Syscall Name                         | Number | Number (hex) |
----------------------------------------------------------------
| NtCreateDebugObject                  | 161    | 0x00A1       |
| NtCreateDirectoryObject              | 162    | 0x00A2       |

--snip--

| NtWaitHighEventPair                  | 462    | 0x01CE       |
| NtWaitLowEventPair                   | 463    | 0x01CF       |
----------------------------------------------------------------

[*] Modified 303 syscall(s).


################################################
#                 NEW SYSCALLS                 #
################################################

------------------------------------------------
| Syscall Name         | Number | Number (hex) |
------------------------------------------------
| NtCreateCrossVmEvent | 160    | 0x00A0       |
------------------------------------------------

[*] Added 1 syscall(s).

SyscallPoCs

Back to Top

Project

The purpose of this project is to investigate how attackers resolve and execute Windows syscall. All PoCs are list kernel modules by NtQuerySystemInformation syscall.

PoC Name Description
PhysicalResolvePoC This PoC simply resolves the syscall numbers of NtQuerySystemInformation from C:\Windows\System32\ntdll.dll.
HellsGatePoC This PoC resolves the syscall numbers of NtQuerySystemInformation by the Hell's Gate technique.
HalosGatePoC This PoC resolves the syscall numbers of NtQuerySystemInformation by the Halo's Gate technique.

Reference

Back to Top

Fundamentals

Hell's Gate

Halo's Gate

Acknowledgments

Back to Top

Thanks for your research and blog posts: