A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #27108  by vietwow
 Fri Oct 30, 2015 5:25 am
Hi all,

I have used pintool to dump all system calls (APIs) that the program used while running (http://resources.infosecinstitute.com/p ... framework/). The output includes system call numbers like:
Code:
[entry] Syscall Number: 249(4294967295, 8, 2553908)
[exit]  Return: 0
[entry] Syscall Number: 30(92, 1, 2553972)
[exit]  Return: 0
[entry] Syscall Number: 15(2553888, 3, 2001036824)
[exit]  Return: 3221225524
[entry] Syscall Number: 15(2553904, 131097, 2001814104)
[exit]  Return: 3221225524
Now I need to traverse ntdll.dll to get the export names of these APIs, so that I can get the real names for the above syscall IDs. And I found the article http://www.evilsocket.net/2014/02/11/on ... n-methods/ is exactly what I need. Unfortunately,
when I compile it with VS 2010 Ultimate on Windows 7 (SP1, Home Basic) 32-bit, it compiles without error, but it doesn't work when running; it just prints:
Code:
SYSCALL   RVA       NAME
-----------------------------------------------
and nothing more.

I have tried to debug; everything is OK when opening "ntdll.dll", creating the file mapping, mapping the view of the file and checking the (MZ) file header. But (I'm not 100% sure) it seems that the problem occurs when the code goes into:
Code:
    // loop each exported symbol by name
    for( DWORD i = 0; i < pExportDirectory->NumberOfNames; ++i )
    {
     ...
    }
I have attached my compiled binary to this post (rename it to .exe please).

Could anyone help me take a look at this issue? Thank you so much.

Best Regards,
Attachments: (17.5 KiB)
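The post-processing step described above (take the pintool trace, look each syscall number up in a "number<TAB>name" table, and make the return values readable) as an added example; this is not code from the post or from the articles it links. The trace lines are the ones quoted in the post, the three table rows are borrowed from the x64 2012 R2 listing later in this thread only to have realistic input, and the STATUS_NAMES dictionary is a constructed subset. A real table has to be generated on the same Windows build and bitness as the traced process (here 32-bit Windows 7), or the names will be wrong.

```python
import re

# Constructed sample input: the pintool trace lines quoted in the post above.
TRACE = """\
[entry] Syscall Number: 249(4294967295, 8, 2553908)
[exit]  Return: 0
[entry] Syscall Number: 30(92, 1, 2553972)
[exit]  Return: 0
[entry] Syscall Number: 15(2553888, 3, 2001036824)
[exit]  Return: 3221225524
[entry] Syscall Number: 15(2553904, 131097, 2001814104)
[exit]  Return: 3221225524
"""

# Constructed "number<TAB>name" table in the layout the syscall generator
# later in this thread prints.  The rows are lifted from the x64 2012 R2
# listing there purely as sample input: the numbers on the 32-bit Windows 7
# box that produced the trace above are different.
TABLE_TEXT = """\
15\tNtQueryObject
30\tNtImpersonateClientOfPort
249\tNtMakePermanentObject
"""

# Small constructed subset of NTSTATUS codes; anything else is shown as raw hex.
STATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

ENTRY_RE = re.compile(r"\[entry\]\s+Syscall Number:\s+(\d+)\((.*?)\)")
EXIT_RE = re.compile(r"\[exit\]\s+Return:\s+(\d+)")


def parse_trace(text):
    """Pair each [entry] line with the [exit] line that follows it."""
    calls = []
    pending = None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            args = tuple(int(a) for a in m.group(2).split(",") if a.strip())
            pending = {"number": int(m.group(1)), "args": args, "status": None}
            calls.append(pending)
            continue
        m = EXIT_RE.search(line)
        if m and pending is not None:
            # pintool prints the NTSTATUS as an unsigned decimal; keep it as a
            # 32-bit value so it can be compared with the usual hex constants
            pending["status"] = int(m.group(1)) & 0xFFFFFFFF
            pending = None
    return calls


def load_table(text):
    """Parse 'number<TAB>name' rows into {number: name}."""
    table = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and parts[0].strip().isdigit():
            table[int(parts[0])] = parts[1].strip()
    return table


def resolve(number, table):
    return table.get(number, "<unknown %d>" % number)


def describe_status(status):
    if status is None:
        return "<no exit>"
    name = STATUS_NAMES.get(status)
    # NTSTATUS severity lives in the top two bits: 11 = error, 10 = warning.
    sev = "error" if status >= 0xC0000000 else ("warning" if status >= 0x80000000 else "ok")
    return "0x%08X (%s)" % (status, name or sev)


def annotate(calls, table):
    """One readable line per traced call: number, name, args in hex, status."""
    out = []
    for c in calls:
        args = ", ".join("0x%X" % a for a in c["args"])
        out.append("%-4d %-28s (%s) -> %s" % (
            c["number"], resolve(c["number"], table), args, describe_status(c["status"])))
    return out


if __name__ == "__main__":
    for line in annotate(parse_trace(TRACE), load_table(TABLE_TEXT)):
        print(line)
```

Two things the raw trace hides become visible this way: 3221225524 is 0xC0000034, an error-class NTSTATUS, and 4294967295 is 0xFFFFFFFF, the pseudo-handle for the current process, which is easier to spot in hex.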
 #27109  by EP_X0FF
 Fri Oct 30, 2015 5:44 am
I've a strong feeling he copy-pasted Great's syscall generator code.

Which is below
Code:
#include <windows.h>
#include <stdio.h>

/* PRINT_FMT and ARRAY_NAME are used below but are not part of the snippet
   as quoted; these two definitions are assumed so that it compiles and
   prints "number<TAB>name" rows like the listing that follows. */
#ifndef PRINT_FMT
#define PRINT_FMT "%u\t%s\n"
#endif
#ifndef ARRAY_NAME
#define ARRAY_NAME "SdtFunctions"
#endif

void scg(
	void
	)
{
	PIMAGE_DOS_HEADER mz;
	PIMAGE_FILE_HEADER pfh;
	PIMAGE_OPTIONAL_HEADER poh;
	PIMAGE_EXPORT_DIRECTORY pexd;
	PULONG AddressOfFunctions;
	PULONG AddressOfNames;
	PWORD AddressOfNameOrdinals;

	void *base;
	char *name;
	char end_char;
	unsigned int number = 0;
	unsigned int count = 0;
	unsigned int i;
	void *addr;

	//i don't think that someday ssdt will rise to 4097 entries =)
	char *SdtFunctions [0x1000] = {0};

	/* W variant: the module name is a wide literal */
	base = GetModuleHandleW(L"ntdll.dll");
	if (!base) {

		printf_s("ntdll base not found");
		return;
	}

	__try {

		/* walk DOS header -> PE signature -> file header -> optional header */
		*(PBYTE *)&mz = (PBYTE)base;
		*(PBYTE *)&pfh = (PBYTE)base + mz->e_lfanew + sizeof(IMAGE_NT_SIGNATURE);
		*(PIMAGE_FILE_HEADER *)&poh = pfh + 1;
		/* export directory and its three tables are RVAs relative to the image base */
		*(PBYTE *)&pexd = (PBYTE)base + poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
		*(PBYTE *)&AddressOfFunctions = (PBYTE)base + pexd->AddressOfFunctions;
		*(PBYTE *)&AddressOfNames = (PBYTE)base + pexd->AddressOfNames;
		*(PBYTE *)&AddressOfNameOrdinals = (PBYTE)base + pexd->AddressOfNameOrdinals;

		printf_s("\nIndex\tService\n\n");

		for(i = 0; i < pexd->NumberOfNames; i++)	{

			name = ((CHAR *) base + AddressOfNames[i]);
			addr = (PVOID *)((CHAR *)base + AddressOfFunctions[AddressOfNameOrdinals[i]]);

			/* little-endian 16-bit read of "Nt": only Nt* exports are syscall stubs */
			if ( *(USHORT*)name == 'tN' ) {

#ifdef _WIN64
				//this is simple check for "mov eax, index"
				//x64 stubs start with "mov r10, rcx" (3 bytes), so the mov eax is at +3
				if ( *(UCHAR*)((UCHAR*)addr + 3) == 0xB8 ) {

					number = *(ULONG*)((UCHAR*)addr + 4 );
					printf_s(PRINT_FMT, number, name);
					SdtFunctions[count++] = name;
				}
#else
				//x86 stubs begin directly with "mov eax, index" (opcode B8)
				if ( *(UCHAR*)addr == 0xB8 ) {

					number = *(ULONG*)((UCHAR*)addr + 1 );
					printf_s(PRINT_FMT, number, name);
					SdtFunctions[count++] = name;
				}
#endif
			}
		}

		printf_s("\nchar* " ARRAY_NAME " [%d] = {\n", count);

		for (i = 0; i < count; i++) {

			end_char = (i == count - 1 ? ' ' : ',');

			if (SdtFunctions[i] == NULL)
				printf_s(" NULL%c\n", end_char);
			else
				printf_s(" \"%s\"%c\n", SdtFunctions[i], end_char);
		}

		printf_s("};\n\n");

	} __except (EXCEPTION_EXECUTE_HANDLER) {

		printf_s("\n\nexception: %x", GetExceptionCode());
	}
}
Here is output from my x64 2012 R2 (9200).
Code:
1	NtAcceptConnectPort
98	NtAccessCheck
40	NtAccessCheckAndAuditAlarm
99	NtAccessCheckByType
88	NtAccessCheckByTypeAndAuditAlarm
100	NtAccessCheckByTypeResultList
101	NtAccessCheckByTypeResultListAndAuditAlarm
102	NtAccessCheckByTypeResultListAndAuditAlarmByHandle
70	NtAddAtom
103	NtAddAtomEx
104	NtAddBootEntry
105	NtAddDriverEntry
106	NtAdjustGroupsToken
64	NtAdjustPrivilegesToken
107	NtAdjustTokenClaimsAndDeviceGroups
108	NtAlertResumeThread
109	NtAlertThread
110	NtAlertThreadByThreadId
111	NtAllocateLocallyUniqueId
112	NtAllocateReserveObject
113	NtAllocateUserPhysicalPages
114	NtAllocateUuids
23	NtAllocateVirtualMemory
115	NtAlpcAcceptConnectPort
116	NtAlpcCancelMessage
117	NtAlpcConnectPort
118	NtAlpcConnectPortEx
119	NtAlpcCreatePort
120	NtAlpcCreatePortSection
121	NtAlpcCreateResourceReserve
122	NtAlpcCreateSectionView
123	NtAlpcCreateSecurityContext
124	NtAlpcDeletePortSection
125	NtAlpcDeleteResourceReserve
126	NtAlpcDeleteSectionView
127	NtAlpcDeleteSecurityContext
128	NtAlpcDisconnectPort
129	NtAlpcImpersonateClientOfPort
130	NtAlpcOpenSenderProcess
131	NtAlpcOpenSenderThread
132	NtAlpcQueryInformation
133	NtAlpcQueryInformationMessage
134	NtAlpcRevokeSecurityContext
135	NtAlpcSendWaitReceivePort
136	NtAlpcSetInformation
75	NtApphelpCacheControl
137	NtAreMappedFilesTheSame
138	NtAssignProcessToJobObject
139	NtAssociateWaitCompletionPacket
4	NtCallbackReturn
92	NtCancelIoFile
140	NtCancelIoFileEx
141	NtCancelSynchronousIoFile
96	NtCancelTimer
142	NtCancelTimer2
143	NtCancelWaitCompletionPacket
61	NtClearEvent
14	NtClose
58	NtCloseObjectAuditAlarm
144	NtCommitComplete
145	NtCommitEnlistment
146	NtCommitTransaction
147	NtCompactKeys
148	NtCompareTokens
149	NtCompleteConnectPort
150	NtCompressKey
151	NtConnectPort
66	NtContinue
152	NtCreateDebugObject
153	NtCreateDirectoryObject
154	NtCreateDirectoryObjectEx
155	NtCreateEnlistment
71	NtCreateEvent
156	NtCreateEventPair
84	NtCreateFile
157	NtCreateIRTimer
158	NtCreateIoCompletion
159	NtCreateJobObject
160	NtCreateJobSet
28	NtCreateKey
161	NtCreateKeyTransacted
162	NtCreateKeyedEvent
163	NtCreateLowBoxToken
164	NtCreateMailslotFile
165	NtCreateMutant
166	NtCreateNamedPipeFile
167	NtCreatePagingFile
168	NtCreatePort
169	NtCreatePrivateNamespace
170	NtCreateProcess
76	NtCreateProcessEx
171	NtCreateProfile
172	NtCreateProfileEx
173	NtCreateResourceManager
73	NtCreateSection
174	NtCreateSemaphore
175	NtCreateSymbolicLinkObject
77	NtCreateThread
176	NtCreateThreadEx
177	NtCreateTimer
178	NtCreateTimer2
179	NtCreateToken
180	NtCreateTokenEx
181	NtCreateTransaction
182	NtCreateTransactionManager
183	NtCreateUserProcess
184	NtCreateWaitCompletionPacket
185	NtCreateWaitablePort
186	NtCreateWnfStateName
187	NtCreateWorkerFactory
188	NtDebugActiveProcess
189	NtDebugContinue
51	NtDelayExecution
190	NtDeleteAtom
191	NtDeleteBootEntry
192	NtDeleteDriverEntry
193	NtDeleteFile
194	NtDeleteKey
195	NtDeleteObjectAuditAlarm
196	NtDeletePrivateNamespace
197	NtDeleteValueKey
198	NtDeleteWnfStateData
199	NtDeleteWnfStateName
6	NtDeviceIoControlFile
200	NtDisableLastKnownGood
201	NtDisplayString
202	NtDrawText
59	NtDuplicateObject
65	NtDuplicateToken
203	NtEnableLastKnownGood
204	NtEnumerateBootEntries
205	NtEnumerateDriverEntries
49	NtEnumerateKey
206	NtEnumerateSystemEnvironmentValuesEx
207	NtEnumerateTransactionObject
18	NtEnumerateValueKey
208	NtExtendSection
209	NtFilterBootOption
210	NtFilterToken
211	NtFilterTokenEx
19	NtFindAtom
74	NtFlushBuffersFile
212	NtFlushBuffersFileEx
213	NtFlushInstallUILanguage
214	NtFlushInstructionCache
215	NtFlushKey
216	NtFlushProcessWriteBuffers
217	NtFlushVirtualMemory
218	NtFlushWriteBuffer
219	NtFreeUserPhysicalPages
29	NtFreeVirtualMemory
220	NtFreezeRegistry
221	NtFreezeTransactions
56	NtFsControlFile
222	NtGetCachedSigningLevel
223	NtGetCompleteWnfStateSubscription
224	NtGetContextThread
225	NtGetCurrentProcessorNumber
226	NtGetDevicePowerState
227	NtGetMUIRegistryInfo
228	NtGetNextProcess
229	NtGetNextThread
230	NtGetNlsSectionPtr
231	NtGetNotificationResourceManager
232	NtGetWriteWatch
233	NtImpersonateAnonymousToken
30	NtImpersonateClientOfPort
234	NtImpersonateThread
235	NtInitializeNlsFiles
236	NtInitializeRegistry
237	NtInitiatePowerAction
78	NtIsProcessInJob
238	NtIsSystemResumeAutomatic
239	NtIsUILanguageComitted
240	NtListenPort
241	NtLoadDriver
242	NtLoadKey
243	NtLoadKey2
244	NtLoadKeyEx
245	NtLockFile
246	NtLockProductActivationKeys
247	NtLockRegistryKey
248	NtLockVirtualMemory
249	NtMakePermanentObject
250	NtMakeTemporaryObject
251	NtMapCMFModule
252	NtMapUserPhysicalPages
2	NtMapUserPhysicalPagesScatter
39	NtMapViewOfSection
253	NtModifyBootEntry
254	NtModifyDriverEntry
255	NtNotifyChangeDirectoryFile
256	NtNotifyChangeKey
257	NtNotifyChangeMultipleKeys
258	NtNotifyChangeSession
87	NtOpenDirectoryObject
259	NtOpenEnlistment
63	NtOpenEvent
260	NtOpenEventPair
50	NtOpenFile
261	NtOpenIoCompletion
262	NtOpenJobObject
17	NtOpenKey
263	NtOpenKeyEx
264	NtOpenKeyTransacted
265	NtOpenKeyTransactedEx
266	NtOpenKeyedEvent
267	NtOpenMutant
268	NtOpenObjectAuditAlarm
269	NtOpenPrivateNamespace
37	NtOpenProcess
270	NtOpenProcessToken
47	NtOpenProcessTokenEx
271	NtOpenResourceManager
54	NtOpenSection
272	NtOpenSemaphore
273	NtOpenSession
274	NtOpenSymbolicLinkObject
275	NtOpenThread
35	NtOpenThreadToken
46	NtOpenThreadTokenEx
276	NtOpenTimer
277	NtOpenTransaction
278	NtOpenTransactionManager
279	NtPlugPlayControl
94	NtPowerInformation
280	NtPrePrepareComplete
281	NtPrePrepareEnlistment
282	NtPrepareComplete
283	NtPrepareEnlistment
284	NtPrivilegeCheck
285	NtPrivilegeObjectAuditAlarm
286	NtPrivilegedServiceAuditAlarm
287	NtPropagationComplete
288	NtPropagationFailed
79	NtProtectVirtualMemory
289	NtPulseEvent
60	NtQueryAttributesFile
290	NtQueryBootEntryOrder
291	NtQueryBootOptions
292	NtQueryDebugFilterState
20	NtQueryDefaultLocale
67	NtQueryDefaultUILanguage
52	NtQueryDirectoryFile
293	NtQueryDirectoryObject
294	NtQueryDriverEntryOrder
295	NtQueryEaFile
85	NtQueryEvent
296	NtQueryFullAttributesFile
297	NtQueryInformationAtom
298	NtQueryInformationEnlistment
16	NtQueryInformationFile
299	NtQueryInformationJobObject
300	NtQueryInformationPort
24	NtQueryInformationProcess
301	NtQueryInformationResourceManager
36	NtQueryInformationThread
32	NtQueryInformationToken
302	NtQueryInformationTransaction
303	NtQueryInformationTransactionManager
304	NtQueryInformationWorkerFactory
305	NtQueryInstallUILanguage
306	NtQueryIntervalProfile
307	NtQueryIoCompletion
21	NtQueryKey
308	NtQueryLicenseValue
309	NtQueryMultipleValueKey
310	NtQueryMutant
15	NtQueryObject
311	NtQueryOpenSubKeys
312	NtQueryOpenSubKeysEx
48	NtQueryPerformanceCounter
313	NtQueryPortInformationProcess
314	NtQueryQuotaInformationFile
80	NtQuerySection
315	NtQuerySecurityAttributesToken
316	NtQuerySecurityObject
317	NtQuerySemaphore
318	NtQuerySymbolicLinkObject
319	NtQuerySystemEnvironmentValue
320	NtQuerySystemEnvironmentValueEx
53	NtQuerySystemInformation
321	NtQuerySystemInformationEx
55	NtQueryTimer
322	NtQueryTimerResolution
22	NtQueryValueKey
34	NtQueryVirtualMemory
72	NtQueryVolumeInformationFile
323	NtQueryWnfStateData
324	NtQueryWnfStateNameInformation
68	NtQueueApcThread
325	NtQueueApcThreadEx
326	NtRaiseException
327	NtRaiseHardError
5	NtReadFile
45	NtReadFileScatter
328	NtReadOnlyEnlistment
83	NtReadRequestData
62	NtReadVirtualMemory
329	NtRecoverEnlistment
330	NtRecoverResourceManager
331	NtRecoverTransactionManager
332	NtRegisterProtocolAddressInformation
333	NtRegisterThreadTerminatePort
334	NtReleaseKeyedEvent
31	NtReleaseMutant
9	NtReleaseSemaphore
335	NtReleaseWorkerFactoryWorker
8	NtRemoveIoCompletion
336	NtRemoveIoCompletionEx
337	NtRemoveProcessDebug
338	NtRenameKey
339	NtRenameTransactionManager
340	NtReplaceKey
341	NtReplacePartitionUnit
11	NtReplyPort
10	NtReplyWaitReceivePort
42	NtReplyWaitReceivePortEx
342	NtReplyWaitReplyPort
343	NtRequestPort
33	NtRequestWaitReplyPort
344	NtResetEvent
345	NtResetWriteWatch
346	NtRestoreKey
347	NtResumeProcess
81	NtResumeThread
348	NtRollbackComplete
349	NtRollbackEnlistment
350	NtRollbackTransaction
351	NtRollforwardTransactionManager
352	NtSaveKey
353	NtSaveKeyEx
354	NtSaveMergedKeys
355	NtSecureConnectPort
356	NtSerializeBoot
357	NtSetBootEntryOrder
358	NtSetBootOptions
359	NtSetCachedSigningLevel
360	NtSetContextThread
361	NtSetDebugFilterState
362	NtSetDefaultHardErrorPort
363	NtSetDefaultLocale
364	NtSetDefaultUILanguage
365	NtSetDriverEntryOrder
366	NtSetEaFile
13	NtSetEvent
44	NtSetEventBoostPriority
367	NtSetHighEventPair
368	NtSetHighWaitLowEventPair
369	NtSetIRTimer
370	NtSetInformationDebugObject
371	NtSetInformationEnlistment
38	NtSetInformationFile
372	NtSetInformationJobObject
373	NtSetInformationKey
91	NtSetInformationObject
27	NtSetInformationProcess
374	NtSetInformationResourceManager
12	NtSetInformationThread
375	NtSetInformationToken
376	NtSetInformationTransaction
377	NtSetInformationTransactionManager
378	NtSetInformationVirtualMemory
379	NtSetInformationWorkerFactory
380	NtSetIntervalProfile
381	NtSetIoCompletion
382	NtSetIoCompletionEx
383	NtSetLdtEntries
384	NtSetLowEventPair
385	NtSetLowWaitHighEventPair
386	NtSetQuotaInformationFile
387	NtSetSecurityObject
388	NtSetSystemEnvironmentValue
389	NtSetSystemEnvironmentValueEx
390	NtSetSystemInformation
391	NtSetSystemPowerState
392	NtSetSystemTime
393	NtSetThreadExecutionState
97	NtSetTimer
394	NtSetTimer2
395	NtSetTimerEx
396	NtSetTimerResolution
397	NtSetUuidSeed
95	NtSetValueKey
398	NtSetVolumeInformationFile
399	NtSetWnfProcessNotificationEvent
400	NtShutdownSystem
401	NtShutdownWorkerFactory
402	NtSignalAndWaitForSingleObject
403	NtSinglePhaseReject
404	NtStartProfile
405	NtStopProfile
406	NtSubscribeWnfStateChange
407	NtSuspendProcess
408	NtSuspendThread
409	NtSystemDebugControl
410	NtTerminateJobObject
43	NtTerminateProcess
82	NtTerminateThread
411	NtTestAlert
412	NtThawRegistry
413	NtThawTransactions
414	NtTraceControl
93	NtTraceEvent
415	NtTranslateFilePath
416	NtUmsThreadYield
417	NtUnloadDriver
418	NtUnloadKey
419	NtUnloadKey2
420	NtUnloadKeyEx
421	NtUnlockFile
422	NtUnlockVirtualMemory
41	NtUnmapViewOfSection
423	NtUnmapViewOfSectionEx
424	NtUnsubscribeWnfStateChange
425	NtUpdateWnfStateData
426	NtVdmControl
427	NtWaitForAlertByThreadId
428	NtWaitForDebugEvent
429	NtWaitForKeyedEvent
90	NtWaitForMultipleObjects
25	NtWaitForMultipleObjects32
3	NtWaitForSingleObject
430	NtWaitForWorkViaWorkerFactory
431	NtWaitHighEventPair
432	NtWaitLowEventPair
0	NtWorkerFactoryWorkerReady
7	NtWriteFile
26	NtWriteFileGather
86	NtWriteRequestData
57	NtWriteVirtualMemory
69	NtYieldExecution
Note it wasn't designed to work with wow64 ntdll.
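The two byte-level tests that the generator above relies on, the `'tN'` export-name check and the `0xB8` ("mov eax, imm32") stub check with its different offset on x86 and x64, as an added example that is not part of the post or of the original generator. The stub bytes and export names are constructed for the example and are not copied from any real ntdll; `build_table` is a hypothetical helper that applies both checks to a list of (name, first bytes) pairs the way the C loop does.

```python
import struct

# 'tN' in the C code is an MSVC multi-character constant: 't' in the high
# byte, 'N' in the low byte, which is exactly what a little-endian 16-bit
# read of the string "Nt" yields.
NT_PREFIX = (ord("t") << 8) | ord("N")   # 0x744E

# Constructed stub bytes (not copied from any real ntdll):
#   x86: mov eax, 0Fh ; mov edx, 7FFE0300h ; call [edx] ; ret 0Ch
X86_STUB = bytes.fromhex("B8 0F 00 00 00 BA 00 03 FE 7F FF 12 C2 0C 00")
#   x64: mov r10, rcx ; mov eax, 0Fh ; syscall ; ret
X64_STUB = bytes.fromhex("4C 8B D1 B8 0F 00 00 00 0F 05 C3")
#   an ordinary x86 function prolog: mov edi, edi ; push ebp ; mov ebp, esp
PROLOG = bytes.fromhex("8B FF 55 8B EC")


def is_nt_export(name):
    """The C code's *(USHORT*)name == 'tN' test: does the name start with "Nt"?"""
    return len(name) >= 2 and struct.unpack_from("<H", name)[0] == NT_PREFIX


def syscall_number_from_stub(stub, is_x64):
    """Mirror the generator's byte check.  The service index is loaded with
    'mov eax, imm32' (opcode B8).  On x86 that is the first instruction, so
    B8 sits at offset 0 and the imm32 at offset 1.  On x64 the stub starts
    with 'mov r10, rcx' (4C 8B D1), which is why the _WIN64 branch tests
    addr+3 and reads the number from addr+4.
    Returns None when the bytes do not look like a syscall stub."""
    off = 3 if is_x64 else 0
    if len(stub) < off + 5 or stub[off] != 0xB8:
        return None
    return struct.unpack_from("<I", stub, off + 1)[0]


def build_table(exports, is_x64):
    """exports: iterable of (export_name: bytes, first_bytes: bytes).
    Returns {number: name} like the first loop in the C code prints."""
    table = {}
    for name, stub in exports:
        if not is_nt_export(name):
            continue      # Zw* aliases, Rtl* etc. are skipped, as in the C code
        number = syscall_number_from_stub(stub, is_x64)
        if number is not None:
            table[number] = name.decode("ascii")
    return table


# Constructed export lists
EXPORTS_X86 = [
    (b"NtQueryObject", X86_STUB),
    (b"ZwQueryObject", X86_STUB),      # same stub, filtered out by the Nt prefix test
    (b"RtlAllocateHeap", PROLOG),      # ordinary function, no B8 at offset 0
]
EXPORTS_X64 = [(b"NtQueryObject", X64_STUB)]

if __name__ == "__main__":
    print("x86:", build_table(EXPORTS_X86, is_x64=False))
    print("x64:", build_table(EXPORTS_X64, is_x64=True))
    # Applying the x86 rule to x64 stubs finds no B8 at offset 0, so every
    # export is skipped and the table comes out empty: a header with no rows.
    print("x64 stubs, x86 rule:", build_table(EXPORTS_X64, is_x64=False))
```

The last call shows why the offset matters: a decoder that checks the wrong position sees no `0xB8` anywhere, silently skips every export, and prints a header with no rows.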
 #27115  by vietwow
 Fri Oct 30, 2015 5:03 pm
Hi EP_X0FF,

Thank you for your source, but could you please share the full source or tell me where/how the variable "PRINT_FMT" is declared (in the line "printf_s(PRINT_FMT, number, name);")?
Code:
1>c:\users\vietwow\documents\visual studio 2010\projects\extract_api\extract_api\extract_api.cpp(66): error C2065: 'PRINT_FMT' : undeclared identifier
Best Regards,