FS_SysInfo_Syscall
The directory sys/syscall exists as a sub-directory of the file system root.
The directory contains files listing the syscalls of the analyzed system. The files are derived by parsing the System Service Dispatch Table (SSDT).
The files in the sys/syscall directory are listed in the table below:
| File | Description |
|---|---|
| syscall_nt.txt | Syscall table for kernel (ntoskrnl.exe) functionality. |
| syscall_nt_shadow.txt | Syscall shadow table for kernel (ntoskrnl.exe) functionality. |
| syscall_win32k.txt | Syscall table for GDI/GUI (win32k.sys) functionality. |
Files in the sys/syscall directory are read-only.
The files syscall_nt.txt, syscall_nt_shadow.txt and syscall_win32k.txt contain syscall information in the format described below:
```
SYSCALL# TABLE_DATA OFFSET VIRTUAL_ADDRESS TYPE FUNCTION_NAME
=====================================================================
0000 fced6104 +1122d0 fffff8070f1122d0 nt NtAccessCheck
0001 fcf76a00 +11c360 fffff8070f11c360 nt NtWorkerFactoryWorkerReady
0002 02b81c02 +6dce80 fffff8070f6dce80 nt NtAcceptConnectPort
...
14e7 ff9c43a5 +00843a ffff80956fd9843a win32k NtVisualCaptureBits
14e8 ff99d380 +005d38 ffff80956fd95d38 win32k NtUserSetClassLongPtr
14e9 ff99d4a0 +005d4a ffff80956fd95d4a win32k NtUserSetWindowLongPtr
```
TABLE_DATA is the raw entry as stored in the SSDT, and OFFSET is the function's offset from the image base of either ntoskrnl.exe (table nt) or win32k.sys (table win32k).
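As an added example, not part of this wiki page or of the MemProcFS code base, the following Python parses lines in the format above and decodes TABLE_DATA using the x64 SSDT entry encoding (signed 32-bit value: offset from the service table shifted left by 4, low nibble = number of stack arguments). Deriving the service table RVA and the module base from every entry and checking that they agree within a table is a quick consistency check an analyst can run on the exported file; the sample lines are taken from the excerpt above, and the sample text is constructed here.

```python
import re
from typing import NamedTuple

# Sample lines constructed from the syscall_nt.txt / syscall_win32k.txt excerpt above.
SAMPLE = """\
SYSCALL# TABLE_DATA OFFSET VIRTUAL_ADDRESS TYPE FUNCTION_NAME
=====================================================================
0000 fced6104 +1122d0 fffff8070f1122d0 nt NtAccessCheck
0001 fcf76a00 +11c360 fffff8070f11c360 nt NtWorkerFactoryWorkerReady
0002 02b81c02 +6dce80 fffff8070f6dce80 nt NtAcceptConnectPort
...
14e7 ff9c43a5 +00843a ffff80956fd9843a win32k NtVisualCaptureBits
14e8 ff99d380 +005d38 ffff80956fd95d38 win32k NtUserSetClassLongPtr
14e9 ff99d4a0 +005d4a ffff80956fd95d4a win32k NtUserSetWindowLongPtr
"""

LINE_RE = re.compile(
    r"^([0-9a-f]{4})\s+([0-9a-f]{8})\s+\+([0-9a-f]+)\s+([0-9a-f]{16})\s+(\w+)\s+(\S+)$"
)

class Syscall(NamedTuple):
    index: int
    table_data: int
    offset: int      # RVA of the handler inside its module
    va: int          # virtual address of the handler
    table: str       # "nt" or "win32k"
    name: str

def parse(text: str) -> list:
    """Parse the table text; header, ruler and '...' lines do not match and are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            idx, td, off, va, tbl, name = m.groups()
            out.append(Syscall(int(idx, 16), int(td, 16), int(off, 16), int(va, 16), tbl, name))
    return out

def decode_entry(table_data: int) -> tuple:
    """x64 SSDT entry -> (signed offset from the service table, stack-argument count)."""
    signed = table_data - (1 << 32) if table_data & 0x80000000 else table_data
    return signed >> 4, table_data & 0xF   # Python's >> on negatives is arithmetic

def derive_bases(entries: list) -> dict:
    """Per table: the set of service-table RVAs and module bases implied by each entry.
    A consistent export yields exactly one value of each per table."""
    result = {}
    for e in entries:
        rel, _ = decode_entry(e.table_data)
        slot = result.setdefault(e.table, {"table_rva": set(), "module_base": set()})
        slot["table_rva"].add(e.offset - rel)      # where the SSDT itself lives in the module
        slot["module_base"].add(e.va - e.offset)   # VA minus RVA must be the image base
    return result
```

For the excerpt, both nt entries resolve to a single service table RVA and a single image base, which is what an untampered export should look like.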
The example shows the sys/syscall directory with the files syscall_nt.txt and syscall_win32k.txt. The files contain the syscall tables for the kernel syscalls (nt) and the GUI-related syscalls (win32k).
The sys/syscall sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_sys_syscall.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖