


title: "Syscall64" description: "Doing direct syscalls on all platforms" date: 2019-11-10T00:00:00+01:00

draft: false

A slightly hacky way (using C macros) to make direct syscalls on either x86 or x64 Windows, without any code change.

http://vcs.wacked.codes/wacked/syscall64

Use with this:

;http://blogs.msdn.com/b/oldnewthing/archive/2004/01/14/58579.aspx
; fasm (Intel syntax) source. Emitted as a 32-bit MS COFF object so a 32-bit
; build can link it; the 64-bit half of the file (X64_START) is reached at run
; time through a far call from _syscall64, not by building a 64-bit object.
format ms coff

; NOTE(review): absolute include path - adjust to the local fasm install.
include 'u:\fasm\INCLUDE\win32wx.inc'
; Exported entry point. The leading underscore is 32-bit cdecl name decoration;
; the C-level signature is inferred from the stack layout in _syscall64
; (int cnt, int id, ... ) - confirm against the C macro wrapper that calls it.
public _syscall64
section '.text' code readable executable

; Converts the arguments and then executes SYSCALL
; 1. Param: Count of args to pass to syscall
; 2. Param: Syscall id
; 3. - X. Param: Params for syscall
;-----------------------------------------------------------------------
; int _syscall64(int cnt, int id, ...)            (cdecl: caller pops args)
; ABI:   32-bit MS cdecl on entry; the kernel is entered from X64_START
;        using the x64 SYSCALL register convention.
; In:    [esp+0x04] cnt    number of 32-bit params that follow
;        [esp+0x08] id     syscall number, loaded into eax before SYSCALL
;        [esp+0x0C] params cnt dwords, each zero-extended to a qword below
; Out:   eax = low 32 bits of rax as left by SYSCALL (presumably NTSTATUS)
; Saves: edi, ebx, ebp (edx is saved as well, although cdecl treats it as
;        scratch)
; Clobb: eax, ecx, flags. The 64-bit-only registers written in X64_START
;        (rcx, rdx, r8-r11) are not visible to the 32-bit caller.
; Notes: - cnt is trusted. It is clamped to >= 4 only for the stack
;          allocation; the copy loop uses the raw value, so a negative cnt
;          would run the loop off the end of the stack. The wrapper must
;          pass the exact count.
;        - The id is whatever the caller supplies; NT syscall numbers
;          differ between Windows builds, so the id must match the running
;          build or a different service is invoked.
;        - Detection note: ntdll is bypassed, so user-mode instrumentation
;          does not observe this call; only kernel-side telemetry can.
;-----------------------------------------------------------------------
_syscall64:
        ; Those registers are pushed here so that the LEAVE instr cleans up the converted params without me needing to
        ; calc how much space those needed. Seriously what's 4*3 again?
        push edi
        push ebx
        push edx ; used by the x64 code

        push ebp
        mov ebp, esp
        ; Frame after the four pushes (offsets from ebp):
        ;   +0x00 saved ebp   +0x04 edx   +0x08 ebx   +0x0C edi
        ;   +0x10 return addr +0x14 cnt   +0x18 id    +0x1C params...
        ; which is where the "4*3 + ..." offsets below come from
        ; (3 saved regs between ebp and the return address).

        ; Alloc space for params
        mov ecx, [ebp + 4*3 + 0x08] ; cnt
        cmp ecx, 4 ; Reserve shadow space
        jge @f                      ; signed compare: a negative cnt also lands on 4
        mov ecx, 4
@@:
        shl ecx, 3                  ; 8 bytes per converted param
        sub esp, ecx

        and esp, 0xFFFFFFF0 ; Align stack

        ; Convert params to x64
        ; Each 32-bit param becomes a little-endian qword (value, then 0).
        ; stosd relies on DF being clear so edi advances - the usual ABI
        ; state at a call boundary, but not checked here.
        mov edi, esp ; Destination
        mov ecx, [ebp + 4*3 + 0x08] ; Count (raw value, not the clamped one)
        lea ebx, [ebp + 4*3 + 0x10] ; Source for params
CONVERT_PARAMS_LOOP:
        test ecx, ecx
        je @f

        mov eax, [ebx]
        stosd ; [edi] = eax (low dword); edi += 4
        mov eax, 0
        stosd ; [edi] = 0 (high dword); edi += 4
        add ebx, 4 ; srcPtr++
        dec ecx    ; cnt--
        jmp CONVERT_PARAMS_LOOP

@@:
        ;mov eax, [ebp + 4*3 + 0x0C] ; Get syscall id
        ; Far call: pushes CS and EIP (two dwords), loads CS with selector
        ; 0x33 (the 64-bit code segment of a WoW64 process) and lands in
        ; X64_START, which loads the id itself. Those 8 pushed bytes occupy
        ; the slot just below the converted params, so on the 64-bit side
        ; the first param is at [rsp+8].
        call 0x33:X64_START
X86_RETURN_FROM_X64:
        leave                       ; esp = ebp; pop ebp: frees the converted params
        pop edx
        pop ebx
        pop edi
        ret                         ; cdecl: caller removes cnt, id and params
                        
;align 16
;-----------------------------------------------------------------------
; X64_START - 64-bit half of _syscall64. Entered through the far call in
; _syscall64, so the CPU executes this in 64-bit mode although the process
; is 32-bit.
; Expects: ebp = _syscall64's frame pointer (syscall id at [ebp+0x18])
;          rsp -> far-call return (EIP, CS: 8 bytes); converted params above
; Leaves:  rax = SYSCALL result; rcx and r11 are clobbered by SYSCALL itself
;-----------------------------------------------------------------------
X64_START:
use64
        ; 32-bit address size on purpose: the upper half of rbp is not
        ; architecturally guaranteed after the mode switch, and the 32-bit
        ; stack is addressable with 32 bits anyway.
        mov eax, dword [ebp + 0x18] ; Get syscall id (ebp + 3 saved regs + ret addr + cnt)
        ; Get args from shadow space
        ; First four converted params are the qwords at rsp+8 .. rsp+0x20;
        ; rsp+0 holds the far-call return pushed by _syscall64.
        mov rcx, [rsp + 8]
        mov rdx , [rsp + 0x10]
        mov r8, [rsp + 0x18]
        mov r9, [rsp + 0x20]

        ; The kernel takes arg1 from r10 because SYSCALL overwrites rcx with RIP.
        mov     r10,rcx
        ; NOTE(review): params 5 and up are presumably read by the kernel from
        ; [rsp+0x28] onward, which is where the copy loop left them - confirm.
        syscall
use32
        ; Still in 64-bit mode here: 'use32' only changes the encoding.
        ; retf (0CBh, 32-bit operand size by default in 64-bit mode) pops EIP
        ; and CS pushed by the far call and resumes at X86_RETURN_FROM_X64.
        retf