Tuesday, January 19, 2010

Windows 7 and XP SP3 system call tables

A short post to let you know that I've uploaded system call tables for Windows Seven SP0 and Windows XP SP3 here:
The Python and C versions can easily be integrated into projects.

The old tables (NT, 2K, XP, etc.) were generated based on the MetaSploit System Call Tables page, so thanks to them for that.

Edit: here's a diff with Vista SP0 (a diff with SP2 would be more valuable, will do eventually):

Syscalls added:
  • NtAllocateReserveObject
  • NtAlpcRevokeSecurityContext
  • NtCreateKeyTransacted
  • NtCreateProfileEx
  • NtCreateUserProcess
  • NtDisableLastKnownGood
  • NtDrawText
  • NtEnableLastKnownGood
  • NtEnumerateTransactionObject
  • NtNotifyChangeSession
  • NtOpenKeyEx
  • NtOpenKeyTransacted
  • NtOpenKeyTransactedEx
  • NtQuerySecurityAttributesToken
  • NtQuerySystemInformationEx
  • NtQueueApcThreadEx
  • NtReplacePartitionUnit
  • NtSerializeBoot
  • NtSetIoCompletionEx
  • NtSetTimerEx
  • NtUmsThreadYield

Syscalls removed:
  • NtPullTransaction
  • NtGetMUILicenseInfo
  • NtClearMUILicenseInfo
  • NtRequestWakeupLatency
  • NtRollbackSavepointTransaction
  • NtClearAllSavepointsTransaction
  • NtClearSavepointTransaction
  • NtRequestDeviceWakeup
  • NtSavepointComplete
  • NtStartTm
  • NtCancelDeviceWakeupRequest
  • NtMarshallTransaction
  • NtListTransactions
  • NtSavepointTransaction
Seems like there's plenty to investigate (NtCreateUserProcess, NtSerializeBoot, NtReplacePartitionUnit, NtQuerySystemInformationEx, NtQueueApcThreadEx, ...).
Posted by at
Labels: ,

1 comment:

t0ka7a said...

salut,
blog sympa... Je l'ai ajouté dans ma blogoliste. Si le mien te convient d'ailleurs: http://infond.blogspot.com
PS: stp, ne valide pas ce commentaire :)
++
t0ka7a

April 21, 2010 at 12:51 AM

Post a Comment

Subscribe to: Post Comments (Atom)