Syscalls-Extractor
Quick script for automatically extracting syscall numbers for an OS
$ python3 .\syscalls-extractor.py --help
usage: syscalls-extractor.py [-h] [-d PE_DIRECTORY]
Automatically extracts syscall numbers for an OS
optional arguments:
-h, --help show this help message and exit
-d PE_DIRECTORY, --pe-directory PE_DIRECTORY
$ python3 .\syscalls-extractor.py
[*] Printing syscall numbers for ntoskrnl.exe in C:\Windows\System32
[*] 38 (0x26) = ntoskrnl.exe : ZwOpenProcess
[*] 193 (0xc1) = ntoskrnl.exe : ZwCreateThreadEx
[*] 58 (0x3a) = ntoskrnl.exe : ZwWriteVirtualMemory
[*] 24 (0x18) = ntoskrnl.exe : ZwAllocateVirtualMemory
[*] 74 (0x4a) = ntoskrnl.exe : ZwCreateSection
[*] 40 (0x28) = ntoskrnl.exe : ZwMapViewOfSection
[*] 185 (0xb9) = ntoskrnl.exe : ZwCreateProcess
[*] 80 (0x50) = ntoskrnl.exe : ZwProtectVirtualMemory
[+] Done
Adding syscalls
Add to the syscalls dict at the top of the script to add more functions to check for syscalls.
E.g.:
syscalls = {
"ntoskrnl.exe": [
"ZwOpenProcess",
"ZwCreateThreadEx",
"ZwWriteVirtualMemory",
"ZwAllocateVirtualMemory",
"ZwCreateSection",
"ZwMapViewOfSection",
"ZwCreateProcess",
"ZwProtectVirtualMemory"
],
}
Native and debug symbols are checked.
Logic
This works by finding the function, locating the next jmp instruction and confirming that the instruction before hand was a mov eax. If so the value moved into eax is returned as the syscall instruction.
79 Dec 14, 2022
1 Oct 23, 2022
658 Jan 09, 2023
564 Jan 02, 2023
1 Jul 09, 2021
5 Jul 02, 2022
![Risky [ Zero Tow ]](https://avatars.githubusercontent.com/u/76860656?v=4&s=60)
10 Apr 07, 2022
2 Mar 01, 2022
2 Feb 20, 2022
13 Dec 23, 2022
1 Dec 15, 2021
1 Jan 23, 2022
4.1k Jan 02, 2023
2 Jan 21, 2022
17 Oct 12, 2022
6 May 26, 2022
36 Dec 01, 2022
4 Nov 03, 2021
5 Dec 06, 2022
3 Jul 14, 2022