Reviewing what a syscall is

You probably noticed that the name of this site is the opcode for syscall, so it seems fitting for the first post to reference them. Before we can get to the exploitation of syscalls we first need to refresh ourselves on what exactly they are. Underneath the Win32 API, a syscall is the instruction that hands a set of parameters provided by the user-mode program over to the kernel, which performs the requested action and returns the result back to the program.

To explore this further, let's take a standard Win32 API call that a malicious application might use to allocate memory within a process to run shellcode. VirtualAlloc is a Win32 API call used to allocate memory. VirtualAlloc calls the Native API function NtAllocateVirtualMemory, which passes the parameters on and invokes the appropriate Service Syscall Number (SSN). A couple of things to note here:

  • The SSN for a given function can change with both minor and major updates to Windows.
  • Neither the Native API functions nor the syscall numbers are officially documented by Microsoft.
  • Not all Native API functions result in a syscall being made.

To illustrate this process visually, below is a diagram of the Win32 API function VirtualAlloc being called, which results in a call to NtAllocateVirtualMemory and subsequently SSN 18 being moved into eax and the syscall instruction being executed. KiSystemCall64 then runs in the kernel: it saves the user-mode register state and parameters, finds the relevant function in the SSDT and executes it inside the kernel with the correct parameters. Afterwards KiSystemCall64, or another exit mechanism, transfers control back to userland (ring 3).
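To make the stub layout from the diagram concrete, here is an added example (not code from the original post) that decodes the canonical x64 ntdll syscall stub, `mov r10, rcx ; mov eax, <SSN> ; ... ; syscall`, from a byte buffer. It is the kind of byte-level integrity check a defender runs to confirm an Nt* stub still has its expected shape before trusting the SSN read from it. All bytes are constructed inline: the SSN 0x18 is a placeholder standing in for the "18" quoted above, and the real value for NtAllocateVirtualMemory depends on the Windows build. The code never reads a live process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Decoder for the x64 ntdll syscall stub layout described in the post:
 *   4C 8B D1        mov r10, rcx     ; syscall clobbers rcx, so the first arg is saved in r10
 *   B8 nn nn nn nn  mov eax, <SSN>   ; the service number for this Nt* function
 *   ...             build-specific bytes (e.g. a SharedUserData test on Windows 10)
 *   0F 05           syscall
 *   C3              ret
 * The decoder works on a byte buffer only; it never touches a live process.
 */

typedef struct {
    int      canonical;   /* 1 if the prologue has the expected shape and a syscall follows */
    uint32_t ssn;         /* value moved into eax, valid only when canonical == 1 */
    size_t   syscall_off; /* offset of the 0F 05 instruction, valid only when canonical == 1 */
} stub_info_t;

stub_info_t parse_syscall_stub(const uint8_t *stub, size_t len)
{
    stub_info_t info = {0, 0, 0};
    size_t i;

    /* Need at least mov r10,rcx (3 bytes) + mov eax,imm32 (5 bytes) */
    if (len < 8)
        return info;

    /* Prologue must be exactly: mov r10, rcx ; mov eax, imm32 */
    if (!(stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && stub[3] == 0xB8))
        return info;   /* first bytes replaced or unknown layout: not canonical */

    /* imm32 is stored little-endian */
    info.ssn = (uint32_t)stub[4] | ((uint32_t)stub[5] << 8) |
               ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24);

    /* The syscall instruction itself must appear somewhere after the prologue */
    for (i = 8; i + 1 < len; i++) {
        if (stub[i] == 0x0F && stub[i + 1] == 0x05) {
            info.canonical = 1;
            info.syscall_off = i;
            return info;
        }
    }
    return info;   /* no syscall instruction found: not canonical */
}

/* Constructed sample bytes (not dumped from a real ntdll): a clean stub with the
 * placeholder SSN 0x18 and the Windows 10 style SharedUserData test before syscall. */
static const uint8_t kCleanStub[] = {
    0x4C, 0x8B, 0xD1,                               /* mov r10, rcx */
    0xB8, 0x18, 0x00, 0x00, 0x00,                   /* mov eax, 18h (placeholder SSN) */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [7FFE0308h], 1 */
    0x75, 0x03,                                     /* jne +3 (int 2Eh path) */
    0x0F, 0x05,                                     /* syscall */
    0xC3,                                           /* ret */
    0xCD, 0x2E,                                     /* int 2Eh */
    0xC3                                            /* ret */
};

/* Constructed sample of the same stub after its first five bytes were overwritten,
 * so the prologue no longer matches; the integrity check must refuse to read an SSN. */
static const uint8_t kPatchedStub[] = {
    0xE9, 0x00, 0x00, 0x00, 0x00,                   /* jmp rel32 with a dummy target */
    0x00, 0x00, 0x00,                               /* leftover bytes of the old imm32 */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3
};

/* Returns 1 if the integrity check flags the constructed patched stub */
int patched_stub_flagged(void)
{
    return parse_syscall_stub(kPatchedStub, sizeof kPatchedStub).canonical == 0;
}

int main(void)
{
    stub_info_t clean = parse_syscall_stub(kCleanStub, sizeof kCleanStub);
    printf("clean stub: canonical=%d ssn=0x%02X syscall at +%zu\n",
           clean.canonical, clean.ssn, clean.syscall_off);
    printf("patched stub flagged: %d\n", patched_stub_flagged());
    return 0;
}
```

Because the SSN is only read when the prologue is exactly `mov r10, rcx ; mov eax, imm32` and a `syscall` follows, a stub whose first bytes have been replaced yields no number at all rather than a wrong one; on a real system the value should be compared across builds, since the list above notes that SSNs change between Windows updates.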

Looks cool but like why though

If Windows is happy enough to do all the work of calling NtAllocateVirtualMemory and executing the syscall, why can't we just chill and call VirtualAlloc? The answer to that question is hooking.

Now this is going to be a slightly useless detour as I couldn't in fact get Windows Defender to hook anything, but I'll show the process anyway.