 Welcome to BiW Reversing

Using native system calls


Coding
Level : intermediate

OS : windows
Language : ASM

How to use interrupts directly instead of going through the Windows API.

Well, the first thing we need to do is find out how the API works.
In this tutorial we take SetCursorPos() as the example.
First, write a small program that calls SetCursorPos().

 ; the usual MASM32 header (.386, .model flat,stdcall, user32/kernel32 includes) goes above this
 .code
 start:
 invoke SetCursorPos, 100, 100 ;voila!
 invoke ExitProcess, 0
 end start
Now let us debug the program. Run OllyDbg and start debugging the newly built executable. It should look something like this, more or less:

00401000 >/$ 6A 64          PUSH 64                                  ; /Y = 64 (100.)
00401002  |. 6A 64          PUSH 64                                  ; |X = 64 (100.)
00401004  |. E8 07000000    CALL <JMP.&user32.SetCursorPos>          ; \SetCursorPos
00401009  |. 6A 00          PUSH 0                                   ; /ExitCode = 0
0040100B  \. E8 06000000    CALL <JMP.&KERNEL32.ExitProcess>         ; \ExitProcess
00401010   $-FF25 08204000  JMP DWORD PTR DS:[<&user32.SetCursorPos>]   ;  user32.SetCursorPos
00401016   .-FF25 00204000  JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>]  ;  KERNEL32.ExitProcess
OK, trace until you reach the call to SetCursorPos, then trace into it.

77E3577A > 6A 5F            PUSH 5F
77E3577C   FF7424 0C        PUSH DWORD PTR SS:[ESP+C]
77E35780   FF7424 0C        PUSH DWORD PTR SS:[ESP+C]
77E35784   E8 A3EBFDFF      CALL user32.77E1432C
We see that two dwords are pushed. But what is that PUSH 5F? I can only thank _death for reminding me of this one :)
(Hey minos! ;-)
5F is the routine ID for SetCursorPos. I don't think you can find a list of valid IDs somewhere on the net though.

We enter the call to see what's going on :)

77E1432C   B8 3A110000      MOV EAX,113A
77E14331   8D5424 04        LEA EDX,DWORD PTR SS:[ESP+4]
77E14335   CD 2E            INT 2E
77E14337   C2 0C00          RETN 0C
That's it? In your dump window, follow ESP+4 (press Ctrl+G, then type ESP+4). This is how it looks on my machine:

0012FFAC  64 00 00 00 64 00 00 00  d...d...
0012FFB4  5F 00 00 00              _...
That means three dwords: one for the x value, one for the y value, and a third holding the routine ID 5Fh (stored little-endian, hence 5F 00 00 00).

An example of calling a native system call (SetCursorPos()):


 .386
 .model flat, stdcall
 option casemap:none
 include \masm32\include\windows.inc
 include \masm32\include\user32.inc
 include \masm32\include\kernel32.inc
 includelib \masm32\lib\user32.lib
 includelib \masm32\lib\kernel32.lib

 thePos STRUCT
  x dd 0
  y dd 0
  z dd 5Fh              ; routine ID for SetCursorPos (the PUSH 5F seen above)
 thePos ENDS

 .data
 myApp db "BoR0's Native Syscaller",0
 succ  db "Successfully set cursor!", 0
 erro  db "Error while setting cursor!", 0

 mystr thePos <>

 .code
 start:
 mov mystr.y, 300
 mov mystr.x, 300

 mov eax, 113Ah         ; service number, as loaded by the user32 stub
 mov edx, offset mystr  ; EDX -> argument block (x, y, 5Fh)
 int 2Eh                ; enter the kernel directly (Windows 2000)

 .IF eax == 1
  invoke MessageBox, 0, ADDR succ, ADDR myApp, MB_OK+MB_ICONINFORMATION
 .ELSE
  invoke MessageBox, 0, ADDR erro, ADDR myApp, MB_OK+MB_ICONERROR
 .ENDIF

 invoke ExitProcess,0

 end start
From this we see how SetCursorPos works: EAX holds the service number 113Ah, EDX points to the argument block, and INT 2Eh transfers control to the kernel.

The thing I've noticed is that you must have at LEAST one imported pointer to a function in user32.dll for the interrupt to work (it doesn't matter which function).

Q: Why is that?
A: I don't really know, there are some connections with the interrupts and the OS perhaps. Anyway, for our code it will work because MessageBox() is found in user32.dll.

Q: But why user32.dll?
A: Because SetCursorPos() is found there :-)

Q: What are the advantages/disadvantages of using this instead of simply calling SetCursorPos()?
A: A debugger won't break if you set a breakpoint on SetCursorPos().
There are disadvantages as well. The interrupt ID might change in upcoming Windows versions. This one is tested on 2K only, and I've also heard rumours that the ID is not the same on XP.
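As an added example (not part of the tutorial or of any listed tool), here is a small Python scanner that recognises the INT 2Eh stub pattern shown above in raw code bytes and recovers the service number and argument count, plus helpers that build and decode the three-DWORD argument block from the ESP+4 dump. This is the kind of check an analyst runs over a binary to spot direct system calls that sidestep a breakpoint on the exported API; the byte strings are constructed from the tutorial's own listings.

```python
"""Recognise Windows 2000 style INT 2Eh syscall stubs in raw x86 code and
recover the service number and argument block they pass.  Added example,
not code from the tutorial; byte patterns are taken from its listings."""
import re
import struct

# Constructed from the tutorial's user32 listing at 77E1432C:
#   B8 3A 11 00 00   MOV EAX,113A
#   8D 54 24 04      LEA EDX,[ESP+4]
#   CD 2E            INT 2E
#   C2 0C 00         RETN 0C
STUB_113A = bytes.fromhex("B83A110000 8D542404 CD2E C20C00")

# Constructed from the tutorial's dump at ESP+4: x=100, y=100, routine 5Fh
STACK_DUMP = bytes.fromhex("64000000 64000000 5F000000")

# MOV EAX,imm32 ... INT 2E, optionally followed by RETN imm16.  Up to 16
# filler bytes are allowed between the MOV and the INT (the LEA above).
_STUB_RE = re.compile(rb"\xB8(.{4}).{0,16}?\xCD\x2E(?:\xC2(.{2}))?", re.DOTALL)


def find_int2e_stubs(code: bytes) -> list:
    """Return one record per INT 2Eh stub: offset, service number and,
    when a RETN imm16 follows, how many DWORD arguments it cleans up."""
    hits = []
    for m in _STUB_RE.finditer(code):
        rec = {"offset": m.start(), "service": struct.unpack("<I", m.group(1))[0]}
        if m.group(2) is not None:
            rec["arg_dwords"] = struct.unpack("<H", m.group(2))[0] // 4
        hits.append(rec)
    return hits


def pack_two_param_args(x: int, y: int, routine: int = 0x5F) -> bytes:
    """Build the 3-DWORD block the user32 stub passes via EDX:
    x, y and the routine ID (5Fh for SetCursorPos)."""
    return struct.pack("<III", x, y, routine)


def unpack_two_param_args(block: bytes) -> dict:
    """Inverse of pack_two_param_args, for reading a captured stack block."""
    x, y, routine = struct.unpack_from("<III", block)
    return {"x": x, "y": y, "routine": routine}


if __name__ == "__main__":
    for hit in find_int2e_stubs(STUB_113A):
        print(hit)  # {'offset': 0, 'service': 4410, 'arg_dwords': 3}
    print(unpack_two_param_args(STACK_DUMP))
```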

Good luck playing with your functions and native calls! ;)

My thanks goes to: _death, Detten, Zephyrous, cektop, CopyMasta (been a while mate!)

(no) copyright (c) BoR0
April, 2005

Using native system calls | 2 comments
Using native system calls
Authored by: stingduk on Monday, April 04 2005 @ 06:36 PM CEST
Nice tut, BoR0,
but there are certain problems with using the above method.

You have to keep in mind that this may not be compatible between OS versions, as they are not documented and MS reserves the right to change the routines at their will.

For example, the 113A routine is called NtUserCallTwoParam() in W2K while it is NtUserBuildPropList in XP :)

113A  BF92D784  4   NtUserBuildPropList     A0065714  03  NtUserCallTwoParam
Take a look at this site for all the other system services.

Also, if you have WinDbg you can set the symbol path and grab all those symbols from the MS servers.

Look in the OllyDbg forum for configuring and patching OllyDbg to accept those .pdbs :) and you can then find the names of all the calls in OllyDbg itself :)

Look below:

77E385EA USER32.SetCursorPos      PUSH    5F
77E385EC                          PUSH    DWORD PTR SS:[ESP+C]
77E385F0                          PUSH    DWORD PTR SS:[ESP+C]
77E385F4                          CALL    USER32.NtUserCallTwoParam
77E385F9                          RETN    8
77E385FC USER32.GetMenuItemInfoA  PUSH    EBP
Also, if you grab ntuser.h from the DDK you can see that 5F etc. is defined :) or look at the Wine header documentation, like below, for the definitions:
  DWORD Param,
  DWORD Routine);

#define TWOPARAM_ROUTINE_UNKNOWN            0x54
  DWORD Param1,
  DWORD Param2,
  DWORD Routine);
ntuser.h defines google cache
Using native system calls
Authored by: BoR0 on Tuesday, April 05 2005 @ 12:21 PM CEST
Indeed. Well, I told Detten to update this tutorial :)

Advantages: a debugger won't break if you try to set a breakpoint.

Disadvantages: this might not work for other Windows versions, as upcoming versions are changing the interrupts.