Open mewmew opened 4 years ago
`7FFE0300h` is supposed to point to `SharedUserData!SystemCallStub`.

From http://www.nynaeve.net/?p=131:

```
0:000> u ntdll!NtClose
ntdll!ZwClose:
mov eax,30h
mov edx,offset SharedUserData!SystemCallStub
call dword ptr [edx]
ret 4
```

Edit: another link on the topic, `SystemCallStub` is removed in Windows 8 it seems: https://www.malwaretech.com/2015/07/windows-10-system-call-stub-changes.html
To enable analysis of samples using `user32.dll`, support for `KiFastSystemCall` of `ntdll` is needed in `binee`.

Roughly, this is what happens when a program invokes a function of `user32.dll`, say `ShowCursor(FALSE)`.

1. `ShowCursor` of `user32.dll`: the `ShowCursor` function of `user32.dll` pushes a simple call routine ID (e.g. the ID of `ShowCursor` is `0x40` on XP) and the argument of `ShowCursor`, and then invokes `NtUserCallOneParam`.
2. The `NtUserCallOneParam` function assigns arguments to the corresponding registers and invokes `KiFastSystemCall` of `ntdll` through an indirect call to `0x7FFE0300` (i.e. `mov edx, 7FFE0300h; call dword ptr [edx]`).
3. The `KiFastSystemCall` function of `ntdll` assigns arguments to the corresponding registers and performs a call to `sysenter`.
4. `user32.dll` as indicated by the given ID.

Using `binee` to analyze a simple program using `ShowCursor` currently results in a premature abort of the analysis, as `binee` cannot resolve the indirect call to `0x7ffe0300` (which should resolve to `KiFastSystemCall` of `ntdll`).

A minimal test case is provided below.
Contents of `c.asm`:

Build instructions:

`c.exe` attachment: c.tar.gz

User code:

`ShowCursor` of `user32.dll` as presented in IDA:

Code of `NtUserCallOneParam` as presented in IDA:

Code of `KiFastSystemCall` as presented in IDA:

References:
Edit: a related but orthogonal issue to this would be that an error should be reported by `binee` to indicate premature abort of analysis, so the analyst can make an informed decision as to how to proceed (and not be under the false pretense that analysis completed successfully).
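An added example (not code from binee or from this issue, written in Go as that is binee's own language) of the setup the issue describes: it maps the `KUSER_SHARED_DATA` page, stores the `KiFastSystemCall` pointer in the `SystemCallStub` slot at `0x7FFE0300`, and resolves `call dword ptr [edx]` through it, reporting an explicit error rather than aborting when the slot is unmapped or null. The `Memory` page map and the `0x7C90E4F0` address used for `ntdll!KiFastSystemCall` are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	sharedUserData   = 0x7FFE0000 // 32-bit KUSER_SHARED_DATA page (from the issue)
	systemCallStub   = 0x7FFE0300 // SharedUserData!SystemCallStub slot (from the issue)
	kiFastSystemCall = 0x7C90E4F0 // constructed ntdll!KiFastSystemCall address
)

// Memory is a minimal 4 KiB page map standing in for the emulator's address space.
type Memory map[uint32][]byte

// slot returns the 4 bytes backing a dword at addr, or an error if unmapped.
func (m Memory) slot(addr uint32) ([]byte, error) {
	p, ok := m[addr&^0xFFF]
	if !ok || addr&0xFFF > 0xFFC {
		return nil, fmt.Errorf("unmapped dword access at %#x", addr)
	}
	return p[addr&0xFFF : addr&0xFFF+4], nil
}

// InstallSystemCallStub maps KUSER_SHARED_DATA and points SystemCallStub at
// ntdll!KiFastSystemCall, so `mov edx, 7FFE0300h; call dword ptr [edx]` resolves.
func InstallSystemCallStub(m Memory, stub uint32) error {
	m[sharedUserData] = make([]byte, 0x1000)
	b, err := m.slot(systemCallStub)
	if err != nil {
		return err
	}
	binary.LittleEndian.PutUint32(b, stub)
	return nil
}

// ResolveIndirectCall emulates `call dword ptr [edx]`, returning the target or
// an explicit error (unmapped slot, null pointer) instead of silently aborting.
func ResolveIndirectCall(m Memory, edx uint32) (uint32, error) {
	b, err := m.slot(edx)
	if err != nil {
		return 0, fmt.Errorf("cannot resolve indirect call via [%#x]: %w", edx, err)
	}
	target := binary.LittleEndian.Uint32(b)
	if target == 0 {
		return 0, fmt.Errorf("indirect call via [%#x] targets null", edx)
	}
	return target, nil
}
```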