[X360 Reversing] Chapter 7: Setting up Syscall Table
Setting up Syscall table
Syscalls are the mechanism unprivileged code (such as the Kernel) uses to request services from privileged code (the HyperVisor).
HV is the most privileged code running on your system: it manages memory access, encryption and low-level security.
Unprivileged code invokes a syscall by writing the number of the required syscall into r0 (from 0x00 to 0xDEPENDS_ON_KERNEL) and executing the sc instruction.
sc raises an exception that is caught and moves execution to 0xc00. At that address sits the syscall dispatcher, which, after checking that r0 is valid, looks up the effective address of the required syscall in the syscall table and jumps to it.
The syscall table start address is a dword located at 0x48 (in the HV header), so to get the address of a syscall implementation you have to look at
sctable_start_address + (syscall number * 4)
The syscall table is a simple list of sequential 32-bit addresses, ordered by syscall number (ascending).
This is the sctable for HV 12625. As you can see, syscall #0 is at 0x1F20, syscall #1 at 0x8B4, and so on.
[Image: syscall.png (syscall table for HV 12625)]
In newer kernels syscall addressing changes a bit: for some syscalls the address in the table doesn't lead to the syscall implementation but to a code snippet that dynamically computes the "real" address.
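As an added example (not part of the original post), here is a small Python lookup that applies the rule above to a constructed HV image: the header dword at 0x48 is read as the table start, and the entry for syscall n is taken from sctable_start + n * 4. Dwords are read big-endian since the 360 is PowerPC; the table location (0x100), the syscall count and the handler addresses for #2 and #3 are assumptions, while #0 and #1 match the HV 12625 figure.

```python
import struct

# Constructed sample HV image, NOT a real Xbox 360 hypervisor dump.
SCTABLE_PTR_OFFSET = 0x48   # from the post: table start pointer in the HV header
SCTABLE_START = 0x100       # assumed location of the table in this sample image
# Handler addresses for syscall #0..#3 (#0/#1 from the HV 12625 figure, rest assumed)
SAMPLE_HANDLERS = [0x1F20, 0x8B4, 0x2000, 0x2448]


def build_sample_image() -> bytes:
    """Assemble the constructed image: header pointer + sequential 32-bit entries."""
    img = bytearray(0x200)
    struct.pack_into(">I", img, SCTABLE_PTR_OFFSET, SCTABLE_START)
    for n, addr in enumerate(SAMPLE_HANDLERS):
        struct.pack_into(">I", img, SCTABLE_START + n * 4, addr)
    return bytes(img)


def sctable_start(hv: bytes) -> int:
    """Read the syscall-table start address from the HV header (dword at 0x48)."""
    return struct.unpack_from(">I", hv, SCTABLE_PTR_OFFSET)[0]


def is_valid_syscall(number: int, count: int) -> bool:
    """The r0 check the dispatcher at 0xc00 performs: number must be below the
    kernel-dependent syscall count (supplied by the analyst here)."""
    return 0 <= number < count


def syscall_address(hv: bytes, number: int, count: int) -> int:
    """Return the table entry for `number`: sctable_start + number * 4."""
    if not is_valid_syscall(number, count):
        raise ValueError(f"syscall 0x{number:x} out of range (max 0x{count - 1:x})")
    entry = sctable_start(hv) + number * 4
    if entry + 4 > len(hv):
        raise ValueError("syscall table entry lies outside the image")
    return struct.unpack_from(">I", hv, entry)[0]


def dump_sctable(hv: bytes, count: int) -> list:
    """List (number, address) pairs in ascending syscall order."""
    return [(n, syscall_address(hv, n, count)) for n in range(count)]


if __name__ == "__main__":
    image = build_sample_image()
    for n, addr in dump_sctable(image, len(SAMPLE_HANDLERS)):
        print(f"syscall #{n}: 0x{addr:X}")
```

On a newer kernel an entry may hold the address of a stub rather than the handler itself, so the value returned here is the table contents, not necessarily the final implementation.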
Credits:
xeBuild Team
Free60
RGLoader
Last edited by DrSchottky; 26-10-2015 at 12:23