Last active
November 23, 2019 18:33
-
-
Save jthuraisamy/79b96ab3f884305038e1afafc31d588a to your computer and use it in GitHub Desktop.
System Call Detection at Runtime (NtCreateFile example)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .code | |
| NtCreateFile PROC | |
| mov rax, gs:[60h] | |
| NtCreateFile_Check_X_X_XXXX: ; Check major version. | |
| cmp dword ptr [rax+118h], 5 | |
| je NtCreateFile_SystemCall_5_X_XXXX | |
| cmp dword ptr [rax+118h], 6 | |
| je NtCreateFile_Check_6_X_XXXX | |
| cmp dword ptr [rax+118h], 10 | |
| je NtCreateFile_Check_10_0_XXXX | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. | |
| cmp dword ptr [rax+11ch], 0 | |
| je NtCreateFile_Check_6_0_XXXX | |
| cmp dword ptr [rax+11ch], 1 | |
| je NtCreateFile_Check_6_1_XXXX | |
| cmp dword ptr [rax+11ch], 2 | |
| je NtCreateFile_SystemCall_6_2_XXXX | |
| cmp dword ptr [rax+11ch], 3 | |
| jge NtCreateFile_SystemCall_6_3_XXXX | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_6_0_XXXX: ; Check build number for Windows Vista. | |
| cmp dword ptr [rax+120h], 6000 | |
| je NtCreateFile_SystemCall_6_0_6000 | |
| cmp dword ptr [rax+120h], 6001 | |
| je NtCreateFile_SystemCall_6_0_6001 | |
| cmp dword ptr [rax+120h], 6002 | |
| jge NtCreateFile_SystemCall_6_0_6002 | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_6_1_XXXX: ; Check build number for Windows 7. | |
| cmp dword ptr [rax+120h], 7600 | |
| je NtCreateFile_SystemCall_6_1_7600 | |
| cmp dword ptr [rax+120h], 7601 | |
| jge NtCreateFile_SystemCall_6_1_7601 | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_Check_10_0_XXXX: ; Check build number for Windows 10. | |
| cmp dword ptr [rax+120h], 10240 | |
| je NtCreateFile_SystemCall_10_0_10240 | |
| cmp dword ptr [rax+120h], 10586 | |
| je NtCreateFile_SystemCall_10_0_10586 | |
| cmp dword ptr [rax+120h], 14393 | |
| je NtCreateFile_SystemCall_10_0_14393 | |
| cmp dword ptr [rax+120h], 15063 | |
| je NtCreateFile_SystemCall_10_0_15063 | |
| cmp dword ptr [rax+120h], 16299 | |
| je NtCreateFile_SystemCall_10_0_16299 | |
| cmp dword ptr [rax+120h], 17134 | |
| je NtCreateFile_SystemCall_10_0_17134 | |
| cmp dword ptr [rax+120h], 17763 | |
| je NtCreateFile_SystemCall_10_0_17763 | |
| cmp dword ptr [rax+120h], 18362 | |
| jge NtCreateFile_SystemCall_10_0_18362 | |
| jmp NtCreateFile_SystemCall_Unknown | |
| NtCreateFile_SystemCall_5_X_XXXX: ; Windows XP SPX / Server 2003 SPX | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_0_6000: ; Windows Vista SP0 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_0_6001: ; Windows Vista SP1 / Server 2008 SP0 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_0_6002: ; Windows Vista SP2 / Server 2008 SP2 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_1_7600: ; Windows 7 SP0 / Server 2008 R2 SP0 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_1_7601: ; Windows 7 SP1 / Server 2008 R2 SP1 | |
| mov eax, 0052h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_2_XXXX: ; Windows 8.0 / Server 2012 | |
| mov eax, 0053h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_6_3_XXXX: ; Windows 8.1 / Server 2012 R2 | |
| mov eax, 0054h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) | |
| mov eax, 0055h | |
| jmp NtCreateFile_Epilogue | |
| NtCreateFile_SystemCall_Unknown: ; Unknown/unsupported version | |
| ret | |
| NtCreateFile_Epilogue: | |
| mov r10, rcx | |
| syscall | |
| ret | |
| NtCreateFile ENDP | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment