kohnakagawa · May 18, 2020 06:30
diff --git a/syscall_number_mapper.py b/syscall_number_mapper.py
 from binaryninja import *

 log_to_stderr(1)

 def get_syscall_no(zwf):
    for b in zwf.basic_blocks:
        for i in b.get_disassembly_text():
            if str(i).startswith("syscall"):
                eax = zwf.get_reg_value_at(i.address, "eax")
                if eax.type == RegisterValueType.ConstantValue:
                    return eax.value
                else:
                    raise Exception("couldn't determine syscall number.")

    raise Exception("syscall not found")

 log_info("[*] loading ntdll.dll...")
 ntdll = BinaryViewType['PE'].open("C:\\Windows\\System32\\ntdll.dll")

 log_info("[*] analyzing ntdll.dll...")
 ntdll.update_analysis_and_wait()

 ZwFunctions = (
    function for function in ntdll.functions if function.name.startswith("Zw"))

 log_info("[*] mapping syscall numbers..")

 for f in ZwFunctions:
    log_info("- now processing: %s" % (f.name))
    try:
        syscallno = get_syscall_no(f)
    except Exception as e:
        log_error(str(e))

    print("%s\t%s" % (f.name, str(syscallno)))
diff --git a/syscall_numbers.tsv b/syscall_numbers.tsv
	from binaryninja import *

	log_to_stderr(1)

	def get_syscall_no(zwf):
	for b in zwf.basic_blocks:
	for i in b.get_disassembly_text():
	if str(i).startswith("syscall"):
	eax = zwf.get_reg_value_at(i.address, "eax")
	if eax.type == RegisterValueType.ConstantValue:
	return eax.value
	else:
	raise Exception("couldn't determine syscall number.")

	raise Exception("syscall not found")

	log_info("[*] loading ntdll.dll...")
	ntdll = BinaryViewType['PE'].open("C:\\Windows\\System32\\ntdll.dll")

	log_info("[*] analyzing ntdll.dll...")
	ntdll.update_analysis_and_wait()

	ZwFunctions = (
	function for function in ntdll.functions if function.name.startswith("Zw"))

	log_info("[*] mapping syscall numbers..")

	for f in ZwFunctions:
	log_info("- now processing: %s" % (f.name))
	try:
	syscallno = get_syscall_no(f)
	except Exception as e:
	log_error(str(e))

	print("%s\t%s" % (f.name, str(syscallno)))
	ZwAccessCheck	0
	ZwWorkerFactoryWorkerReady	1
	ZwAcceptConnectPort	2
	ZwMapUserPhysicalPagesScatter	3
	ZwWaitForSingleObject	4
	ZwCallbackReturn	5
	ZwReadFile	6
	ZwDeviceIoControlFile	7
	ZwWriteFile	8
	ZwRemoveIoCompletion	9
	ZwReleaseSemaphore	10
	ZwReplyWaitReceivePort	11
	ZwReplyPort	12
	ZwSetInformationThread	13
	ZwSetEvent	14
	ZwClose	15
	ZwQueryObject	16
	ZwQueryInformationFile	17
	ZwOpenKey	18
	ZwEnumerateValueKey	19
	ZwFindAtom	20
	ZwQueryDefaultLocale	21
	ZwQueryKey	22
	ZwQueryValueKey	23
	ZwAllocateVirtualMemory	24
	ZwQueryInformationProcess	25
	ZwWaitForMultipleObjects32	26
	ZwWriteFileGather	27
	ZwSetInformationProcess	28
	ZwCreateKey	29
	ZwFreeVirtualMemory	30
	ZwImpersonateClientOfPort	31
	ZwReleaseMutant	32
	ZwQueryInformationToken	33
	ZwRequestWaitReplyPort	34
	ZwQueryVirtualMemory	35
	ZwOpenThreadToken	36
	ZwQueryInformationThread	37
	ZwOpenProcess	38
	ZwSetInformationFile	39
	ZwMapViewOfSection	40
	ZwAccessCheckAndAuditAlarm	41
	ZwUnmapViewOfSection	42
	ZwReplyWaitReceivePortEx	43
	ZwTerminateProcess	44
	ZwSetEventBoostPriority	45
	ZwReadFileScatter	46
	ZwOpenThreadTokenEx	47
	ZwOpenProcessTokenEx	48
	ZwQueryPerformanceCounter	49
	ZwEnumerateKey	50
	ZwOpenFile	51
	ZwDelayExecution	52
	ZwQueryDirectoryFile	53
	ZwQuerySystemInformation	54
	ZwOpenSection	55
	ZwQueryTimer	56
	ZwFsControlFile	57
	ZwWriteVirtualMemory	58
	ZwCloseObjectAuditAlarm	59
	ZwDuplicateObject	60
	ZwQueryAttributesFile	61
	ZwClearEvent	62
	ZwReadVirtualMemory	63
	ZwOpenEvent	64
	ZwAdjustPrivilegesToken	65
	ZwDuplicateToken	66
	ZwContinue	67
	ZwQueryDefaultUILanguage	68
	ZwQueueApcThread	69
	ZwYieldExecution	70
	ZwAddAtom	71
	ZwCreateEvent	72
	ZwQueryVolumeInformationFile	73
	ZwCreateSection	74
	ZwFlushBuffersFile	75
	ZwApphelpCacheControl	76
	ZwCreateProcessEx	77
	ZwCreateThread	78
	ZwIsProcessInJob	79
	ZwProtectVirtualMemory	80
	ZwQuerySection	81
	ZwResumeThread	82
	ZwTerminateThread	83
	ZwReadRequestData	84
	ZwCreateFile	85
	ZwQueryEvent	86
	ZwWriteRequestData	87
	ZwOpenDirectoryObject	88
	ZwAccessCheckByTypeAndAuditAlarm	89
	ZwQuerySystemTime	89
	ZwWaitForMultipleObjects	91
	ZwSetInformationObject	92
	ZwCancelIoFile	93
	ZwTraceEvent	94
	ZwPowerInformation	95
	ZwSetValueKey	96
	ZwCancelTimer	97
	ZwSetTimer	98
	ZwAccessCheckByType	99
	ZwAccessCheckByTypeResultList	100
	ZwAccessCheckByTypeResultListAndAuditAlarm	101
	ZwAccessCheckByTypeResultListAndAuditAlarmByHandle	102
	ZwAcquireProcessActivityReference	103
	ZwAddAtomEx	104
	ZwAddBootEntry	105
	ZwAddDriverEntry	106
	ZwAdjustGroupsToken	107
	ZwAdjustTokenClaimsAndDeviceGroups	108
	ZwAlertResumeThread	109
	ZwAlertThread	110
	ZwAlertThreadByThreadId	111
	ZwAllocateLocallyUniqueId	112
	ZwAllocateReserveObject	113
	ZwAllocateUserPhysicalPages	114
	ZwAllocateUuids	115
	ZwAllocateVirtualMemoryEx	116
	ZwAlpcAcceptConnectPort	117
	ZwAlpcCancelMessage	118
	ZwAlpcConnectPort	119
	ZwAlpcConnectPortEx	120
	ZwAlpcCreatePort	121
	ZwAlpcCreatePortSection	122
	ZwAlpcCreateResourceReserve	123
	ZwAlpcCreateSectionView	124
	ZwAlpcCreateSecurityContext	125
	ZwAlpcDeletePortSection	126
	ZwAlpcDeleteResourceReserve	127
	ZwAlpcDeleteSectionView	128
	ZwAlpcDeleteSecurityContext	129
	ZwAlpcDisconnectPort	130
	ZwAlpcImpersonateClientContainerOfPort	131
	ZwAlpcImpersonateClientOfPort	132
	ZwAlpcOpenSenderProcess	133
	ZwAlpcOpenSenderThread	134
	ZwAlpcQueryInformation	135
	ZwAlpcQueryInformationMessage	136
	ZwAlpcRevokeSecurityContext	137
	ZwAlpcSendWaitReceivePort	138
	ZwAlpcSetInformation	139
	ZwAreMappedFilesTheSame	140
	ZwAssignProcessToJobObject	141
	ZwAssociateWaitCompletionPacket	142
	ZwCallEnclave	143
	ZwCancelIoFileEx	144
	ZwCancelSynchronousIoFile	145
	ZwCancelTimer2	146
	ZwCancelWaitCompletionPacket	147
	ZwCommitComplete	148
	ZwCommitEnlistment	149
	ZwCommitRegistryTransaction	150
	ZwCommitTransaction	151
	ZwCompactKeys	152
	ZwCompareObjects	153
	ZwCompareSigningLevels	154
	ZwCompareTokens	155
	ZwCompleteConnectPort	156
	ZwCompressKey	157
	ZwConnectPort	158
	ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter	159
	ZwCreateDebugObject	160
	ZwCreateDirectoryObject	161
	ZwCreateDirectoryObjectEx	162
	ZwCreateEnclave	163
	ZwCreateEnlistment	164
	ZwCreateEventPair	165
	ZwCreateIRTimer	166
	ZwCreateIoCompletion	167
	ZwCreateJobObject	168
	ZwCreateJobSet	169
	ZwCreateKeyTransacted	170
	ZwCreateKeyedEvent	171
	ZwCreateLowBoxToken	172
	ZwCreateMailslotFile	173
	ZwCreateMutant	174
	ZwCreateNamedPipeFile	175
	ZwCreatePagingFile	176
	ZwCreatePartition	177
	ZwCreatePort	178
	ZwCreatePrivateNamespace	179
	ZwCreateProcess	180
	ZwCreateProfile	181
	ZwCreateProfileEx	182
	ZwCreateRegistryTransaction	183
	ZwCreateResourceManager	184
	ZwCreateSectionEx	185
	ZwCreateSemaphore	186
	ZwCreateSymbolicLinkObject	187
	ZwCreateThreadEx	188
	ZwCreateTimer	189
	ZwCreateTimer2	190
	ZwCreateToken	191
	ZwCreateTokenEx	192
	ZwCreateTransaction	193
	ZwCreateTransactionManager	194
	ZwCreateUserProcess	195
	ZwCreateWaitCompletionPacket	196
	ZwCreateWaitablePort	197
	ZwCreateWnfStateName	198
	ZwCreateWorkerFactory	199
	ZwDebugActiveProcess	200
	ZwDebugContinue	201
	ZwDeleteAtom	202
	ZwDeleteBootEntry	203
	ZwDeleteDriverEntry	204
	ZwDeleteFile	205
	ZwDeleteKey	206
	ZwDeleteObjectAuditAlarm	207
	ZwDeletePrivateNamespace	208
	ZwDeleteValueKey	209
	ZwDeleteWnfStateData	210
	ZwDeleteWnfStateName	211
	ZwDisableLastKnownGood	212
	ZwDisplayString	213
	ZwDrawText	214
	ZwEnableLastKnownGood	215
	ZwEnumerateBootEntries	216
	ZwEnumerateDriverEntries	217
	ZwEnumerateSystemEnvironmentValuesEx	218
	ZwEnumerateTransactionObject	219
	ZwExtendSection	220
	ZwFilterBootOption	221
	ZwFilterToken	222
	ZwFilterTokenEx	223
	ZwFlushBuffersFileEx	224
	ZwFlushInstallUILanguage	225
	ZwFlushInstructionCache	226
	ZwFlushKey	227
	ZwFlushProcessWriteBuffers	228
	ZwFlushVirtualMemory	229
	ZwFlushWriteBuffer	230
	ZwFreeUserPhysicalPages	231
	ZwFreezeRegistry	232
	ZwFreezeTransactions	233
	ZwGetCachedSigningLevel	234
	ZwGetCompleteWnfStateSubscription	235
	ZwGetContextThread	236
	ZwGetCurrentProcessorNumber	237
	ZwGetCurrentProcessorNumberEx	238
	ZwGetDevicePowerState	239
	ZwGetMUIRegistryInfo	240
	ZwGetNextProcess	241
	ZwGetNextThread	242
	ZwGetNlsSectionPtr	243
	ZwGetNotificationResourceManager	244
	ZwGetWriteWatch	245
	ZwImpersonateAnonymousToken	246
	ZwImpersonateThread	247
	ZwInitializeEnclave	248
	ZwInitializeNlsFiles	249
	ZwInitializeRegistry	250
	ZwInitiatePowerAction	251
	ZwIsSystemResumeAutomatic	252
	ZwIsUILanguageComitted	253
	ZwListenPort	254
	ZwLoadDriver	255
	ZwLoadEnclaveData	256
	ZwLoadKey	257
	ZwLoadKey2	258
	ZwLoadKeyEx	259
	ZwLockFile	260
	ZwLockProductActivationKeys	261
	ZwLockRegistryKey	262
	ZwLockVirtualMemory	263
	ZwMakePermanentObject	264
	ZwMakeTemporaryObject	265
	ZwManageHotPatch	266
	ZwManagePartition	267
	ZwMapCMFModule	268
	ZwMapUserPhysicalPages	269
	ZwMapViewOfSectionEx	270
	ZwModifyBootEntry	271
	ZwModifyDriverEntry	272
	ZwNotifyChangeDirectoryFile	273
	ZwNotifyChangeDirectoryFileEx	274
	ZwNotifyChangeKey	275
	ZwNotifyChangeMultipleKeys	276
	ZwNotifyChangeSession	277
	ZwOpenEnlistment	278
	ZwOpenEventPair	279
	ZwOpenIoCompletion	280
	ZwOpenJobObject	281
	ZwOpenKeyEx	282
	ZwOpenKeyTransacted	283
	ZwOpenKeyTransactedEx	284
	ZwOpenKeyedEvent	285
	ZwOpenMutant	286
	ZwOpenObjectAuditAlarm	287
	ZwOpenPartition	288
	ZwOpenPrivateNamespace	289
	ZwOpenProcessToken	290
	ZwOpenRegistryTransaction	291
	ZwOpenResourceManager	292
	ZwOpenSemaphore	293
	ZwOpenSession	294
	ZwOpenSymbolicLinkObject	295
	ZwOpenThread	296
	ZwOpenTimer	297
	ZwOpenTransaction	298
	ZwOpenTransactionManager	299
	ZwPlugPlayControl	300
	ZwPrePrepareComplete	301
	ZwPrePrepareEnlistment	302
	ZwPrepareComplete	303
	ZwPrepareEnlistment	304
	ZwPrivilegeCheck	305
	ZwPrivilegeObjectAuditAlarm	306
	ZwPrivilegedServiceAuditAlarm	307
	ZwPropagationComplete	308
	ZwPropagationFailed	309
	ZwPulseEvent	310
	ZwQueryAuxiliaryCounterFrequency	311
	ZwQueryBootEntryOrder	312
	ZwQueryBootOptions	313
	ZwQueryDebugFilterState	314
	ZwQueryDirectoryFileEx	315
	ZwQueryDirectoryObject	316
	ZwQueryDriverEntryOrder	317
	ZwQueryEaFile	318
	ZwQueryFullAttributesFile	319
	ZwQueryInformationAtom	320
	ZwQueryInformationByName	321
	ZwQueryInformationEnlistment	322
	ZwQueryInformationJobObject	323
	ZwQueryInformationPort	324
	ZwQueryInformationResourceManager	325
	ZwQueryInformationTransaction	326
	ZwQueryInformationTransactionManager	327
	ZwQueryInformationWorkerFactory	328
	ZwQueryInstallUILanguage	329
	ZwQueryIntervalProfile	330
	ZwQueryIoCompletion	331
	ZwQueryLicenseValue	332
	ZwQueryMultipleValueKey	333
	ZwQueryMutant	334
	ZwQueryOpenSubKeys	335
	ZwQueryOpenSubKeysEx	336
	ZwQueryPortInformationProcess	337
	ZwQueryQuotaInformationFile	338
	ZwQuerySecurityAttributesToken	339
	ZwQuerySecurityObject	340
	ZwQuerySecurityPolicy	341
	ZwQuerySemaphore	342
	ZwQuerySymbolicLinkObject	343
	ZwQuerySystemEnvironmentValue	344
	ZwQuerySystemEnvironmentValueEx	345
	ZwQuerySystemInformationEx	346
	ZwQueryTimerResolution	347
	ZwQueryWnfStateData	348
	ZwQueryWnfStateNameInformation	349
	ZwQueueApcThreadEx	350
	ZwRaiseException	351
	ZwRaiseHardError	352
	ZwReadOnlyEnlistment	353
	ZwRecoverEnlistment	354
	ZwRecoverResourceManager	355
	ZwRecoverTransactionManager	356
	ZwRegisterProtocolAddressInformation	357
	ZwRegisterThreadTerminatePort	358
	ZwReleaseKeyedEvent	359
	ZwReleaseWorkerFactoryWorker	360
	ZwRemoveIoCompletionEx	361
	ZwRemoveProcessDebug	362
	ZwRenameKey	363
	ZwRenameTransactionManager	364
	ZwReplaceKey	365
	ZwReplacePartitionUnit	366
	ZwReplyWaitReplyPort	367
	ZwRequestPort	368
	ZwResetEvent	369
	ZwResetWriteWatch	370
	ZwRestoreKey	371
	ZwResumeProcess	372
	ZwRevertContainerImpersonation	373
	ZwRollbackComplete	374
	ZwRollbackEnlistment	375
	ZwRollbackRegistryTransaction	376
	ZwRollbackTransaction	377
	ZwRollforwardTransactionManager	378
	ZwSaveKey	379
	ZwSaveKeyEx	380
	ZwSaveMergedKeys	381
	ZwSecureConnectPort	382
	ZwSerializeBoot	383
	ZwSetBootEntryOrder	384
	ZwSetBootOptions	385
	ZwSetCachedSigningLevel	386
	ZwSetCachedSigningLevel2	387
	ZwSetContextThread	388
	ZwSetDebugFilterState	389
	ZwSetDefaultHardErrorPort	390
	ZwSetDefaultLocale	391
	ZwSetDefaultUILanguage	392
	ZwSetDriverEntryOrder	393
	ZwSetEaFile	394
	ZwSetHighEventPair	395
	ZwSetHighWaitLowEventPair	396
	ZwSetIRTimer	397
	ZwSetInformationDebugObject	398
	ZwSetInformationEnlistment	399
	ZwSetInformationJobObject	400
	ZwSetInformationKey	401
	ZwSetInformationResourceManager	402
	ZwSetInformationSymbolicLink	403
	ZwSetInformationToken	404
	ZwSetInformationTransaction	405
	ZwSetInformationTransactionManager	406
	ZwSetInformationVirtualMemory	407
	ZwSetInformationWorkerFactory	408
	ZwSetIntervalProfile	409
	ZwSetIoCompletion	410
	ZwSetIoCompletionEx	411
	ZwSetLdtEntries	412
	ZwSetLowEventPair	413
	ZwSetLowWaitHighEventPair	414
	ZwSetQuotaInformationFile	415
	ZwSetSecurityObject	416
	ZwSetSystemEnvironmentValue	417
	ZwSetSystemEnvironmentValueEx	418
	ZwSetSystemInformation	419
	ZwSetSystemPowerState	420
	ZwSetSystemTime	421
	ZwSetThreadExecutionState	422
	ZwSetTimer2	423
	ZwSetTimerEx	424
	ZwSetTimerResolution	425
	ZwSetUuidSeed	426
	ZwSetVolumeInformationFile	427
	ZwSetWnfProcessNotificationEvent	428
	ZwShutdownSystem	429
	ZwShutdownWorkerFactory	430
	ZwSignalAndWaitForSingleObject	431
	ZwSinglePhaseReject	432
	ZwStartProfile	433
	ZwStopProfile	434
	ZwSubscribeWnfStateChange	435
	ZwSuspendProcess	436
	ZwSuspendThread	437
	ZwSystemDebugControl	438
	ZwTerminateEnclave	439
	ZwTerminateJobObject	440
	ZwTestAlert	441
	ZwThawRegistry	442
	ZwThawTransactions	443
	ZwTraceControl	444
	ZwTranslateFilePath	445
	ZwUmsThreadYield	446
	ZwUnloadDriver	447
	ZwUnloadKey	448
	ZwUnloadKey2	449
	ZwUnloadKeyEx	450
	ZwUnlockFile	451
	ZwUnlockVirtualMemory	452
	ZwUnmapViewOfSectionEx	453
	ZwUnsubscribeWnfStateChange	454
	ZwUpdateWnfStateData	455
	ZwVdmControl	456
	ZwWaitForAlertByThreadId	457
	ZwWaitForDebugEvent	458
	ZwWaitForKeyedEvent	459
	ZwWaitForWorkViaWorkerFactory	460
	ZwWaitHighEventPair	461
	ZwWaitLowEventPair	462