
05: Chapter 2 | LAB Exercise Playbook

VirtualAllocEx edited this page Aug 3, 2023 · 45 revisions

LAB Exercise: Warm-Up

In this exercise we will get a feel for user mode, kernel mode, native functions, syscalls, syscall stub, etc. To do this, the student must complete the following tasks.

Exercise tasks:

Debug Syscall IDs

| Task Nr. | Task Description |
| --- | --- |
| 1 | Use WinDbg on your DEV/LAB machine and open or attach to a process such as x64 notepad.exe. |
| 2 | Debug the syscall IDs (System Service Numbers, SSNs) for the following four native APIs, which we will need later in the Direct Syscalls and Indirect Syscalls chapters: NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, NtWaitForSingleObject |
| 3 | Make a note of the debugged syscall IDs; we will need them later. |

Analyse privilege mode switching

| Task Nr. | Task Description |
| --- | --- |
| 4 | Open Procmon and open a new instance of notepad.exe. |
| 5 | Type some text into notepad.exe and save the file to disk. |
| 6 | Using Procmon, search for the operation WriteFile and analyse the call stack for the three items listed below. |

  • Win32 API CreateFile in user mode
  • Privilege mode switching from user mode to kernel mode via syscall
  • Native API NtCreateFile in kernel mode

WinDbg

Task

In the first step we use WinDbg to debug the syscall IDs for NtAllocateVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx and NtWaitForSingleObject. To do this, we use the x command to look up the memory address of the native API in ntdll.dll and then the u command to unassemble (disassemble) that address, which shows us the contents of the native function's syscall stub. In this case, Windows 10 Enterprise 22H2 was used.

To start debugging, open WinDbg and open (or attach to) the process notepad.exe.


Then you can start extracting information from ntdll.dll. The generic form is x to resolve the symbol to an address, followed by u on that address:

```
x ntdll!<NtAPI>
u <memory address>
```

For NtAllocateVirtualMemory this looked as follows on the LAB machine (the address comes from x and will differ on your machine because ntdll.dll is loaded at a randomised base):

```
x ntdll!NtAllocateVirtualMemory
u 00007ff8`c318d350
```


Solution

Procmon

Task

The second step is to use Procmon to analyse the privilege mode switch from user mode to kernel mode in the context of the notepad.exe process. To do this, we open notepad.exe, write a file to disk by saving it, and then use Procmon to look for the WriteFile operation in the context of notepad.exe.

We can use two filters in Procmon to make our lives easier:
  • process is notepad.exe
  • operation is WriteFile


Solution

In the following diagram we can clearly see the transition from user mode to kernel mode in the context of saving the file to disk with notepad.exe. First the Win32 API WriteFile is called, then the native function NtWriteFile, which contains the syscall stub (syscall ID, syscall instruction etc.), and finally the syscall instruction itself is executed. The kernel, in turn, needs to interact with the appropriate device driver to actually write to the disk. This is where IofCallDriver is called, which is also shown in the figure.


Summary: Windows OS System Calls

  • The system call is part of the syscall stub of a native function
  • Every system call has a specific syscall ID (SSN) and belongs to a specific NTAPI
  • The syscall and its syscall stub are retrieved from and executed in ntdll.dll
  • It is responsible for initiating the transition from user mode to kernel mode
  • It enables temporary access to components or resources in the kernel, such as the file system, drivers etc.