wausyscall is a tool for extracting Windows syscall numbers from usermode syscall wrapper dlls such as ntdll.dll or win32u.dll.
Michał Lach c087d0008c Implemented basic Thumb2 PE files recognition
Documented ARM32 Windows syscall invoking convention. Still not
understanding how to properly parse the immediate values encoded in
movs. MSVC uses a different mov instruction for some of the functions
for some reason. Normal mov in Thumb2 takes a 12-bit imm, movw takes
full 16-bit imm. The weird thing is that immediates in those functions
that differ don't exceed the boundaries of the normal 12-bit mov. This
just seems like a shit codegen.
2022-08-10 12:45:42 +02:00
src Implemented basic Thumb2 PE files recognition 2022-08-10 12:45:42 +02:00
.gitignore basic, unfinished pe parser implementation 2022-01-05 00:45:58 +01:00
Cargo.toml replaced regex crate with stdlib functions for string searching 2022-08-09 16:45:49 +02:00
LICENSE added license 2022-07-25 22:46:02 +02:00
README.md Implemented basic Thumb2 PE files recognition 2022-08-10 12:45:42 +02:00

Overview

wausyscall is a tool for extracting Windows syscall numbers from usermode syscall wrapper dlls such as ntdll.dll or win32u.dll.

It should support every platform Windows NT has ever run on natively so far!! (i386, amd64, AArch64, ARM (Thumb2), Alpha, MIPS, PowerPC, Itanium).

Usage & Installation

cargo install --path .

cargo install --git <url to git repo>

Usage: wausyscall <path> (function name) [--only-erroneus] [--help]

Invoking wausyscall on Windows with no arguments should work fine and defaults to the system-provided ntdll.dll. On any other system, a path to the file must be provided.

--only-erroneus prints only the entries whose opcodes were most likely parsed incorrectly.

The function name argument is optional. When provided, the tool looks up the syscall number for that function only; in this form the path to the dll is required even on Windows.

Limitations

Some functions whose names match the syscall regex but are not actually syscalls will produce incorrect output.

The --only-erroneus flag tries to print only the problematic functions, but it is not 100% accurate.