cocateh/wausyscall
1
0
Fork 0
mirror of https://github.com/cocateh/wausyscall.git synced 2024-06-29 18:32:57 +00:00
Code Issues Projects Releases Wiki Activity
wausyscall is a tool for extracting Windows syscall numbers from usermode syscall wrapper dlls such as ntdll.dll or win32u.dll.
9 Commits 1 Branch 0 Tags 52 KiB
Rust 100%
7849d5fcb3
Go to file
cocateh 7849d5fcb3 implemented parsing AArch64 and MIPS R4000 syscalls
2022-01-05 00:46:05 +01:00
src implemented parsing AArch64 and MIPS R4000 syscalls 2022-01-05 00:46:05 +01:00
.gitignore basic, unfinished pe parser implementation 2022-01-05 00:45:58 +01:00
Cargo.lock basic, unfinished pe parser implementation 2022-01-05 00:45:58 +01:00
Cargo.toml basic, unfinished pe parser implementation 2022-01-05 00:45:58 +01:00
README.md updated readme 2022-01-05 00:46:05 +01:00

README.md

Overview

wausyscall is a tool for extracting Windows syscall numbers from usermode syscall wrapper dlls such as ntdll.dll or win32u.dll

It supports only x86 Windows but can be easily ported to other architectures, due to PE file portability, if provided with length of instructions prior to syscall number move instruction, given that syscall wrapper function format is the same.

Usage & Installation

cargo install --path .

cargo install --git <url to git repo>

Usage: wausyscall <path> (function name) [--only-erroneus] [--help]

Invoking wausyscall on Windows with no arguments should work fine, and default to system provided ntdll.dll file. If running on other system, a path to the file should be provided.

--only-erroneus prints opcodes that are most likely improperly parsed.

Function name argument is not required. When provided, it looks up syscall number for the specified function name, but then on Windows, providing a path to the dll is required.