Viewing how Windows syscalls are handled by OS
I am trying to figure out how syscalls are performed in the kernel. Are there any good explanations of what exactly happens in the kernel when a "syscall" instruction is encountered? What are the ways to view those kernel-mode callbacks and maybe document some undocumented functions?
Basically what I'm asking:

```asm
mov eax, 23h ; NtQueryVirtualMemory
syscall      ; Any way to view what the OS does, how it fills registers, sets the return value etc. after executing this instruction?
```
Thanks.
Solution 1:[1]
To add a bit more info to the post above me, syscall will go into the kernel at the syscall handler KiSystemCall64(Shadow). Here it makes a context switch and calls the corresponding function in the SSDT; the identifier for which function to call is stored in EAX. To learn more about it you can consider going into the kernel and hooking the syscall handler by getting the MSR register and then changing the LSTAR index of the MSR. The LSTAR points to the syscall handler, and you can overwrite it to handle it yourself / log it. Might be a fun project if you want to get to learn more about it.
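As an added example (not part of the question or the answer above), the script below shows the user-mode half of the path the answer describes: it decodes the bytes of an x64 ntdll-style syscall stub, recovers the service number that `mov eax, imm32` places in EAX, and models how the handler uses that number to index a service table. The stub bytes and the service table are constructed for this example; the mapping of 23h to NtQueryVirtualMemory is taken from the question, and real service numbers change between Windows builds, so a table like this would have to be built per build from a trusted source rather than hard-coded.

```python
"""Decode an x64 syscall stub and model SSDT dispatch (added example)."""
import struct
from typing import Dict, NamedTuple


class StubInfo(NamedTuple):
    service_number: int  # full value loaded into EAX
    table_index: int     # bits 12-13 of EAX select the service table
    entry_index: int     # bits 0-11 of EAX index into that table


# Constructed bytes for a classic x64 stub:
#   4C 8B D1        mov r10, rcx
#   B8 23 00 00 00  mov eax, 23h
#   0F 05           syscall
#   C3              ret
SAMPLE_STUB = bytes.fromhex("4c8bd1b8230000000f05c3")

# Constructed bytes for the newer stub shape that checks the KUSER_SHARED_DATA
# flag before choosing between `syscall` and `int 2Eh`:
#   F6 04 25 08 03 FE 7F 01  test byte ptr [7FFE0308h], 1
#   75 03                    jnz +3
#   0F 05                    syscall
#   C3                       ret
#   CD 2E                    int 2Eh
#   C3                       ret
MODERN_STUB = bytes.fromhex("4c8bd1b823000000f604250803fe7f0175030f05c3cd2ec3")

# Constructed service table: table 0 stands in for the ntoskrnl SSDT.
# Only the single entry the question mentions is filled in.
SAMPLE_TABLES: Dict[int, Dict[int, str]] = {
    0: {0x23: "NtQueryVirtualMemory"},  # from the question's comment
    1: {},                               # win32k (shadow) table, left empty
}


def decode_stub(stub: bytes) -> StubInfo:
    """Walk a stub until `syscall` and report what EAX holds at that point."""
    i = 0
    eax = None
    while i < len(stub):
        if stub[i:i + 3] == b"\x4c\x8b\xd1":           # mov r10, rcx
            i += 3
        elif stub[i] == 0xB8:                          # mov eax, imm32
            (eax,) = struct.unpack_from("<I", stub, i + 1)
            i += 5
        elif stub[i:i + 8] == b"\xf6\x04\x25\x08\x03\xfe\x7f\x01":
            i += 8                                     # test byte ptr [...], 1
        elif stub[i] == 0x75:                          # jnz rel8 (not taken here)
            i += 2
        elif stub[i:i + 2] == b"\x0f\x05":             # syscall
            if eax is None:
                raise ValueError("syscall reached before EAX was loaded")
            return StubInfo(eax, (eax >> 12) & 0x3, eax & 0xFFF)
        elif stub[i] == 0xC3:                          # ret
            raise ValueError("ret before syscall: not a syscall stub")
        else:
            raise ValueError(f"unexpected opcode {stub[i]:#04x} at offset {i}")
    raise ValueError("no syscall instruction found")


def dispatch(service_number: int, tables: Dict[int, Dict[int, str]]) -> str:
    """Model the handler's use of EAX: pick a table, then index into it.

    A number outside the table is rejected, which is the modelled
    equivalent of the kernel failing the call rather than dispatching it.
    """
    table = tables.get((service_number >> 12) & 0x3)
    if table is None:
        raise KeyError(f"no service table for number {service_number:#x}")
    entry = table.get(service_number & 0xFFF)
    if entry is None:
        raise KeyError(f"invalid system service {service_number:#x}")
    return entry


if __name__ == "__main__":
    for name, stub in (("classic", SAMPLE_STUB), ("modern", MODERN_STUB)):
        info = decode_stub(stub)
        print(name, info, "->", dispatch(info.service_number, SAMPLE_TABLES))
```

Both stub shapes resolve to the same service number, which is the point: whatever user-mode wrapper was used, the only thing the kernel handler sees is the value in EAX, and a service table entry is selected from it.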
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Zpes |
