【汇编】SyscallWithASM

文章目录
相关知识点
  1. syscall 指令的机器码（opcode）为 0F 05；x64 下 ntdll 中每个 Nt*/Zw* 存根最终都会落到这两个字节上。
  2. syscall 系统调用号（SSN）在不同 Windows 版本/补丁之间并不一致，具体可以查看 Windows X86-64 System Call Table (XP/2003/Vista/7/8/10/11 and Server)。下面代码中的 0C7h / 02Ch 是硬编码的，只对取号时的那个系统版本有效；在其他版本上执行同样的号码可能调用到另一个系统服务或得到 STATUS_INVALID_SYSTEM_SERVICE，实际使用时应在运行时解析调用号。

以下代码主要记录 NtCreateThreadEx 和 NtTerminateProcess 两个系统调用接口的 ASM（MASM x64）实现与调用

汇编代码

.code

; Direct system call stub for NtCreateThreadEx (x64).
; The caller passes arguments exactly as it would to the ntdll export
; (rcx, rdx, r8, r9, then the stack); the stub only relocates the first one.
NtCreateThreadEx proc
mov r10, rcx        ; kernel reads arg 1 from r10: the syscall instruction overwrites rcx with the return address
mov eax, 0C7h       ; system service number — hard-coded, valid only for the Windows build it was taken from
syscall             ; enter the kernel; NTSTATUS comes back in eax
ret
NtCreateThreadEx endp

; Direct system call stub for NtTerminateProcess (x64):
; ProcessHandle arrives in rcx and ExitStatus in rdx, matching the C prototype below.
NtTerminateProcess proc
mov r10, rcx        ; kernel reads arg 1 from r10: the syscall instruction overwrites rcx with the return address
mov eax, 02Ch       ; system service number — hard-coded, valid only for the Windows build it was taken from
syscall             ; enter the kernel; NTSTATUS comes back in eax
ret
NtTerminateProcess endp

end

如何调用

// 使用前需要先声明函数原型
// Prototype for the MASM stub above. What has to match the kernel is the parameter
// count and order (they become rcx, rdx, r8, r9 and stack slots); the pointer types
// here are looser than the native ones — NOTE(review): ObjectAttributes and
// AttributeList are presumably POBJECT_ATTRIBUTES / PPS_ATTRIBUTE_LIST, confirm
// against the NT headers if stricter typing is wanted.
EXTERN_C NTSTATUS NtCreateThreadEx(
OUT PHANDLE ThreadHandle,            // receives the new thread handle on success
IN ACCESS_MASK DesiredAccess,        // access rights granted on the returned handle
IN LPVOID ObjectAttributes OPTIONAL, // nullptr in the sample call below
IN HANDLE ProcessHandle,             // process that owns the new thread
IN PVOID StartRoutine,               // thread entry point
IN PVOID Argument OPTIONAL,          // passed through to StartRoutine
IN ULONG CreateFlags,                // bit mask; the sample passes 0 (as FALSE)
IN SIZE_T ZeroBits,
IN SIZE_T StackSize,
IN SIZE_T MaximumStackSize,
IN LPVOID AttributeList OPTIONAL);   // nullptr in the sample call below

// Prototype for the MASM stub above: ProcessHandle goes in rcx, ExitStatus in rdx.
// Returns an NTSTATUS (negative values are failures).
EXTERN_C NTSTATUS NtTerminateProcess(
HANDLE ProcessHandle,   // handle to the target process
NTSTATUS ExitStatus     // exit status handed to the terminated process
);


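// call NtTerminateProcess
// Least privilege: terminating a process only needs PROCESS_TERMINATE, not
// PROCESS_ALL_ACCESS, and the handle is opened non-inheritable (FALSE) so that any
// child process spawned later does not inherit a kill capability on the target.
// NOTE(review): if `handle` is reused elsewhere for more than termination, widen the
// mask deliberately rather than going back to PROCESS_ALL_ACCESS.
HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
if (handle)
{
    // Exit status 1 is handed to the target as its exit code (unchanged from the sample).
    NTSTATUS status = NtTerminateProcess(handle, 1);
    // NTSTATUS < 0 is a failure (this is what the NT_SUCCESS macro tests); colour the
    // line so a failed kill is not reported in green.
    const bool succeeded = status >= 0;
    cout << (succeeded ? GREEN : RED) << "Kill:" << pid << " | Result:" << status << WHITE << endl;
    // The process handle is a raw kernel object, not RAII-managed: close it here or
    // it leaks until this process exits.
    CloseHandle(handle);
}
else
{
    cout << RED << "GetLastError(" << GetLastError() << ")\n" << WHITE << endl;
}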

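// call NtCreateThreadEx
// ThreadProc is defined further down in this listing; declare it so the call compiles in this order.
DWORD WINAPI ThreadProc(LPVOID prarm);

HANDLE hthread = nullptr;

// CreateFlags is a ULONG bit mask, so pass 0 rather than the BOOL FALSE (same value, clearer intent).
// GENERIC_EXECUTE is kept from the sample; widen it (e.g. THREAD_ALL_ACCESS) only if the handle
// is later used to suspend, terminate or query the thread.
NTSTATUS status = NtCreateThreadEx(&hthread, GENERIC_EXECUTE, nullptr, hproc, ThreadProc, nullptr, 0, 0, 0, 0, nullptr);
// A negative NTSTATUS means no thread was created and hthread is not a valid handle.
if (status < 0)
{
    cout << RED << "NtCreateThreadEx failed | Result:" << status << WHITE << endl;
}
else
{
    // Closing the handle does not stop the thread; close it once it is no longer needed
    // (after WaitForSingleObject(hthread, ...) if the caller must wait for completion).
    CloseHandle(hthread);
}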

// function ThreadProc
// Thread entry point used by the NtCreateThreadEx sample: prints the id of the
// thread it runs on and exits with code 0. The argument is not used.
DWORD WINAPI ThreadProc(LPVOID param)
{
    (void)param;
    const DWORD tid = GetCurrentThreadId();
    std::cout << "thead id:" << tid << std::endl;
    return 0;
}