So with the release of Windows 10 I (like many before me) decided to look into what new syscalls have been added. Syscalls are the means by which code running in the context of a user can request that functionality provided by the kernel be executed. This includes many basic operations such as opening and reading from files. Collecting this information will allow us to identify new functionality provided by the Windows 10 kernel.
To get the information I was interested in, I needed a way to programmatically identify the exported syscall wrappers and extract their respective numbers. Simone Margaritelli explains how this can be accomplished in his excellent blog post “On Windows syscall mechanism and syscall numbers extraction methods”. At the end of the post he includes a proof of concept demonstrating his technique: match the assembly stub of each export and read the syscall number out of it. That code, however, does not support analysis of 64-bit binaries, which are what I would prefer to inspect.
To address this I added a new tool to the mayhem project which analyzes both 32-bit and 64-bit PE files. Much in the way outlined in the material referenced above, the script walks the PE file's exported functions, attempts to identify the ones that are syscall stubs, and extracts the numbers they pass to the kernel.
Now, equipped with a way to quickly and easily extract syscalls from PE files, I started by analyzing ntdll.dll and user32.dll on a Windows 8.1 x64 Professional system. Using these as a baseline, I then analyzed the same files on Windows 10 x64 Tech Preview and Windows 10 x64 to identify which exported syscall wrappers are new between the three.
|Syscall Number|Address|Name|Ordinal|
|---|---|---|---|
|5128|0x180033ca0|N/A (Ordinal Export)|2542|
|5181|0x180033ff0|N/A (Ordinal Export)|2566|
|5150|0x180033e00|N/A (Ordinal Export)|2571|
|5151|0x180033e10|N/A (Ordinal Export)|2576|
|5100|0x180033ae0|N/A (Ordinal Export)*|2578|
|5188|0x180034060|N/A (Ordinal Export)*|2579|

* Added between Tech Preview and Final
** Removed between Tech Preview and Final

Finally, this information shows that 39 syscall wrappers have been added between Windows 8.1 and Windows 10. Some of the wrappers duplicate functionality, as the paired Nt* and Zw* functions show. With this information in hand, we can start focusing on the newly added Windows 10 kernel functionality. The same steps can also be applied to additional DLLs such as kernel32.dll and gdi32.dll.
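As an added example (this is not the mayhem tool's code and is not from the post), the following Python models the two steps the post describes: matching an export's code against the known syscall-stub shapes to pull out the number loaded into eax, and diffing two such scans to list the wrappers that were added, removed or renumbered between builds. The stub byte patterns are the commonly documented ntdll/user32 wrapper layouts; the export names, numbers and addresses are constructed for the example, and the bytes are read from in-memory dicts rather than from a PE file, so the PE parsing (the part mayhem handles) is assumed away.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Assumed stub shapes (modelled on the usual ntdll/user32 wrappers, not taken
# from the page or from mayhem):
#   x64, Windows 8.1:  mov r10,rcx ; mov eax,N ; syscall ; ret
#   x64, Windows 10:   mov r10,rcx ; mov eax,N ; test byte ptr [7FFE0308h],1
#                      ; jne +3 ; syscall ; ret ; int 2Eh ; ret
#   x86:               mov eax,N ; mov edx,<dispatcher> ; call [edx] ; ret imm16


def extract_syscall_number(code: bytes, is_64bit: bool) -> Optional[int]:
    """Return the number loaded into eax if `code` starts with a syscall stub, else None."""
    if is_64bit:
        # 4C 8B D1  mov r10, rcx   /   B8 imm32  mov eax, imm32
        if len(code) < 8 or code[:4] != b"\x4c\x8b\xd1\xb8":
            return None
        number = struct.unpack_from("<I", code, 4)[0]
        # Insist on a real `syscall` (0F 05) shortly after the immediate; the
        # Windows 10 stub puts a test/jne (Wow64 check) in between.
        return number if b"\x0f\x05" in code[8:24] else None
    # B8 imm32  mov eax, imm32, followed by the transition setup (mov edx / call)
    if len(code) < 6 or code[0] != 0xB8:
        return None
    number = struct.unpack_from("<I", code, 1)[0]
    return number if code[5] in (0xBA, 0xE8) else None


def split_service_number(number: int) -> Tuple[int, int]:
    """Split a system service number into (table, index): bits 12-13 select the
    service table (0 = ntoskrnl, 1 = win32k), bits 0-11 the entry within it."""
    return (number >> 12) & 0x3, number & 0xFFF


def scan_exports(exports: Dict[str, bytes], is_64bit: bool) -> Dict[str, int]:
    """Keep only exports whose code is a syscall stub; map name -> syscall number."""
    result = {}
    for name, code in exports.items():
        number = extract_syscall_number(code, is_64bit)
        if number is not None:
            result[name] = number
    return result


def diff_syscalls(baseline: Dict[str, int], current: Dict[str, int]
                  ) -> Tuple[List[str], List[str], List[str]]:
    """Compare two scans: (added wrappers, removed wrappers, wrappers whose number changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    renumbered = sorted(n for n in set(baseline) & set(current)
                        if baseline[n] != current[n])
    return added, removed, renumbered


# ---- constructed sample data (stands in for bytes read from a PE's export table) ----

def build_x64_stub(number: int, win10: bool) -> bytes:
    head = b"\x4c\x8b\xd1\xb8" + struct.pack("<I", number)
    if win10:
        return head + bytes.fromhex("f604250803fe7f01" "7503" "0f05" "c3" "cd2e" "c3")
    return head + b"\x0f\x05\xc3"


def build_x86_stub(number: int) -> bytes:
    # mov eax,N ; mov edx,7FFE0300h ; call dword ptr [edx] ; ret 14h
    return b"\xb8" + struct.pack("<I", number) + b"\xba\x00\x03\xfe\x7f\xff\x12\xc2\x14\x00"


NOT_A_STUB = b"\x48\x83\xec\x28\x48\x8b\xd9"  # sub rsp,28h ; mov rbx,rcx: ordinary code

BASELINE_EXPORTS = {                       # "Windows 8.1 x64" snapshot (constructed)
    "NtSampleOpen": build_x64_stub(0x33, win10=False),
    "NtSampleRead": build_x64_stub(0x06, win10=False),
    "NtSampleOld": build_x64_stub(0x70, win10=False),
    "RtlSampleHelper": NOT_A_STUB,
}
CURRENT_EXPORTS = {                        # "Windows 10 x64" snapshot (constructed)
    "NtSampleOpen": build_x64_stub(0x33, win10=True),
    "NtSampleRead": build_x64_stub(0x07, win10=True),   # same wrapper, renumbered
    "NtSampleNew": build_x64_stub(0x1A0, win10=True),   # new wrapper
    "RtlSampleHelper": NOT_A_STUB,
}


def compare_snapshots() -> Tuple[List[str], List[str], List[str]]:
    return diff_syscalls(scan_exports(BASELINE_EXPORTS, True),
                         scan_exports(CURRENT_EXPORTS, True))


if __name__ == "__main__":
    added, removed, renumbered = compare_snapshots()
    print("added:", added, "removed:", removed, "renumbered:", renumbered)
    print("5128 ->", split_service_number(5128))
```

Matching on the stub shape rather than on the export name is what makes the approach work for ordinal-only exports such as the user32.dll entries in the table: they have no name to key on, but their code still starts with `mov eax, imm32`. `split_service_number` separates the service-table bits from the index, which is why numbers of 0x1000 and above belong to the win32k table where user32.dll wrappers land. To run this against real binaries, replace the constructed dicts with the first bytes of each export as read from the PE file.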