[rough] Mapping the system call numbers of the Zw APIs from the local ntdll.dll on Windows 10 via binaryninja


from binaryninja import *

# Send log_info/log_error output to stderr (level 1 = info and above).
log_to_stderr(1)

def get_syscall_no(zwf):
    """Return the constant held in EAX at the 'syscall' instruction of a Zw stub."""
    for b in zwf.basic_blocks:
        for i in b.get_disassembly_text():
            if str(i).startswith("syscall"):
                # Binary Ninja's dataflow resolves EAX at this address; in a stub it is
                # the immediate from the preceding 'mov eax, imm32'.
                eax = zwf.get_reg_value_at(i.address, "eax")
                if eax.type == RegisterValueType.ConstantValue:
                    return eax.value
                else:
                    raise Exception("couldn't determine syscall number.")

    raise Exception("syscall not found")

log_info("[*] loading ntdll.dll...")
ntdll = BinaryViewType['PE'].open("C:\\Windows\\System32\\ntdll.dll")

log_info("[*] analyzing ntdll.dll...")
ntdll.update_analysis_and_wait()

# Walk only the Zw* functions; each one is a syscall stub.
ZwFunctions = (
    function for function in ntdll.functions if function.name.startswith("Zw"))

log_info("[*] mapping syscall numbers..")

for f in ZwFunctions:
    log_info("- now processing: %s" % (f.name))
    try:
        syscallno = get_syscall_no(f)
    except Exception as e:
        # Skip this function; without 'continue' the previous iteration's
        # number would be printed against this name.
        log_error(str(e))
        continue

    print("%s\t%s" % (f.name, str(syscallno)))

Output (Zw function name, syscall number, tab-separated):
ZwAccessCheck	0
ZwWorkerFactoryWorkerReady	1
ZwAcceptConnectPort	2
ZwMapUserPhysicalPagesScatter	3
ZwWaitForSingleObject	4
ZwCallbackReturn	5
ZwReadFile	6
ZwDeviceIoControlFile	7
ZwWriteFile	8
ZwRemoveIoCompletion	9
ZwReleaseSemaphore	10
ZwReplyWaitReceivePort	11
ZwReplyPort	12
ZwSetInformationThread	13
ZwSetEvent	14
ZwClose	15
ZwQueryObject	16
ZwQueryInformationFile	17
ZwOpenKey	18
ZwEnumerateValueKey	19
ZwFindAtom	20
ZwQueryDefaultLocale	21
ZwQueryKey	22
ZwQueryValueKey	23
ZwAllocateVirtualMemory	24
ZwQueryInformationProcess	25
ZwWaitForMultipleObjects32	26
ZwWriteFileGather	27
ZwSetInformationProcess	28
ZwCreateKey	29
ZwFreeVirtualMemory	30
ZwImpersonateClientOfPort	31
ZwReleaseMutant	32
ZwQueryInformationToken	33
ZwRequestWaitReplyPort	34
ZwQueryVirtualMemory	35
ZwOpenThreadToken	36
ZwQueryInformationThread	37
ZwOpenProcess	38
ZwSetInformationFile	39
ZwMapViewOfSection	40
ZwAccessCheckAndAuditAlarm	41
ZwUnmapViewOfSection	42
ZwReplyWaitReceivePortEx	43
ZwTerminateProcess	44
ZwSetEventBoostPriority	45
ZwReadFileScatter	46
ZwOpenThreadTokenEx	47
ZwOpenProcessTokenEx	48
ZwQueryPerformanceCounter	49
ZwEnumerateKey	50
ZwOpenFile	51
ZwDelayExecution	52
ZwQueryDirectoryFile	53
ZwQuerySystemInformation	54
ZwOpenSection	55
ZwQueryTimer	56
ZwFsControlFile	57
ZwWriteVirtualMemory	58
ZwCloseObjectAuditAlarm	59
ZwDuplicateObject	60
ZwQueryAttributesFile	61
ZwClearEvent	62
ZwReadVirtualMemory	63
ZwOpenEvent	64
ZwAdjustPrivilegesToken	65
ZwDuplicateToken	66
ZwContinue	67
ZwQueryDefaultUILanguage	68
ZwQueueApcThread	69
ZwYieldExecution	70
ZwAddAtom	71
ZwCreateEvent	72
ZwQueryVolumeInformationFile	73
ZwCreateSection	74
ZwFlushBuffersFile	75
ZwApphelpCacheControl	76
ZwCreateProcessEx	77
ZwCreateThread	78
ZwIsProcessInJob	79
ZwProtectVirtualMemory	80
ZwQuerySection	81
ZwResumeThread	82
ZwTerminateThread	83
ZwReadRequestData	84
ZwCreateFile	85
ZwQueryEvent	86
ZwWriteRequestData	87
ZwOpenDirectoryObject	88
ZwAccessCheckByTypeAndAuditAlarm	89
ZwQuerySystemTime	89
ZwWaitForMultipleObjects	91
ZwSetInformationObject	92
ZwCancelIoFile	93
ZwTraceEvent	94
ZwPowerInformation	95
ZwSetValueKey	96
ZwCancelTimer	97
ZwSetTimer	98
ZwAccessCheckByType	99
ZwAccessCheckByTypeResultList	100
ZwAccessCheckByTypeResultListAndAuditAlarm	101
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle	102
ZwAcquireProcessActivityReference	103
ZwAddAtomEx	104
ZwAddBootEntry	105
ZwAddDriverEntry	106
ZwAdjustGroupsToken	107
ZwAdjustTokenClaimsAndDeviceGroups	108
ZwAlertResumeThread	109
ZwAlertThread	110
ZwAlertThreadByThreadId	111
ZwAllocateLocallyUniqueId	112
ZwAllocateReserveObject	113
ZwAllocateUserPhysicalPages	114
ZwAllocateUuids	115
ZwAllocateVirtualMemoryEx	116
ZwAlpcAcceptConnectPort	117
ZwAlpcCancelMessage	118
ZwAlpcConnectPort	119
ZwAlpcConnectPortEx	120
ZwAlpcCreatePort	121
ZwAlpcCreatePortSection	122
ZwAlpcCreateResourceReserve	123
ZwAlpcCreateSectionView	124
ZwAlpcCreateSecurityContext	125
ZwAlpcDeletePortSection	126
ZwAlpcDeleteResourceReserve	127
ZwAlpcDeleteSectionView	128
ZwAlpcDeleteSecurityContext	129
ZwAlpcDisconnectPort	130
ZwAlpcImpersonateClientContainerOfPort	131
ZwAlpcImpersonateClientOfPort	132
ZwAlpcOpenSenderProcess	133
ZwAlpcOpenSenderThread	134
ZwAlpcQueryInformation	135
ZwAlpcQueryInformationMessage	136
ZwAlpcRevokeSecurityContext	137
ZwAlpcSendWaitReceivePort	138
ZwAlpcSetInformation	139
ZwAreMappedFilesTheSame	140
ZwAssignProcessToJobObject	141
ZwAssociateWaitCompletionPacket	142
ZwCallEnclave	143
ZwCancelIoFileEx	144
ZwCancelSynchronousIoFile	145
ZwCancelTimer2	146
ZwCancelWaitCompletionPacket	147
ZwCommitComplete	148
ZwCommitEnlistment	149
ZwCommitRegistryTransaction	150
ZwCommitTransaction	151
ZwCompactKeys	152
ZwCompareObjects	153
ZwCompareSigningLevels	154
ZwCompareTokens	155
ZwCompleteConnectPort	156
ZwCompressKey	157
ZwConnectPort	158
ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter	159
ZwCreateDebugObject	160
ZwCreateDirectoryObject	161
ZwCreateDirectoryObjectEx	162
ZwCreateEnclave	163
ZwCreateEnlistment	164
ZwCreateEventPair	165
ZwCreateIRTimer	166
ZwCreateIoCompletion	167
ZwCreateJobObject	168
ZwCreateJobSet	169
ZwCreateKeyTransacted	170
ZwCreateKeyedEvent	171
ZwCreateLowBoxToken	172
ZwCreateMailslotFile	173
ZwCreateMutant	174
ZwCreateNamedPipeFile	175
ZwCreatePagingFile	176
ZwCreatePartition	177
ZwCreatePort	178
ZwCreatePrivateNamespace	179
ZwCreateProcess	180
ZwCreateProfile	181
ZwCreateProfileEx	182
ZwCreateRegistryTransaction	183
ZwCreateResourceManager	184
ZwCreateSectionEx	185
ZwCreateSemaphore	186
ZwCreateSymbolicLinkObject	187
ZwCreateThreadEx	188
ZwCreateTimer	189
ZwCreateTimer2	190
ZwCreateToken	191
ZwCreateTokenEx	192
ZwCreateTransaction	193
ZwCreateTransactionManager	194
ZwCreateUserProcess	195
ZwCreateWaitCompletionPacket	196
ZwCreateWaitablePort	197
ZwCreateWnfStateName	198
ZwCreateWorkerFactory	199
ZwDebugActiveProcess	200
ZwDebugContinue	201
ZwDeleteAtom	202
ZwDeleteBootEntry	203
ZwDeleteDriverEntry	204
ZwDeleteFile	205
ZwDeleteKey	206
ZwDeleteObjectAuditAlarm	207
ZwDeletePrivateNamespace	208
ZwDeleteValueKey	209
ZwDeleteWnfStateData	210
ZwDeleteWnfStateName	211
ZwDisableLastKnownGood	212
ZwDisplayString	213
ZwDrawText	214
ZwEnableLastKnownGood	215
ZwEnumerateBootEntries	216
ZwEnumerateDriverEntries	217
ZwEnumerateSystemEnvironmentValuesEx	218
ZwEnumerateTransactionObject	219
ZwExtendSection	220
ZwFilterBootOption	221
ZwFilterToken	222
ZwFilterTokenEx	223
ZwFlushBuffersFileEx	224
ZwFlushInstallUILanguage	225
ZwFlushInstructionCache	226
ZwFlushKey	227
ZwFlushProcessWriteBuffers	228
ZwFlushVirtualMemory	229
ZwFlushWriteBuffer	230
ZwFreeUserPhysicalPages	231
ZwFreezeRegistry	232
ZwFreezeTransactions	233
ZwGetCachedSigningLevel	234
ZwGetCompleteWnfStateSubscription	235
ZwGetContextThread	236
ZwGetCurrentProcessorNumber	237
ZwGetCurrentProcessorNumberEx	238
ZwGetDevicePowerState	239
ZwGetMUIRegistryInfo	240
ZwGetNextProcess	241
ZwGetNextThread	242
ZwGetNlsSectionPtr	243
ZwGetNotificationResourceManager	244
ZwGetWriteWatch	245
ZwImpersonateAnonymousToken	246
ZwImpersonateThread	247
ZwInitializeEnclave	248
ZwInitializeNlsFiles	249
ZwInitializeRegistry	250
ZwInitiatePowerAction	251
ZwIsSystemResumeAutomatic	252
ZwIsUILanguageComitted	253
ZwListenPort	254
ZwLoadDriver	255
ZwLoadEnclaveData	256
ZwLoadKey	257
ZwLoadKey2	258
ZwLoadKeyEx	259
ZwLockFile	260
ZwLockProductActivationKeys	261
ZwLockRegistryKey	262
ZwLockVirtualMemory	263
ZwMakePermanentObject	264
ZwMakeTemporaryObject	265
ZwManageHotPatch	266
ZwManagePartition	267
ZwMapCMFModule	268
ZwMapUserPhysicalPages	269
ZwMapViewOfSectionEx	270
ZwModifyBootEntry	271
ZwModifyDriverEntry	272
ZwNotifyChangeDirectoryFile	273
ZwNotifyChangeDirectoryFileEx	274
ZwNotifyChangeKey	275
ZwNotifyChangeMultipleKeys	276
ZwNotifyChangeSession	277
ZwOpenEnlistment	278
ZwOpenEventPair	279
ZwOpenIoCompletion	280
ZwOpenJobObject	281
ZwOpenKeyEx	282
ZwOpenKeyTransacted	283
ZwOpenKeyTransactedEx	284
ZwOpenKeyedEvent	285
ZwOpenMutant	286
ZwOpenObjectAuditAlarm	287
ZwOpenPartition	288
ZwOpenPrivateNamespace	289
ZwOpenProcessToken	290
ZwOpenRegistryTransaction	291
ZwOpenResourceManager	292
ZwOpenSemaphore	293
ZwOpenSession	294
ZwOpenSymbolicLinkObject	295
ZwOpenThread	296
ZwOpenTimer	297
ZwOpenTransaction	298
ZwOpenTransactionManager	299
ZwPlugPlayControl	300
ZwPrePrepareComplete	301
ZwPrePrepareEnlistment	302
ZwPrepareComplete	303
ZwPrepareEnlistment	304
ZwPrivilegeCheck	305
ZwPrivilegeObjectAuditAlarm	306
ZwPrivilegedServiceAuditAlarm	307
ZwPropagationComplete	308
ZwPropagationFailed	309
ZwPulseEvent	310
ZwQueryAuxiliaryCounterFrequency	311
ZwQueryBootEntryOrder	312
ZwQueryBootOptions	313
ZwQueryDebugFilterState	314
ZwQueryDirectoryFileEx	315
ZwQueryDirectoryObject	316
ZwQueryDriverEntryOrder	317
ZwQueryEaFile	318
ZwQueryFullAttributesFile	319
ZwQueryInformationAtom	320
ZwQueryInformationByName	321
ZwQueryInformationEnlistment	322
ZwQueryInformationJobObject	323
ZwQueryInformationPort	324
ZwQueryInformationResourceManager	325
ZwQueryInformationTransaction	326
ZwQueryInformationTransactionManager	327
ZwQueryInformationWorkerFactory	328
ZwQueryInstallUILanguage	329
ZwQueryIntervalProfile	330
ZwQueryIoCompletion	331
ZwQueryLicenseValue	332
ZwQueryMultipleValueKey	333
ZwQueryMutant	334
ZwQueryOpenSubKeys	335
ZwQueryOpenSubKeysEx	336
ZwQueryPortInformationProcess	337
ZwQueryQuotaInformationFile	338
ZwQuerySecurityAttributesToken	339
ZwQuerySecurityObject	340
ZwQuerySecurityPolicy	341
ZwQuerySemaphore	342
ZwQuerySymbolicLinkObject	343
ZwQuerySystemEnvironmentValue	344
ZwQuerySystemEnvironmentValueEx	345
ZwQuerySystemInformationEx	346
ZwQueryTimerResolution	347
ZwQueryWnfStateData	348
ZwQueryWnfStateNameInformation	349
ZwQueueApcThreadEx	350
ZwRaiseException	351
ZwRaiseHardError	352
ZwReadOnlyEnlistment	353
ZwRecoverEnlistment	354
ZwRecoverResourceManager	355
ZwRecoverTransactionManager	356
ZwRegisterProtocolAddressInformation	357
ZwRegisterThreadTerminatePort	358
ZwReleaseKeyedEvent	359
ZwReleaseWorkerFactoryWorker	360
ZwRemoveIoCompletionEx	361
ZwRemoveProcessDebug	362
ZwRenameKey	363
ZwRenameTransactionManager	364
ZwReplaceKey	365
ZwReplacePartitionUnit	366
ZwReplyWaitReplyPort	367
ZwRequestPort	368
ZwResetEvent	369
ZwResetWriteWatch	370
ZwRestoreKey	371
ZwResumeProcess	372
ZwRevertContainerImpersonation	373
ZwRollbackComplete	374
ZwRollbackEnlistment	375
ZwRollbackRegistryTransaction	376
ZwRollbackTransaction	377
ZwRollforwardTransactionManager	378
ZwSaveKey	379
ZwSaveKeyEx	380
ZwSaveMergedKeys	381
ZwSecureConnectPort	382
ZwSerializeBoot	383
ZwSetBootEntryOrder	384
ZwSetBootOptions	385
ZwSetCachedSigningLevel	386
ZwSetCachedSigningLevel2	387
ZwSetContextThread	388
ZwSetDebugFilterState	389
ZwSetDefaultHardErrorPort	390
ZwSetDefaultLocale	391
ZwSetDefaultUILanguage	392
ZwSetDriverEntryOrder	393
ZwSetEaFile	394
ZwSetHighEventPair	395
ZwSetHighWaitLowEventPair	396
ZwSetIRTimer	397
ZwSetInformationDebugObject	398
ZwSetInformationEnlistment	399
ZwSetInformationJobObject	400
ZwSetInformationKey	401
ZwSetInformationResourceManager	402
ZwSetInformationSymbolicLink	403
ZwSetInformationToken	404
ZwSetInformationTransaction	405
ZwSetInformationTransactionManager	406
ZwSetInformationVirtualMemory	407
ZwSetInformationWorkerFactory	408
ZwSetIntervalProfile	409
ZwSetIoCompletion	410
ZwSetIoCompletionEx	411
ZwSetLdtEntries	412
ZwSetLowEventPair	413
ZwSetLowWaitHighEventPair	414
ZwSetQuotaInformationFile	415
ZwSetSecurityObject	416
ZwSetSystemEnvironmentValue	417
ZwSetSystemEnvironmentValueEx	418
ZwSetSystemInformation	419
ZwSetSystemPowerState	420
ZwSetSystemTime	421
ZwSetThreadExecutionState	422
ZwSetTimer2	423
ZwSetTimerEx	424
ZwSetTimerResolution	425
ZwSetUuidSeed	426
ZwSetVolumeInformationFile	427
ZwSetWnfProcessNotificationEvent	428
ZwShutdownSystem	429
ZwShutdownWorkerFactory	430
ZwSignalAndWaitForSingleObject	431
ZwSinglePhaseReject	432
ZwStartProfile	433
ZwStopProfile	434
ZwSubscribeWnfStateChange	435
ZwSuspendProcess	436
ZwSuspendThread	437
ZwSystemDebugControl	438
ZwTerminateEnclave	439
ZwTerminateJobObject	440
ZwTestAlert	441
ZwThawRegistry	442
ZwThawTransactions	443
ZwTraceControl	444
ZwTranslateFilePath	445
ZwUmsThreadYield	446
ZwUnloadDriver	447
ZwUnloadKey	448
ZwUnloadKey2	449
ZwUnloadKeyEx	450
ZwUnlockFile	451
ZwUnlockVirtualMemory	452
ZwUnmapViewOfSectionEx	453
ZwUnsubscribeWnfStateChange	454
ZwUpdateWnfStateData	455
ZwVdmControl	456
ZwWaitForAlertByThreadId	457
ZwWaitForDebugEvent	458
ZwWaitForKeyedEvent	459
ZwWaitForWorkViaWorkerFactory	460
ZwWaitHighEventPair	461
ZwWaitLowEventPair	462
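An added, stand-alone check in plain Python (not part of the gist and not Binary Ninja code): it recovers the number from a constructed x64 stub the same way the script's EAX dataflow query does, and it parses the script's tab-separated output to flag duplicated or skipped numbers, such as the two entries at 89 and the absent 90 in the table above. The stub bytes and the table excerpt are constructed here, not read from a real ntdll.dll.

```python
import struct

# Constructed sample of the Windows 10 x64 Zw/Nt stub layout:
#   mov r10,rcx; mov eax,imm32; test byte ptr [7FFE0308h],1; jne; syscall; ret; int 2Eh; ret
# using the number the table above lists for ZwClose (15). Not bytes from a real ntdll.dll.
SAMPLE_ZWCLOSE_STUB = bytes.fromhex(
    "4C8BD1" "B80F000000" "F60425" "0803FE7F" "01" "7503" "0F05" "C3" "CD2E" "C3")

def syscall_number_from_stub(code: bytes):
    """Static equivalent of the script's get_syscall_no(): the constant in EAX at
    the 'syscall' is the imm32 of the 'mov eax, imm32' that opens the stub."""
    # A stub starts 'mov r10, rcx' (4C 8B D1) followed by 'mov eax, imm32' (B8 imm32).
    if len(code) < 8 or not code.startswith(b"\x4c\x8b\xd1\xb8"):
        return None
    number = struct.unpack_from("<I", code, 4)[0]
    # Require the 'syscall' (0F 05) the script anchors on, somewhere after the mov.
    if code.find(b"\x0f\x05", 8) < 0:
        return None
    return number

# Constructed excerpt of the script's output around the anomaly in the table above.
SAMPLE_TABLE = (
    "ZwOpenDirectoryObject\t88\n"
    "ZwAccessCheckByTypeAndAuditAlarm\t89\n"
    "ZwQuerySystemTime\t89\n"
    "ZwWaitForMultipleObjects\t91\n"
    "ZwSetInformationObject\t92\n")

def check_mapping(table: str):
    """Parse 'Name<TAB>number' lines and report numbers that are assigned twice or
    never assigned; either means a stub whose EAX constant was resolved wrongly."""
    seen, problems = {}, []
    for line in table.strip().splitlines():
        name, num = line.split("\t")
        num = int(num)
        if num in seen:
            problems.append("duplicate %d: %s and %s" % (num, seen[num], name))
        seen[num] = name
    for gap in sorted(set(range(min(seen), max(seen) + 1)) - set(seen)):
        problems.append("no function mapped to %d" % gap)
    return problems

if __name__ == "__main__":
    print("ZwClose stub ->", syscall_number_from_stub(SAMPLE_ZWCLOSE_STUB))
    for p in check_mapping(SAMPLE_TABLE):
        print("[!]", p)
```

Run `check_mapping` over the full output of the script to find every entry worth re-checking in the disassembler by hand.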
