The system call dispatcher on x86 NT has undergone several revisions over the years.<\/p>\n
Until recently, the primary method used to make system calls was the int 2e<\/em> instruction (software interrupt, vector 0x2e). This is a fairly quick way to enter CPL 0 (kernel mode), and it is backwards compatible with all 32-bit capable x86 processors.<\/p>\n With Windows XP, the mainstream mechanism used to do system calls changed; From this point forward, the operating system selects a more optimized kernel transition mechanism based on your processor type. Pentium II and later processors will instead use the sysenter<\/em> instruction, which is a more efficient mechanism of switching to CPL 0 (kernel mode), as it dispenses with some needless (in this case) overhead of usual interrupt dispatching.<\/p>\n How is this switch accomplished? Well, starting with Windows XP, the system service call stubs do not hardcode a particular instruction (say, int 2e<\/em>) anymore. Instead, they indirect through a field in the KUSER_SHARED_DATA<\/em> block (“SystemCall”). The meaning of this field changed in Windows XP SP2 and Windows Server 2003 SP1; in prior versions, the SystemCall field held the actual code used to make the system call (and was filled in at runtime with the proper values). In XP SP2 and Srv03 SP1, in the interests of reducing system attack surface, the KUSER_SHARED_DATA<\/em> region was marked non-executable, and SystemCall becomes a pointer to a stub residing in NTDLL (with the pointer value being adjusted at runtime based on the processor type, to refer to an appropriate system call stub).<\/p>\n What this means for you today is that on modern systems, you can expect to see a sequence like so for system calls:<\/p>\n 0x7ffe0300 is +0x300 bytes into KUSER_SHARED_DATA<\/em>. Looking at the structure definition, we can see that this is “SystemCall”:<\/p>\n Since my system is Srv03 SP1, SystemCall is a pointer to a stub in NTDLL.<\/p>\n On my system, the system call dispatcher is using sysenter<\/em>. You can look at the old int 2e<\/em> dispatcher if you wish, as it is still supported for compatibility with older processors:<\/p>\n The actual calling convention used by the system call dispatcher is thus:<\/p>\n For most of the time, though, you’ll probably not be dealing directly with the system call dispatching mechanism itself. If you are, however, now you know how it works.<\/p>\n","protected":false},"excerpt":{"rendered":" The system call dispatcher on x86 NT has undergone several revisions over the years. Until recently, the primary method used to make system calls was the int 2e instruction (software interrupt, vector 0x2e). This is a fairly quick way to enter CPL 0 (kernel mode), and it is backwards compatible with all 32-bit capable x86 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,4,8,5],"tags":[],"_links":{"self":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/48"}],"collection":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48"}],"version-history":[{"count":1,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions"}],"predecessor-version":[{"id":686,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions\/686"}],"wp:attachment":[{"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.nynaeve.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}0:001> u ntdll!NtClose\r\nntdll!ZwClose:\r\n7c821138 b81b000000 mov eax,0x1b\r\n7c82113d ba0003fe7f mov edx,0x7ffe0300\r\n7c821142 ff12 call dword ptr [edx]\r\n7c821144 c20400 ret 0x4\r\n7c821147 90 nop\r\n<\/pre>\n
0:001> dt ntdll!_KUSER_SHARED_DATA\r\n +0x000 TickCountLowDeprecated : Uint4B\r\n +0x004 TickCountMultiplier : Uint4B\r\n +0x008 InterruptTime : _KSYSTEM_TIME\r\n [...]\r\n +0x300 SystemCall : Uint4B\r\n +0x304 SystemCallReturn : Uint4B\r\n +0x308 SystemCallPad : [3] Uint8B\r\n [...]<\/pre>\n
0:001> u poi(0x7ffe0300)\r\nntdll!KiFastSystemCall:\r\n7c82ed50 8bd4 mov edx,esp\r\n7c82ed52 0f34 sysenter\r\nntdll!KiFastSystemCallRet:\r\n7c82ed54 c3 ret\r\n<\/pre>\n
0:001> u ntdll!KiIntsystemCall\r\nntdll!KiIntSystemCall:\r\n7c82ed60 8d542408 lea edx,[esp+0x8]\r\n7c82ed64 cd2e int 2e\r\n7c82ed66 c3 ret\r\n<\/pre>\n
\n