cassemblysystem-callswindows-11

how can I find systemcall on windows?

I'm beginner on assembly code. I never used at windows assembly code, so I really confused.

I try to catch system call when I run printf("hello world!\n") in windows 11, visual studio 2022. I write my whole code at last paragraph.

Actually I want to do is, capturing the system call which printf() calling during printf() working. That means, I want to find How c library can calling system call.

well, I do like that...

  1. write printf("hello world!\n"); completed code on VS2022.
  2. make breakpoint at printf() line.
  3. run local windows debugger with release mode, x64 architecture.
  4. open disassembly window and register window on vs2022.
  5. run only one line at once with press F11

I tried that...

  1. find syscall function, but VS2022's disassembly can't search syscall.
  2. find call function line and try to searching RAX code changes as 0x0001(windows systemcall) , but I can't find that.
  3. find RAX code changed as 0x0001, but I find RAX code changed like 0x0001 such as add function.
  4. find the code line that output appear on terminal, but I press F11 key during 10 minutes. Is this correct? But, more assembly codes still remained, not finished code run.

so, I have some question...

  1. Is this catching system call`s procedure correct? If It isn't, how can I trying that?
  2. I tried to searching which assembly functions call system call. The answer is, syscall or 'call' with RAX values changes like windows system call such as '0x0001' That means, searching syscall or call function is first, then searching RAX values. Is that true?
  3. convert windows printf() function code to assembly code. Is output code very long? I don't understand why I try during over 10 minutes to watch output on terminal.

Thank you for reading.

#the whole code
#include <stdio.h>

int main() {
    printf("Hello world\n");
}
Solution

  • printf is a function of libc, which does not map to any Windows syscall.

    If you want use printf without any library, you would have to implement it by yourself.

    Here is the syscall table for Windows: https://github.com/hfiref0x/SyscallTables

    Please kindly note that Microsoft is changing the syscall id by different versions / builds of Windows. This means even you could implement a printf without calling Windows libraries, it is very likely only works on your local machine.

    Edit: Since question was updated...

    No, libc do not use syscall directly, it invokes APIs in kernel32.dll (and other system libraries like user32.dll and kernelbase.dll, etc.); all syscalls are eventually done in ntdll.dll.

    This is because syscall id and calling convention of ntdll.dll APIs are constantly changing between different versions of Windows. In order to make the program works on other builds of Windows, libc only use APIs that are documented in Windows SDK, which are guarantee to work by Microsoft.

    All syscalls / undocumented API may changes after any update without announcement, because they are not supposedly to be used in user programs. In case you are developing shell scripts, (anti-)anti-debug tools, etc., that only works in specifics version of Windows, then you could use these API directly. Otherwise you should not use them.

    If you are interesting in how Windows APIs invokes syscall, you may debug the Nt* and Rtl* APIs in ntdll.dll, which actually use the syscall directly.You can also find some documentations about the undocumented API here or reactOS, etc.