Reversing : The Hacker's Guide to Reverse Engineering

ntdll!ZwReadFile:
77f4302f mov eax,0xbf
77f43034 mov edx,0x7ffe0300
77f43039 call edx
77f4303b ret 0x24

This function calls into SharedUserData!SystemCallStub (every system call goes through this function). The following is a disassembly of the code at 7ffe0300.


SharedUserData!SystemCallStub:
7ffe0300 mov edx,esp
7ffe0302 sysenter
7ffe0304 ret

If you're wondering why this extra call is required (instead of just invoking SYSENTER from within the system API), it's because SYSENTER records no state information whatsoever. In the previous implementation, the invocation of int 2e would store the current value of the EIP and EFLAGS registers. SYSENTER, on the other hand, stores no state information, so by calling into the SystemCallStub the operating system is recording the address of the current user-mode stub in the stack, so that it later knows where to return. Once the kernel completes the call and needs to go back to user mode, it simply jumps to the address recorded in the stack by that call from the API into SystemCallStub; the RET instruction at 7ffe0304 is never actually executed.
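The stub shape shown above (mov eax,imm32; mov edx,0x7ffe0300; call edx; ret imm16) is regular enough to decode mechanically. The following is an added example, not code from the book: it decodes the 15 bytes of ntdll!ZwReadFile into the system call number, the SystemCallStub target and the argument count, and reports a mismatch when the bytes no longer fit the pattern. Both byte strings are constructed here; the second is the same stub with its first instruction overwritten by a relative jmp, the shape a patched stub typically has, and the name `SyscallStub` is this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 15 bytes of ntdll!ZwReadFile as disassembled above.
# mov eax,0xbf / mov edx,0x7ffe0300 / call edx / ret 0x24
ZWREADFILE_STUB = bytes.fromhex("b8bf000000" "ba0003fe7f" "ffd2" "c22400")

# Constructed sample: the same stub with its first instruction replaced by
# a relative jmp (E9 rel32), so it no longer starts with mov eax,imm32.
HOOKED_STUB = bytes.fromhex("e9" "00100000") + ZWREADFILE_STUB[5:]

SYSTEM_CALL_STUB = 0x7FFE0300   # SharedUserData!SystemCallStub

@dataclass
class SyscallStub:
    number: int          # value loaded into EAX (system call number)
    stub_target: int     # address loaded into EDX and called
    arg_bytes: int       # RET operand: bytes of stdcall arguments removed

    @property
    def arg_count(self) -> int:
        return self.arg_bytes // 4   # 32-bit arguments

def decode_stub(code: bytes) -> Optional[SyscallStub]:
    """Decode the 32-bit ntdll system call stub pattern
    (mov eax,imm32; mov edx,imm32; call edx; ret imm16).
    Returns None when the bytes do not match, e.g. because the first
    instruction was overwritten or the stub does not call SystemCallStub."""
    if len(code) < 15:
        return None
    if (code[0] != 0xB8 or code[5] != 0xBA
            or code[10:12] != b"\xff\xd2" or code[12] != 0xC2):
        return None
    number = struct.unpack_from("<I", code, 1)[0]
    target = struct.unpack_from("<I", code, 6)[0]
    arg_bytes = struct.unpack_from("<H", code, 13)[0]
    if target != SYSTEM_CALL_STUB:
        return None   # does not go through SharedUserData!SystemCallStub
    return SyscallStub(number, target, arg_bytes)

def describe(name: str, code: bytes) -> str:
    stub = decode_stub(code)
    if stub is None:
        return f"{name}: does not match the expected stub pattern"
    return (f"{name}: syscall 0x{stub.number:x}, {stub.arg_count} args, "
            f"via SystemCallStub at 0x{stub.stub_target:08x}")

if __name__ == "__main__":
    print(describe("ntdll!ZwReadFile", ZWREADFILE_STUB))
    print(describe("ntdll!ZwReadFile (patched)", HOOKED_STUB))
```

The RET operand doubles as an argument count: 0x24 bytes is nine 32-bit arguments, which matches ZwReadFile's parameter list.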


Executable Formats


A basic understanding of executable formats is critical for reversers because a program's executable often gives significant hints about a program's architecture. I'd say that in general, a true hacker must understand the system's executable format in order to truly understand the system.
This section will cover the basic structure of Windows' executable file format: the Portable Executable (PE). To avoid turning this into a boring listing of the individual fields, I will only discuss the general concepts of portable executables and the interesting fields. For a full listing of the individual fields, you can use the MSDN (at http://msdn.microsoft.com) to look up the specific data structures specified in the section titled "Headers."


Basic Concepts


Probably the most important thing to bear in mind when dealing with executable files is that they're relocatable. This simply means that they could be


Windows Fundamentals 93