
Thursday, March 06, 2008

Digging up system call ordinals

Today I was hacking a small tool and I needed a list of all the system call ordinals corresponding to the APIs exported by NTDLL.DLL. A bit of googling didn't come up with anything too interesting so I wrote a small IDAPython script to harvest them out of a disassembly of NTDLL.DLL.
The script will simply iterate through every segment and every function and try to find the byte pattern corresponding to the prolog of API functions calling the stub doing the SYSENTER, SYSCALL or INT 2Eh.
At least in Windows XP SP2 they will have the form:

MOV  eax, XX          ; XX is the syscall ordinal
MOV  edx, 7FFE0300h   ; the stub doing the transition to kernel mode; the actual
                      ; code reached depends on the underlying processor
CALL [edx]


Those instructions correspond to the byte sequence 'B8 ? 00 00 00 BA 00 03 FE 7F'. I'll just tell IDAPython to look for it at the beginning of each function and, if found, I'll extract the value of the system call ordinal and the name of the function and print a list of them:

# IDA FindBinary pattern for the XP SP2 prolog shown above; the '?' is the
# ordinal byte. Since the second byte is fixed to 00, only ordinals below
# 0x100 are matched; use 'b8 ? ? 00 00 ba 00 03 fe 7f' to also catch the rest.
syscall_ordinal_code = 'b8 ? 00 00 00 ba 00 03 fe 7f'

for seg in Segments():
  for func in Functions(seg, SegEnd(seg)):
    # search forward from the function start; a hit exactly at the start
    # means the function begins with the syscall prolog
    address = FindBinary(func, SEARCH_DOWN, syscall_ordinal_code)
    if address == func:
      # Dword(func+1) is the imm32 of 'mov eax, XX'; the comment holds the Nt alias
      print '%08x: Syscall ordinal %04x for %s (%s)' % (
        func, Dword(func+1), Name(func), Comment(func))


And the outcome of running the script in IDA on NTDLL.DLL looks like this:

7c90d379: Syscall ordinal 0000 for ZwAcceptConnectPort (NtAcceptConnectPort)
7c90d38e: Syscall ordinal 0001 for ZwAccessCheck (NtAccessCheck)
7c90d3a3: Syscall ordinal 0002 for ZwAccessCheckAndAuditAlarm (NtAccessCheckAndAuditAlarm)
7c90d3b8: Syscall ordinal 0003 for ZwAccessCheckByType (NtAccessCheckByType)
7c90d3cd: Syscall ordinal 0004 for ZwAccessCheckByTypeAndAuditAlarm (NtAccessCheckByTypeAndAuditAlarm)
7c90d3e2: Syscall ordinal 0005 for ZwAccessCheckByTypeResultList (NtAccessCheckByTypeResultList)
7c90d3f7: Syscall ordinal 0006 for ZwAccessCheckByTypeResultListAndAuditAlarm (NtAccessCheckByTypeResultListAndAuditAlarm)
7c90d40c: Syscall ordinal 0007 for ZwAccessCheckByTypeResultListAndAuditAlarmByHandle (NtAccessCheckByTypeResultListAndAuditAlarmByHandle)
7c90d421: Syscall ordinal 0008 for ZwAddAtom (NtAddAtom)
7c90d436: Syscall ordinal 0009 for ZwAddBootEntry (NtAddBootEntry)
7c90d44b: Syscall ordinal 000a for ZwAdjustGroupsToken (NtAdjustGroupsToken)
7c90d460: Syscall ordinal 000b for ZwAdjustPrivilegesToken (NtAdjustPrivilegesToken)
7c90d475: Syscall ordinal 000c for ZwAlertResumeThread (NtAlertResumeThread)
7c90d48a: Syscall ordinal 000d for ZwAlertThread (NtAlertThread)
7c90d49f: Syscall ordinal 000e for ZwAllocateLocallyUniqueId (NtAllocateLocallyUniqueId)
7c90d4b4: Syscall ordinal 000f for ZwAllocateUserPhysicalPages (NtAllocateUserPhysicalPages)
7c90d4c9: Syscall ordinal 0010 for ZwAllocateUuids (NtAllocateUuids)
7c90d4de: Syscall ordinal 0011 for ZwAllocateVirtualMemory (NtAllocateVirtualMemory)
7c90d4f3: Syscall ordinal 0012 for ZwAreMappedFilesTheSame (NtAreMappedFilesTheSame)
7c90d508: Syscall ordinal 0013 for ZwAssignProcessToJobObject (NtAssignProcessToJobObject)
7c90d51d: Syscall ordinal 0014 for ZwCallbackReturn (NtCallbackReturn)
7c90d532: Syscall ordinal 0015 for ZwCancelDeviceWakeupRequest (NtCancelDeviceWakeupRequest)
7c90d547: Syscall ordinal 0016 for ZwCancelIoFile (NtCancelIoFile)
7c90d55c: Syscall ordinal 0017 for ZwCancelTimer (NtCancelTimer)
7c90d571: Syscall ordinal 0018 for ZwClearEvent (NtClearEvent)
7c90d586: Syscall ordinal 0019 for ZwClose (NtClose)
7c90d59b: Syscall ordinal 001a for ZwCloseObjectAuditAlarm (NtCloseObjectAuditAlarm)
7c90d5b0: Syscall ordinal 001b for ZwCompactKeys (NtCompactKeys)
7c90d5c5: Syscall ordinal 001c for ZwCompareTokens (NtCompareTokens)
7c90d5da: Syscall ordinal 001d for ZwCompleteConnectPort (NtCompleteConnectPort)
7c90d5ef: Syscall ordinal 001e for ZwCompressKey (NtCompressKey)
7c90d604: Syscall ordinal 001f for ZwConnectPort (NtConnectPort)
7c90d619: Syscall ordinal 0020 for ZwContinue (NtContinue)
7c90d62e: Syscall ordinal 0021 for ZwCreateDebugObject (NtCreateDebugObject)
7c90d643: Syscall ordinal 0022 for ZwCreateDirectoryObject (NtCreateDirectoryObject)
7c90d658: Syscall ordinal 0023 for ZwCreateEvent (NtCreateEvent)
7c90d66d: Syscall ordinal 0024 for ZwCreateEventPair (NtCreateEventPair)
7c90d682: Syscall ordinal 0025 for ZwCreateFile (NtCreateFile)
7c90d697: Syscall ordinal 0026 for ZwCreateIoCompletion (NtCreateIoCompletion)
7c90d6ac: Syscall ordinal 0027 for ZwCreateJobObject (NtCreateJobObject)
7c90d6c1: Syscall ordinal 0028 for ZwCreateJobSet (NtCreateJobSet)
7c90d6d6: Syscall ordinal 0029 for ZwCreateKey (NtCreateKey)
7c90d6eb: Syscall ordinal 002a for ZwCreateMailslotFile (NtCreateMailslotFile)
7c90d700: Syscall ordinal 002b for ZwCreateMutant (NtCreateMutant)
7c90d715: Syscall ordinal 002c for ZwCreateNamedPipeFile (NtCreateNamedPipeFile)
7c90d72a: Syscall ordinal 002d for ZwCreatePagingFile (NtCreatePagingFile)
7c90d73f: Syscall ordinal 002e for ZwCreatePort (NtCreatePort)
7c90d754: Syscall ordinal 002f for ZwCreateProcess (NtCreateProcess)
7c90d769: Syscall ordinal 0030 for ZwCreateProcessEx (NtCreateProcessEx)
7c90d77e: Syscall ordinal 0031 for ZwCreateProfile (NtCreateProfile)
7c90d793: Syscall ordinal 0032 for ZwCreateSection (NtCreateSection)
7c90d7a8: Syscall ordinal 0033 for ZwCreateSemaphore (NtCreateSemaphore)
7c90d7bd: Syscall ordinal 0034 for ZwCreateSymbolicLinkObject (NtCreateSymbolicLinkObject)
7c90d7d2: Syscall ordinal 0035 for ZwCreateThread (NtCreateThread)
7c90d7e7: Syscall ordinal 0036 for ZwCreateTimer (NtCreateTimer)
7c90d7fc: Syscall ordinal 0037 for ZwCreateToken (NtCreateToken)
7c90d811: Syscall ordinal 0038 for ZwCreateWaitablePort (NtCreateWaitablePort)
7c90d826: Syscall ordinal 0039 for ZwDebugActiveProcess (NtDebugActiveProcess)
7c90d83b: Syscall ordinal 003a for ZwDebugContinue (NtDebugContinue)
7c90d850: Syscall ordinal 003b for ZwDelayExecution (NtDelayExecution)
7c90d865: Syscall ordinal 003c for ZwDeleteAtom (NtDeleteAtom)
7c90d87a: Syscall ordinal 003d for ZwDeleteBootEntry (NtDeleteBootEntry)
7c90d88f: Syscall ordinal 003e for ZwDeleteFile (NtDeleteFile)
7c90d8a4: Syscall ordinal 003f for ZwDeleteKey (NtDeleteKey)
7c90d8b9: Syscall ordinal 0040 for ZwDeleteObjectAuditAlarm (NtDeleteObjectAuditAlarm)
7c90d8ce: Syscall ordinal 0041 for ZwDeleteValueKey (NtDeleteValueKey)
7c90d8e3: Syscall ordinal 0042 for ZwDeviceIoControlFile (NtDeviceIoControlFile)
7c90d8f8: Syscall ordinal 0043 for ZwDisplayString (NtDisplayString)
7c90d90d: Syscall ordinal 0044 for ZwDuplicateObject (NtDuplicateObject)
7c90d922: Syscall ordinal 0045 for ZwDuplicateToken (NtDuplicateToken)
7c90d937: Syscall ordinal 0046 for ZwEnumerateBootEntries (NtEnumerateBootEntries)
7c90d94c: Syscall ordinal 0047 for ZwEnumerateKey (NtEnumerateKey)
7c90d961: Syscall ordinal 0048 for ZwEnumerateSystemEnvironmentValuesEx (NtEnumerateSystemEnvironmentValuesEx)
7c90d976: Syscall ordinal 0049 for ZwEnumerateValueKey (NtEnumerateValueKey)
7c90d98b: Syscall ordinal 004a for ZwExtendSection (NtExtendSection)
7c90d9a0: Syscall ordinal 004b for ZwFilterToken (NtFilterToken)
7c90d9b5: Syscall ordinal 004c for ZwFindAtom (NtFindAtom)
7c90d9ca: Syscall ordinal 004d for ZwFlushBuffersFile (NtFlushBuffersFile)
7c90d9df: Syscall ordinal 004e for ZwFlushInstructionCache (NtFlushInstructionCache)
7c90d9f4: Syscall ordinal 004f for ZwFlushKey (NtFlushKey)
7c90da09: Syscall ordinal 0050 for ZwFlushVirtualMemory (NtFlushVirtualMemory)
7c90da1e: Syscall ordinal 0051 for ZwFlushWriteBuffer (NtFlushWriteBuffer)
7c90da33: Syscall ordinal 0052 for ZwFreeUserPhysicalPages (NtFreeUserPhysicalPages)
7c90da48: Syscall ordinal 0053 for ZwFreeVirtualMemory (NtFreeVirtualMemory)
7c90da5d: Syscall ordinal 0054 for ZwFsControlFile (NtFsControlFile)
7c90da72: Syscall ordinal 0055 for ZwGetContextThread (NtGetContextThread)
7c90da87: Syscall ordinal 0056 for ZwGetDevicePowerState (NtGetDevicePowerState)
7c90da9c: Syscall ordinal 0057 for ZwGetPlugPlayEvent (NtGetPlugPlayEvent)
7c90dab1: Syscall ordinal 0058 for ZwGetWriteWatch (NtGetWriteWatch)
7c90dac6: Syscall ordinal 0059 for ZwImpersonateAnonymousToken (NtImpersonateAnonymousToken)
7c90dadb: Syscall ordinal 005a for ZwImpersonateClientOfPort (NtImpersonateClientOfPort)
7c90daf0: Syscall ordinal 005b for ZwImpersonateThread (NtImpersonateThread)
7c90db05: Syscall ordinal 005c for ZwInitializeRegistry (NtInitializeRegistry)
7c90db1a: Syscall ordinal 005d for ZwInitiatePowerAction (NtInitiatePowerAction)
7c90db2f: Syscall ordinal 005e for ZwIsProcessInJob (NtIsProcessInJob)
7c90db44: Syscall ordinal 005f for ZwIsSystemResumeAutomatic (NtIsSystemResumeAutomatic)
7c90db59: Syscall ordinal 0060 for ZwListenPort (NtListenPort)
7c90db6e: Syscall ordinal 0061 for ZwLoadDriver (NtLoadDriver)
7c90db83: Syscall ordinal 0062 for ZwLoadKey (NtLoadKey)
7c90db98: Syscall ordinal 0063 for ZwLoadKey2 (NtLoadKey2)
7c90dbad: Syscall ordinal 0064 for ZwLockFile (NtLockFile)
7c90dbc2: Syscall ordinal 0065 for ZwLockProductActivationKeys (NtLockProductActivationKeys)
7c90dbd7: Syscall ordinal 0066 for ZwLockRegistryKey (NtLockRegistryKey)
7c90dbec: Syscall ordinal 0067 for ZwLockVirtualMemory (NtLockVirtualMemory)
7c90dc01: Syscall ordinal 0068 for ZwMakePermanentObject (NtMakePermanentObject)
7c90dc16: Syscall ordinal 0069 for ZwMakeTemporaryObject (NtMakeTemporaryObject)
7c90dc2b: Syscall ordinal 006a for ZwMapUserPhysicalPages (NtMapUserPhysicalPages)
7c90dc40: Syscall ordinal 006b for ZwMapUserPhysicalPagesScatter (NtMapUserPhysicalPagesScatter)
7c90dc55: Syscall ordinal 006c for ZwMapViewOfSection (NtMapViewOfSection)
7c90dc6a: Syscall ordinal 006d for ZwModifyBootEntry (NtModifyBootEntry)
7c90dc7f: Syscall ordinal 006e for ZwNotifyChangeDirectoryFile (NtNotifyChangeDirectoryFile)
7c90dc94: Syscall ordinal 006f for ZwNotifyChangeKey (NtNotifyChangeKey)
7c90dca9: Syscall ordinal 0070 for ZwNotifyChangeMultipleKeys (NtNotifyChangeMultipleKeys)
7c90dcbe: Syscall ordinal 0071 for ZwOpenDirectoryObject (NtOpenDirectoryObject)
7c90dcd3: Syscall ordinal 0072 for ZwOpenEvent (NtOpenEvent)
7c90dce8: Syscall ordinal 0073 for ZwOpenEventPair (NtOpenEventPair)
7c90dcfd: Syscall ordinal 0074 for ZwOpenFile (NtOpenFile)
7c90dd12: Syscall ordinal 0075 for ZwOpenIoCompletion (NtOpenIoCompletion)
7c90dd27: Syscall ordinal 0076 for ZwOpenJobObject (NtOpenJobObject)
7c90dd3c: Syscall ordinal 0077 for ZwOpenKey (NtOpenKey)
7c90dd51: Syscall ordinal 0078 for ZwOpenMutant (NtOpenMutant)
7c90dd66: Syscall ordinal 0079 for ZwOpenObjectAuditAlarm (NtOpenObjectAuditAlarm)
7c90dd7b: Syscall ordinal 007a for ZwOpenProcess (NtOpenProcess)
7c90dd90: Syscall ordinal 007b for ZwOpenProcessToken (NtOpenProcessToken)
7c90dda5: Syscall ordinal 007c for ZwOpenProcessTokenEx (NtOpenProcessTokenEx)
7c90ddba: Syscall ordinal 007d for ZwOpenSection (NtOpenSection)
7c90ddcf: Syscall ordinal 007e for ZwOpenSemaphore (NtOpenSemaphore)
7c90dde4: Syscall ordinal 007f for ZwOpenSymbolicLinkObject (NtOpenSymbolicLinkObject)
7c90ddf9: Syscall ordinal 0080 for ZwOpenThread (NtOpenThread)
7c90de0e: Syscall ordinal 0081 for ZwOpenThreadToken (NtOpenThreadToken)
7c90de23: Syscall ordinal 0082 for ZwOpenThreadTokenEx (NtOpenThreadTokenEx)
7c90de38: Syscall ordinal 0083 for ZwOpenTimer (NtOpenTimer)
7c90de4d: Syscall ordinal 0084 for ZwPlugPlayControl (NtPlugPlayControl)
7c90de62: Syscall ordinal 0085 for ZwPowerInformation (NtPowerInformation)
7c90de77: Syscall ordinal 0086 for ZwPrivilegeCheck (NtPrivilegeCheck)
7c90de8c: Syscall ordinal 0087 for ZwPrivilegeObjectAuditAlarm (NtPrivilegeObjectAuditAlarm)
7c90dea1: Syscall ordinal 0088 for ZwPrivilegedServiceAuditAlarm (NtPrivilegedServiceAuditAlarm)
7c90deb6: Syscall ordinal 0089 for ZwProtectVirtualMemory (NtProtectVirtualMemory)
7c90decb: Syscall ordinal 008a for ZwPulseEvent (NtPulseEvent)
7c90dee0: Syscall ordinal 008b for ZwQueryAttributesFile (NtQueryAttributesFile)
7c90def5: Syscall ordinal 008c for ZwQueryBootEntryOrder (NtQueryBootEntryOrder)
7c90df0a: Syscall ordinal 008d for ZwQueryBootOptions (NtQueryBootOptions)
7c90df1f: Syscall ordinal 008e for ZwQueryDebugFilterState (NtQueryDebugFilterState)
7c90df34: Syscall ordinal 008f for ZwQueryDefaultLocale (NtQueryDefaultLocale)
7c90df49: Syscall ordinal 0090 for ZwQueryDefaultUILanguage (NtQueryDefaultUILanguage)
7c90df5e: Syscall ordinal 0091 for ZwQueryDirectoryFile (NtQueryDirectoryFile)
7c90df73: Syscall ordinal 0092 for ZwQueryDirectoryObject (NtQueryDirectoryObject)
7c90df88: Syscall ordinal 0093 for ZwQueryEaFile (NtQueryEaFile)
7c90df9d: Syscall ordinal 0094 for ZwQueryEvent (NtQueryEvent)
7c90dfb2: Syscall ordinal 0095 for ZwQueryFullAttributesFile (NtQueryFullAttributesFile)
7c90dfc7: Syscall ordinal 0096 for ZwQueryInformationAtom (NtQueryInformationAtom)
7c90dfdc: Syscall ordinal 0097 for ZwQueryInformationFile (NtQueryInformationFile)
7c90dff1: Syscall ordinal 0098 for ZwQueryInformationJobObject (NtQueryInformationJobObject)
7c90e006: Syscall ordinal 0099 for ZwQueryInformationPort (NtQueryInformationPort)
7c90e01b: Syscall ordinal 009a for ZwQueryInformationProcess (NtQueryInformationProcess)
7c90e030: Syscall ordinal 009b for ZwQueryInformationThread (NtQueryInformationThread)
7c90e045: Syscall ordinal 009c for ZwQueryInformationToken (NtQueryInformationToken)
7c90e05a: Syscall ordinal 009d for ZwQueryInstallUILanguage (NtQueryInstallUILanguage)
7c90e06f: Syscall ordinal 009e for ZwQueryIntervalProfile (NtQueryIntervalProfile)
7c90e084: Syscall ordinal 009f for ZwQueryIoCompletion (NtQueryIoCompletion)
7c90e099: Syscall ordinal 00a0 for ZwQueryKey (NtQueryKey)
7c90e0ae: Syscall ordinal 00a1 for ZwQueryMultipleValueKey (NtQueryMultipleValueKey)
7c90e0c3: Syscall ordinal 00a2 for ZwQueryMutant (NtQueryMutant)
7c90e0d8: Syscall ordinal 00a3 for ZwQueryObject (NtQueryObject)
7c90e0ed: Syscall ordinal 00a4 for ZwQueryOpenSubKeys (NtQueryOpenSubKeys)
7c90e102: Syscall ordinal 00a5 for ZwQueryPerformanceCounter (NtQueryPerformanceCounter)
7c90e117: Syscall ordinal 00a6 for ZwQueryQuotaInformationFile (NtQueryQuotaInformationFile)
7c90e12c: Syscall ordinal 00a7 for ZwQuerySection (NtQuerySection)
7c90e141: Syscall ordinal 00a8 for ZwQuerySecurityObject (NtQuerySecurityObject)
7c90e156: Syscall ordinal 00a9 for ZwQuerySemaphore (NtQuerySemaphore)
7c90e16b: Syscall ordinal 00aa for ZwQuerySymbolicLinkObject (NtQuerySymbolicLinkObject)
7c90e180: Syscall ordinal 00ab for ZwQuerySystemEnvironmentValue (NtQuerySystemEnvironmentValue)
7c90e195: Syscall ordinal 00ac for ZwQuerySystemEnvironmentValueEx (NtQuerySystemEnvironmentValueEx)
7c90e1aa: Syscall ordinal 00ad for ZwQuerySystemInformation (NtQuerySystemInformation RtlGetNativeSystemInformation)
7c90e1bf: Syscall ordinal 00ae for ZwQuerySystemTime (NtQuerySystemTime)
7c90e1d4: Syscall ordinal 00af for ZwQueryTimer (NtQueryTimer)
7c90e1e9: Syscall ordinal 00b0 for ZwQueryTimerResolution (NtQueryTimerResolution)
7c90e1fe: Syscall ordinal 00b1 for ZwQueryValueKey (NtQueryValueKey)
7c90e213: Syscall ordinal 00b2 for ZwQueryVirtualMemory (NtQueryVirtualMemory)
7c90e228: Syscall ordinal 00b3 for ZwQueryVolumeInformationFile (NtQueryVolumeInformationFile)
7c90e23d: Syscall ordinal 00b4 for ZwQueueApcThread (NtQueueApcThread)
7c90e252: Syscall ordinal 00b5 for ZwRaiseException (NtRaiseException)
7c90e267: Syscall ordinal 00b6 for ZwRaiseHardError (NtRaiseHardError)
7c90e27c: Syscall ordinal 00b7 for ZwReadFile (NtReadFile)
7c90e291: Syscall ordinal 00b8 for ZwReadFileScatter (NtReadFileScatter)
7c90e2a6: Syscall ordinal 00b9 for ZwReadRequestData (NtReadRequestData)
7c90e2bb: Syscall ordinal 00ba for ZwReadVirtualMemory (NtReadVirtualMemory)
7c90e2d0: Syscall ordinal 00bb for ZwRegisterThreadTerminatePort (NtRegisterThreadTerminatePort)
7c90e2e5: Syscall ordinal 00bc for ZwReleaseMutant (NtReleaseMutant)
7c90e2fa: Syscall ordinal 00bd for ZwReleaseSemaphore (NtReleaseSemaphore)
7c90e30f: Syscall ordinal 00be for ZwRemoveIoCompletion (NtRemoveIoCompletion)
7c90e324: Syscall ordinal 00bf for ZwRemoveProcessDebug (NtRemoveProcessDebug)
7c90e339: Syscall ordinal 00c0 for ZwRenameKey (NtRenameKey)
7c90e34e: Syscall ordinal 00c1 for ZwReplaceKey (NtReplaceKey)
7c90e363: Syscall ordinal 00c2 for ZwReplyPort (NtReplyPort)
7c90e378: Syscall ordinal 00c3 for ZwReplyWaitReceivePort (NtReplyWaitReceivePort)
7c90e38d: Syscall ordinal 00c4 for ZwReplyWaitReceivePortEx (NtReplyWaitReceivePortEx)
7c90e3a2: Syscall ordinal 00c5 for ZwReplyWaitReplyPort (NtReplyWaitReplyPort)
7c90e3b7: Syscall ordinal 00c6 for ZwRequestDeviceWakeup (NtRequestDeviceWakeup)
7c90e3cc: Syscall ordinal 00c7 for ZwRequestPort (NtRequestPort)
7c90e3e1: Syscall ordinal 00c8 for ZwRequestWaitReplyPort (NtRequestWaitReplyPort)
7c90e3f6: Syscall ordinal 00c9 for ZwRequestWakeupLatency (NtRequestWakeupLatency)
7c90e40b: Syscall ordinal 00ca for ZwResetEvent (NtResetEvent)
7c90e420: Syscall ordinal 00cb for ZwResetWriteWatch (NtResetWriteWatch)
7c90e435: Syscall ordinal 00cc for ZwRestoreKey (NtRestoreKey)
7c90e44a: Syscall ordinal 00cd for ZwResumeProcess (NtResumeProcess)
7c90e45f: Syscall ordinal 00ce for ZwResumeThread (NtResumeThread)
7c90e474: Syscall ordinal 00cf for ZwSaveKey (NtSaveKey)
7c90e489: Syscall ordinal 00d0 for ZwSaveKeyEx (NtSaveKeyEx)
7c90e49e: Syscall ordinal 00d1 for ZwSaveMergedKeys (NtSaveMergedKeys)
7c90e4b3: Syscall ordinal 00d2 for ZwSecureConnectPort (NtSecureConnectPort)
7c90e4c8: Syscall ordinal 00d3 for ZwSetBootEntryOrder (NtSetBootEntryOrder)
7c90e4dd: Syscall ordinal 00d4 for ZwSetBootOptions (NtSetBootOptions)
7c90e4f2: Syscall ordinal 00d5 for ZwSetContextThread (NtSetContextThread)
7c90e507: Syscall ordinal 00d6 for ZwSetDebugFilterState (NtSetDebugFilterState)
7c90e51c: Syscall ordinal 00d7 for ZwSetDefaultHardErrorPort (NtSetDefaultHardErrorPort)
7c90e531: Syscall ordinal 00d8 for ZwSetDefaultLocale (NtSetDefaultLocale)
7c90e546: Syscall ordinal 00d9 for ZwSetDefaultUILanguage (NtSetDefaultUILanguage)
7c90e55b: Syscall ordinal 00da for ZwSetEaFile (NtSetEaFile)
7c90e570: Syscall ordinal 00db for ZwSetEvent (NtSetEvent)
7c90e585: Syscall ordinal 00dc for ZwSetEventBoostPriority (NtSetEventBoostPriority)
7c90e59a: Syscall ordinal 00dd for ZwSetHighEventPair (NtSetHighEventPair)
7c90e5af: Syscall ordinal 00de for ZwSetHighWaitLowEventPair (NtSetHighWaitLowEventPair)
7c90e5c4: Syscall ordinal 00df for ZwSetInformationDebugObject (NtSetInformationDebugObject)
7c90e5d9: Syscall ordinal 00e0 for ZwSetInformationFile (NtSetInformationFile)
7c90e5ee: Syscall ordinal 00e1 for ZwSetInformationJobObject (NtSetInformationJobObject)
7c90e603: Syscall ordinal 00e2 for ZwSetInformationKey (NtSetInformationKey)
7c90e618: Syscall ordinal 00e3 for ZwSetInformationObject (NtSetInformationObject)
7c90e62d: Syscall ordinal 00e4 for ZwSetInformationProcess (NtSetInformationProcess)
7c90e642: Syscall ordinal 00e5 for ZwSetInformationThread (NtSetInformationThread)
7c90e657: Syscall ordinal 00e6 for ZwSetInformationToken (NtSetInformationToken)
7c90e66c: Syscall ordinal 00e7 for ZwSetIntervalProfile (NtSetIntervalProfile)
7c90e681: Syscall ordinal 00e8 for ZwSetIoCompletion (NtSetIoCompletion)
7c90e696: Syscall ordinal 00e9 for ZwSetLdtEntries (NtSetLdtEntries)
7c90e6ab: Syscall ordinal 00ea for ZwSetLowEventPair (NtSetLowEventPair)
7c90e6c0: Syscall ordinal 00eb for ZwSetLowWaitHighEventPair (NtSetLowWaitHighEventPair)
7c90e6d5: Syscall ordinal 00ec for ZwSetQuotaInformationFile (NtSetQuotaInformationFile)
7c90e6ea: Syscall ordinal 00ed for ZwSetSecurityObject (NtSetSecurityObject)
7c90e6ff: Syscall ordinal 00ee for ZwSetSystemEnvironmentValue (NtSetSystemEnvironmentValue)
7c90e714: Syscall ordinal 00ef for ZwSetSystemEnvironmentValueEx (NtSetSystemEnvironmentValueEx)
7c90e729: Syscall ordinal 00f0 for ZwSetSystemInformation (NtSetSystemInformation)
7c90e73e: Syscall ordinal 00f1 for ZwSetSystemPowerState (NtSetSystemPowerState)
7c90e753: Syscall ordinal 00f2 for ZwSetSystemTime (NtSetSystemTime)
7c90e768: Syscall ordinal 00f3 for ZwSetThreadExecutionState (NtSetThreadExecutionState)
7c90e77d: Syscall ordinal 00f4 for ZwSetTimer (NtSetTimer)
7c90e792: Syscall ordinal 00f5 for ZwSetTimerResolution (NtSetTimerResolution)
7c90e7a7: Syscall ordinal 00f6 for ZwSetUuidSeed (NtSetUuidSeed)
7c90e7bc: Syscall ordinal 00f7 for ZwSetValueKey (NtSetValueKey)
7c90e7d1: Syscall ordinal 00f8 for ZwSetVolumeInformationFile (NtSetVolumeInformationFile)
7c90e7e6: Syscall ordinal 00f9 for ZwShutdownSystem (NtShutdownSystem)
7c90e7fb: Syscall ordinal 00fa for ZwSignalAndWaitForSingleObject (NtSignalAndWaitForSingleObject)
7c90e810: Syscall ordinal 00fb for ZwStartProfile (NtStartProfile)
7c90e825: Syscall ordinal 00fc for ZwStopProfile (NtStopProfile)
7c90e83a: Syscall ordinal 00fd for ZwSuspendProcess (NtSuspendProcess)
7c90e84f: Syscall ordinal 00fe for ZwSuspendThread (NtSuspendThread)
7c90e864: Syscall ordinal 00ff for ZwSystemDebugControl (NtSystemDebugControl)

Update: As somebody pointed out in the comments, there's a really good compilation of system call ordinals up at Metasploit's site.
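The same prolog search can be done offline on a raw byte buffer, which is handy for checking the pattern before loading anything into IDA. The following is an added example (not the post's script, and not tied to any real NTDLL): it implements an IDA-style '?' wildcard matcher, widens the pattern so ordinals of 0x100 and above are found too, and runs it over a constructed buffer containing a decoy and two hand-built stubs.

```python
import re
import struct

# IDA-style search string from the post, with the second ordinal byte also
# wildcarded so that ordinals of 0x100 and above are matched as well.
SYSCALL_STUB_PATTERN = "b8 ? ? 00 00 ba 00 03 fe 7f"
# The post's original pattern, kept for comparison: it fixes byte two to 00.
ORIGINAL_PATTERN = "b8 ? 00 00 00 ba 00 03 fe 7f"


def pattern_to_regex(pattern):
    """Translate an IDA FindBinary-style hex pattern into a compiled bytes
    regex. Each token is a hex byte or '?', which matches any single byte."""
    parts = []
    for tok in pattern.split():
        if tok == "?":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so that '?' also matches a 0x0A byte
    return re.compile(b"".join(parts), re.DOTALL)


def find_syscall_stubs(image, pattern=SYSCALL_STUB_PATTERN):
    """Return [(offset, ordinal), ...] for every stub prolog in the buffer.
    The ordinal is the imm32 of 'mov eax, XX', i.e. the dword at offset+1,
    exactly what Dword(func+1) reads in the IDAPython script."""
    regex = pattern_to_regex(pattern)
    return [(m.start(), struct.unpack_from("<I", image, m.start() + 1)[0])
            for m in regex.finditer(image)]


def format_hits(hits):
    """Render hits in the same style as the post's output (without names)."""
    return ["%08x: Syscall ordinal %04x" % (off, ordinal) for off, ordinal in hits]


def build_stub(ordinal):
    """Construct the 12-byte prolog the post describes for one ordinal:
    mov eax, ordinal / mov edx, 7FFE0300h / call [edx]  (FF 12)."""
    return (b"\xb8" + struct.pack("<I", ordinal)
            + b"\xba" + struct.pack("<I", 0x7FFE0300)
            + b"\xff\x12")


# Constructed sample buffer (not a real NTDLL): a decoy 'mov eax, 19h' that is
# not followed by the edx load, then two genuine stubs, one with an ordinal
# above 0xFF. Offsets: decoy at 0, stubs at 16 and 44.
SAMPLE_IMAGE = (
    b"\xb8\x19\x00\x00\x00" + b"\x90" * 11     # decoy, 16 bytes total
    + build_stub(0x19) + b"\xc2\x04\x00"        # stub + 'ret 4', 15 bytes
    + b"\xcc" * 13                              # padding
    + build_stub(0x101) + b"\xc2\x08\x00"       # stub + 'ret 8'
    + b"\xcc" * 5
)

if __name__ == "__main__":
    for line in format_hits(find_syscall_stubs(SAMPLE_IMAGE)):
        print(line)
```

Running it with ORIGINAL_PATTERN instead returns only the first stub, which is why the listing above stops at ordinal 00ff.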

Wednesday, December 05, 2007

xkcd: Python

[xkcd comic image]
So true

Friday, November 30, 2007

Take Two: Packers, Time and Google Groups

I just had to do it... This morning I read about chronoscope in a post on the Google Code Blog and I could not help wanting to tinker with it.

I wrote a Mathematica function to export a time-series of the format (timestamp, value) into the dataset format used by chronoscope.


Epoch[date_] :=
  ToString[AbsoluteTime[DateList[ToString[date]]] -
  AbsoluteTime[DateList["1970"]]];

ChronoscopeJsExport = Function[ {datasetName, id, label, axis, data},
  jsData = datasetName <>
  " = {\nId: \"" <> ToString[id] <> "\", \n" <> "domain: [" <>
  StringJoin[ Riffle[ Map[ Epoch, data[[All, 1]] ], ", "] ] <>
  "], \n" <> "range: [" <>
  StringJoin[
    Riffle[ Map[ ToString, data[[All, 2]] ], ", "] ] <> "], \n" <>
  "label: \"" <> ToString[label] <> "\", \n" <>
  "axis: \"" <> ToString[axis] <> "\"\n};";
  jsData
];



I ran it over the packer time-series I harvested from Google Groups. Then I picked some widget demo code and put it all together in a mash-up. The results of the quick hack are here... much nicer to visualize than in the previous post (and it's interactive!):
  • Use the mouse-wheel to zoom
  • Drag the plot left/right to browse around different date ranges
  • You can pick any packer and the data will be plotted against the previously selected one



Sunday, November 25, 2007

pefile 1.2.8

And yet another one. pefile 1.2.8 comes with the usual few bugfixes and a slew of enhancements. Some of them are:
  • One can now "relocate" the image by invoking relocate_image(ImageBase) with a new ImageBase; the PE file's relocations will be applied to produce the relocated image.
  • Section entropy is computed faster (thanks to Gergely)
  • MD5, SHA-1, SHA-256, SHA-512 hashes are calculated on a per-section basis (thanks Jim Clausing for the suggestion)
  • Improved (rather, fixed) handling of Unicode strings when parsing the resources information

For more details and downloads head to pefile's project page.

Thursday, August 23, 2007

PyDbg hacks

Pedram just posted on his OpenRCE blog some awesome PyDBG hacks.

Tuesday, August 21, 2007

Great Python overview

Alex Martelli gave a talk in the Baypiggies meeting providing a great overview of Python. Check out the video and slides.

Friday, August 10, 2007

Black Hat Slides

Although originally Halvar Flake and I were supposed to present together in a quick turbo-talk at Black Hat in Las Vegas, he unfortunately couldn't make it to the conference for reasons that have been already discussed.

I ended up sticking mostly to the original plan for the talk and presented some Python tools to automate reverse engineering and analysis processes.

I've just put the slides up here.

Friday, July 06, 2007

Scanning data for entropy anomalies II

Recently Phantal (aka Brian) left some comments on my blog and in OpenRCE on some calculations he did following up on my post Scanning data for entropy anomalies.

He develops the algorithm with the aim of improving the execution speed of the entropy "scanner" example I had shown. I ran through his steps and arrived at the same conclusions he did in his latest comment. I just thought it would be worth showing his work as a separate post rather than just a comment.

His idea is, by looking into the standard definition of entropy, to isolate everything in the expression that doesn't change when the window slides and just update the entropy, instead of blindly recalculating its value from scratch for each offset of the scan window.

Shannon's entropy, usually represented as H, takes the following form if we work with the 256 possible byte values as the symbols:



where p(b) is the probability of the occurrence of a given byte.

H, the entropy, will tend towards its maximum value, 8, if the data has the maximum possible entropy. In such a case the probability of each byte occurring would be the same, which produces

Note that, although this is usually thought of as measuring the "amount of randomness", that is not quite the case. A sequence of bytes starting at 0 and increasing up to 255, going through all the values in order, would reach the maximum entropy value 8, even though it is anything but random.

The probability of a given byte appearing in our window can also be expressed as the number of times the byte appears within the window divided by the width of the window.

The expression for the entropy can be expanded as follows


The entropy after sliding the window will have the same sum expansion except for two terms: those of the byte going out of the window and the byte entering it. We can then just update those and recalculate the expression by first removing the old values for the incoming and outgoing bytes and then adding the new values for both, after updating their counts.
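The update rule just described, written out as an added worked derivation (not from the original post, whose equations are not reproduced here). It uses the post's H and p(b); the count of byte b inside the window is written $c_b$ and the window width $W$, both names assumed here.

$$
H = -\sum_{b=0}^{255} p(b)\,\log_2 p(b), \qquad p(b) = \frac{c_b}{W}, \qquad \sum_{b=0}^{255} c_b = W
$$

If every byte is equally likely, $p(b) = 1/256$ and $H = -256 \cdot \frac{1}{256} \log_2 \frac{1}{256} = 8$.

Write $f(p) = p \log_2 p$ with $f(0) = 0$, so that $H = -\sum_b f(p(b))$. Sliding the window one byte forward removes a byte $o$ and adds a byte $i$, i.e. $c_o \to c_o - 1$ and $c_i \to c_i + 1$, while the other 254 terms are unchanged. The new entropy is therefore

$$
H' = H + f\!\left(\frac{c_o}{W}\right) + f\!\left(\frac{c_i}{W}\right) - f\!\left(\frac{c_o - 1}{W}\right) - f\!\left(\frac{c_i + 1}{W}\right)
$$

which is exactly the order of operations in the implementations that follow (add the old terms back, update the counts, subtract the new terms). When $o = i$ the counts do not change, the four corrections cancel and $H' = H$.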



and that's all. Now on to some implementations in Mathematica and Python (but creating a Mathematica function with Pythonika). His implementation in C can be found in the comments of the previous post.



EntropyScan = Function[{Data, WindowScanSize},

  SummationTerm [Prob_] := If[Prob > 0, Prob Log[2, Prob], 0];

  (* Get the initial chunk and calculate the entropy *)
  CurrentChunk = Data[[ Range[1, WindowScanSize] ]];

  (* Calculate initial byte count and probabilities *)
  ByteCounts = Table[Count[CurrentChunk, i - 1], {i, 1, 256}];
  ByteProbs = Table[ByteCounts[[i]]/WindowScanSize, {i, 1, 256}];

  FilteredByteProbs = Select[ByteProbs, # > 0 &];
  H = - Total[
    Table[FilteredByteProbs[[i]] Log[2, FilteredByteProbs[[i]]],
    {i, 1, Length[FilteredByteProbs]}]];
  Entropies = {H};

  (* Slide the window and recalculate for incoming and outgoing bytes *)
  For[offset = 1, offset + WindowScanSize <= Length[Data], offset++,

    (* Get incoming and outgoing bytes *)
    ByteOut = Data[[offset]] + 1;
    ByteIn = Data[[offset + WindowScanSize]] + 1;

    (* Get the old probabilities *)
    OldValByteOut = SummationTerm[ByteProbs[[ByteOut]]];
    OldValByteIn = SummationTerm[ByteProbs[[ByteIn]]];

    (* Update counters and values *)
    ByteCounts[[ByteOut]]--;
    ByteCounts[[ByteIn]]++;
    ByteProbs[[ByteOut]] = ByteCounts[[ByteOut]]/WindowScanSize;
    ByteProbs[[ByteIn]] = ByteCounts[[ByteIn]]/WindowScanSize;

    (* Get the new probabilities *)
    ValByteOut = SummationTerm[ByteProbs[[ByteOut]]];
    ValByteIn = SummationTerm[ByteProbs[[ByteIn]]];

    (* Update the entropy *)
    H = H + OldValByteOut + OldValByteIn - ValByteIn - ValByteOut;

    Entropies = Append[Entropies, H];
  ];

  Entropies
];





Py["import math"]

EntropyScanPython = PyFunction["\<
def entropy_scan(args):
  # args[0]: list of byte values 0..255, args[1]: window width
  data = args[0]
  window_size = int(args[1])
  n = float(window_size)

  # the p*log2(p) term of the entropy sum; zero for bytes absent from the window
  summation_term = lambda p: p*math.log(p,2) if p>0 else 0

  current_chunk = data[:window_size]
  byte_counts = [current_chunk.count(i) for i in range(256)]
  byte_probs = [byte_counts[i]/n for i in range(256)]

  H = -sum(
    [byte_probs[i]*math.log(byte_probs[i], 2)
      for i in range(256) if byte_probs[i]>0])
  entropies = [H]

  for offset in range(len(data)-window_size):
    byte_out, byte_in = data[offset], data[offset+window_size]

    # contributions of the outgoing and incoming bytes before the update
    old_val_byte_out = summation_term(byte_probs[byte_out])
    old_val_byte_in = summation_term(byte_probs[byte_in])

    byte_counts[byte_out] -= 1
    byte_counts[byte_in] += 1
    byte_probs[byte_out] = byte_counts[byte_out]/n
    byte_probs[byte_in] = byte_counts[byte_in]/n

    # contributions after the update
    val_byte_out = summation_term(byte_probs[byte_out])
    val_byte_in = summation_term(byte_probs[byte_in])

    # H is minus the sum, so old terms are added back and new ones subtracted
    H = H + old_val_byte_out + old_val_byte_in - val_byte_out - val_byte_in
    entropies.append(H)
  return entropies
\>"];
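The incremental scan as a stand-alone Python 3 script, added here as an example (it is not the post's code, nor Phantal's): it runs the constant-work update next to the full recomputation on constructed test data shaped like the earlier post's, so the two can be cross-checked, and it handles the case where the outgoing and incoming bytes are the same value.

```python
import math
import random


def window_entropy(window):
    """Shannon entropy H of a byte string in bits per byte (0.0 .. 8.0),
    recomputed from scratch over all 256 symbols: the slow way."""
    n = len(window)
    counts = [0] * 256
    for b in window:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def naive_entropy_scan(data, window_size):
    """Entropy of every window_size-byte window, one per starting offset."""
    return [window_entropy(data[x:x + window_size])
            for x in range(len(data) - window_size + 1)]


def incremental_entropy_scan(data, window_size):
    """Same result as naive_entropy_scan, but after the first window only the
    two terms that change (outgoing and incoming byte) are touched."""
    n = window_size
    counts = [0] * 256
    for b in data[:n]:
        counts[b] += 1

    def term(c):
        # the p*log2(p) term for a byte seen c times in the window; 0 if absent
        return (c / n) * math.log2(c / n) if c else 0.0

    h = -sum(term(c) for c in counts)
    entropies = [h]
    for offset in range(len(data) - n):
        b_out, b_in = data[offset], data[offset + n]
        # H = -sum(...): removing the old terms means adding them back ...
        h += term(counts[b_out]) + term(counts[b_in])
        counts[b_out] -= 1
        counts[b_in] += 1
        # ... and inserting the new terms means subtracting them.
        # When b_out == b_in the counts are unchanged and the net change is 0.
        h -= term(counts[b_out]) + term(counts[b_in])
        entropies.append(h)
    return entropies


def make_test_data(seed=1234):
    """Constructed test data shaped like the earlier post's: 1024 low-entropy
    bytes (values 0..64), 1024 full-range random bytes, then 1024 low again."""
    rng = random.Random(seed)
    low1 = bytes(rng.randint(0, 64) for _ in range(1024))
    high = bytes(rng.randint(0, 255) for _ in range(1024))
    low2 = bytes(rng.randint(0, 64) for _ in range(1024))
    return low1 + high + low2


def max_abs_diff(a, b):
    """Largest elementwise difference between two scans of equal length."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    data = make_test_data()
    fast = incremental_entropy_scan(data, 256)
    slow = naive_entropy_scan(data, 256)
    print("windows: %d, max deviation: %.2e" % (len(fast), max_abs_diff(fast, slow)))
    print("H at offset 100: %.3f, at offset 1100: %.3f" % (fast[100], fast[1100]))
```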

Saturday, May 12, 2007

Scanning data for entropy anomalies

l0re just asked the following question in the OpenRCE forums:

I'm currently searching for a tool that does an entropy analysis. I want to use it for finding an RSA key in a binary file. I have seen a tool that could do this at a workshop but unfortunately I don't know the name of the tool and I can't find it with the help of Google. Does anyone know the name of the tool or a tool that could do this?

I don't know of such a tool off the top of my head, although PEiD and OllyDbg both do statistical tests in order to detect possibly compressed/packed executables.

But having to come up with such things is one of the reasons why I love Python and Mathematica+Pythonika. With both it's possible to put together the desired functionality in a few minutes.

So, the idea is to spot the typical high entropy that should be exhibited by something like an RSA key stored in binary form. Assuming that it's stored within data with significantly lower entropy, such as a standard executable file (that is, one not packed or compressed itself), it should be easy to spot visually. Let's check...

First we need a function that calculates the entropy of a given chunk of data. The following code will take a Python string and calculate its byte entropy, returning a real number between 0.0 and 8.0.
Values close to 8.0 indicate high entropy, hence the likelihood of compressed or otherwise highly random data. Low values indicate low-complexity data such as text, executable instructions or any other data exhibiting clear patterns.


import math

def H(data):
  if not data:
    return 0
  entropy = 0
  for x in range(256):
    p_x = float(data.count(chr(x)))/len(data)
    if p_x > 0:
      entropy += - p_x*math.log(p_x, 2)
  return entropy



Next we want to be able to take a chunk of data and run the entropy calculation function all across it, in byte increments, with a defined block size. Starting from the byte at offset 0, we calculate the entropy of each data chunk of the given size and return its value. The function is an iterator so that we can easily get a list of entropies for all offsets, which we can then feed into a plotting function.


def entropy_scan(data, block_size):
  # one block_size-byte window per starting offset, entropy yielded lazily
  for block in (
    data[x:block_size+x]
    for x in range(len(data) - block_size)):

    yield H(block)



Now we need some test data, the following code will generate a low-entropy chunk of data 1024 bytes long, followed by a high-entropy one (assuming the random generator is good enough, which is the case for the example) also 1024 bytes long and closing with 1024 bytes more of low entropy data.


import random

data = ''.join(
  [chr(random.randint(0, 64)) for x in xrange(1024)] +   # low entropy: 65 values
  [chr(random.randint(0, 255)) for x in xrange(1024)] +  # high entropy: 256 values
  [chr(random.randint(0, 64)) for x in xrange(1024)])    # low entropy again



If we run the Python code within Mathematica


ListPlot[ Py["\<
  list(
    entropy_scan( data, 256 ) )
\>"] ]


we obtain the following plot

[plot: entropy of each 256-byte window against its offset]

displaying a noticeable bump in the region where the higher entropy data lies within our test data.

Update:

Deadhacker has posted an augmented version of my hack that does not rely on Mathematica, in addition to being able to run on arbitrary files passed as arguments to his script.