3

I have been looking into ntdll.dll on windows 10 x64 bit, and i noticed a check inside the ntdll like this:

enter image description here

So after testing some bit, it tries to execute the system call via int 2eh. I have tried to manually create app and execute int 2Eh most naive way like this (visual studio + masm .asm file x64 bit project):

int2e.asm:

.code
_myNtWriteFile PROC
    mov r10,rcx
    mov eax,9
    int 2Eh
    ret
_myNtWriteFile ENDP
END

Source.cpp:

#include <Windos.h>
#include <winternl.h>
extern "C" NTSTATUS myNtWriteFile (HANDLE           FileHandle,
  HANDLE           Event,
  PIO_APC_ROUTINE  ApcRoutine,
  PVOID            ApcContext,
  PIO_STATUS_BLOCK IoStatusBlock,
  PVOID            Buffer,
  ULONG            Length,
  PLARGE_INTEGER   ByteOffset,
  PULONG           Key);
int main()
{
     HANDLE hFile = CreateFileA("1.txt",GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);

      if(hFile!=INVALID_HANDLE_VALUE)
      {
         CHAR lpszStr[] = "Hello, World!";
         IO_STATUS_BLOCK pBlock = { 0 };
           NTSTATUS nStatus = myNtWriteFile(hFile,NULL,NULL,NULL,&pBlock,lpszStr,lstrlenA(lpszStr),0,0);
          CloseHandle(hFile);
      }
}

I always get access violation on int 2eh, so my questions:

Is int 2eh is still supported even on latest x64 bit win 10? Is the calling convention for this interrupt the same as for the syscall in x64 bit mode?

MaleFUnction0
  • 31
  • 1
  • 1
    Just wondering, but 1.) are you looking at the WOW64 or the x64 version of the DLL? and 2.) could this be something conditionally executed when running on processors not supporting those instructions? – 0xC0000022L Nov 08 '18 at 16:01
  • i was looking on the x64 version of ntdl. 2) Yeah, that's probably what happens there i was just interested if i still could use int 2eh instead of syscall/sysenter, even on cpu's that support it.
    • – MaleFUnction0 Nov 08 '18 at 16:55