
I've been reading about the way syscalls are called in Windows.
The general theme in all the articles I read is:
64-bit: called inside ntdll
32-bit: from ntdll jumping to KiFastSystemCall
but when I opened IDA with the ntdlls from both 64-bit and 32-bit to verify these articles, this is what I saw:
(32bit)

NtCreateFile proc near
mov     eax, 55h        ; syscall num
mov     edx, offset j_Wow64Transition
call    edx             ; weird stub is called instead of KiFastSystemCall.
                        ; I couldn't find anything about it. Perhaps a wrapper around KiFastSystemCall?
retn    2Ch
NtCreateFile endp

(64bit)

NtCreateFile proc near
mov     r10, rcx        ; NtCreateFile
mov     eax, 55h
test    byte ptr ds:7FFE0308h, 1 ; some test to decide whether to use int 0x2E or syscall?
                                 ; I don't know why int 0x2E would be used. I thought it causes overhead?
jnz     short loc_18009CB15
syscall                 
retn
loc_18009CB15:          
int     2Eh             
retn
NtCreateFile endp

If anyone knows why the system calls are called like this, I would love to know.
To summarize:
(32-bit) why is j_Wow64Transition there instead of KiFastSystemCall?
(64-bit) what is being compared and why?
Thanks.


The following quotes, answering your first question, come from Windows Internals Sixth Edition Part 1, page 225:

Wow64 (Win32 emulation on 64-bit Windows) refers to the software that permits the execution of 32-bit x86 applications on 64-bit Windows. It is implemented as a set of user-mode DLLs, with some support from the kernel for creating 32-bit versions of what would normally only be 64-bit data structures [...]

Wow64 hooks all the code paths where 32-bit code would transition to the native 64-bit system or when the native system needs to call into 32-bit user-mode code.

Wow64 transitions to native 64-bit mode, captures the parameters associated with the system call (converting 32-bit pointers to 64-bit pointers), and issues the corresponding native 64-bit system call. When the native system call returns, Wow64 converts any output parameters if necessary from 64-bit to 32-bit formats before returning to 32-bit mode.

So, when you run a 32-bit x86 program on 64-bit Windows, such transitions may occur to enable this application to make a native system call.

The answer to your second question is already here.

bart1e

I would add some information to the first answer.

The switch of the mode from Wow64 to 64-bit, aka "Heaven's Gate", is in wow64cpu.dll. offset j_Wow64Transition is a part of wow64cpu.dll.

These slides help you understand the procedure for executing a 64-bit syscall from a Wow64 process, with assembly code as an example.

0xC0000022L
Igeta
  • I was also missing the term "Heaven's Gate" in the first answer. Presumably because it's not Microsoft's terminology, but the book is published by Microsoft Press. – 0xC0000022L Apr 20 '20 at 21:03