Jonas L

Everything else runs in usermode- and they need to ask ring0 to do stuff on their behalf. One mechanism for that is syscalls- a predefined list of operations that causes control flow to switch into ring0 - kernel validates the arguments and execute the matching operation.

You can see a list of syscalls at https://j00ru.vexillium.org/syscalls/nt/32/  As syscalls are a pathway for less privileged code to influence code executing at the highest privilege it is interesting for security researchers.

The same factors also make it interesting for rootkits(term describing malware executing in ring 0).

If you redirect the address where the system jumps to execute a given syscall you get perfect conditions to rewrite input/output then call oroginal address. That enables perfect hiding of code that execute on the system.

When you are in ring0 you can overwrite the address of the handler, this has been abused alot by malware.

So MS created patchguard, a system that periodically verifies the address have not been from their original content at boot. If tampering is detected- it will halt the system with a BSOD.

When doing security research being able to see syscalls with arguments is a great help and can speed up reverse engineering process alot. One thing I would like to see is IOCTRL codes- used for many file operations and in general communicating with devices.

That is possible with dtrace- its special because it enables you to make syscall hooks. The alternative is to write and test sign a driver, and that means any tiny error gives you BSOD. That is why I decided to make it work with dtrace- whatever it takes.