System Calls

  • System calls perform some operation on a specific type of kernel object exposed by the object manager

    • Example: NtCreateMutant system call creates Mutant object, which is a mutual exclusion primitive used for locking and thread synchronization

  • System call names follow a common pattern and start with either Nt or Zw. From user mode the two prefixes are exported as the same function; the distinction only matters to kernel-mode callers, where the Zw version sets the previous mode to kernel and so skips access checks (see the ForceAccessCheck flag below)

  • After the prefix comes a verb for the operation, followed by the kernel object type the system call operates on

    • Create - creates a new object. Maps to the New-Nt<Type> PowerShell commands (for example, New-NtMutant)

    • Open - opens an existing object. Maps to the Get-Nt<Type> PowerShell commands (for example, Get-NtMutant)

    • QueryInformation - queries object information and properties

    • SetInformation - sets object information and properties

C-language prototype for NtCreateMutant
NTSTATUS NtCreateMutant(
    // Receives the new handle to the Mutant on success
    HANDLE* MutantHandle,
    // Represents the operations the caller wants to be able to perform on the Mutant using the handle
    ACCESS_MASK DesiredAccess,
    // Defines the attributes for the object to open or create (name, flags, security descriptor)
    OBJECT_ATTRIBUTES* ObjectAttributes,
    // Represents whether the created Mutant is initially owned by the caller
    BOOLEAN InitialOwner
);
The OBJECT_ATTRIBUTES structure
struct OBJECT_ATTRIBUTES {
    // Represents the length of the structure in bytes; the kernel rejects the call if it does not match
    ULONG           Length;
    // RootDirectory and ObjectName together indicate how the system call should look up the resource being accessed
    HANDLE          RootDirectory; // Handle to an opened kernel object to use as the base for looking up the object, or NULL for an absolute name
    UNICODE_STRING* ObjectName; // A pointer to a UNICODE_STRING structure holding the object name, relative to RootDirectory if one is given
    // OBJ_* flags controlling the lookup and the resulting handle (see the table of attribute flags below)
    ULONG           Attributes;
    // Optional security descriptor to apply to a newly created object; ignored when opening
    PVOID           SecurityDescriptor;
    // Optional SECURITY_QUALITY_OF_SERVICE controlling impersonation when the handle is used for that purpose
    PVOID           SecurityQualityOfService;
};
The UNICODE_STRING structure
struct UNICODE_STRING {
    // Lengths are stored in USHORT - unsigned 16-bit integers, so a name is at most 65,535 bytes
    // Represents the total valid length of the string pointed to by Buffer, in bytes, not counting any NUL terminator
    USHORT Length;
    // Represents the maximum length of the buffer pointed to by Buffer, in bytes
    USHORT MaximumLength;
    // A pointer to an array of 16-bit Unicode characters holding the string data; it need not be NUL-terminated, since Length is authoritative
    WCHAR* Buffer;
};
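The following is an added example, not code from the page or from the NtObjectManager project. It builds the UNICODE_STRING and OBJECT_ATTRIBUTES that a call to NtCreateMutant would receive, in the way RtlInitUnicodeString and InitializeObjectAttributes do, and then applies the consistency checks a kernel performs on a UNICODE_STRING before reading its Buffer. The types and the OBJ_* flag values are re-declared locally (assumption: these match the Windows SDK definitions) so the file compiles without windows.h on any host; the object name "\BaseNamedObjects\ABC" is a constructed sample, and the NtCreateMutant call itself is not made, since that requires ntdll on Windows.

```c
/* Added example (not from the page): prepare NtCreateMutant's arguments
 * and validate a UNICODE_STRING. Types are re-declared so this builds
 * without windows.h; layout follows the structures shown above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef uint16_t WCHAR;   /* 16-bit code unit, independent of the host's wchar_t */
typedef void    *HANDLE;
typedef void    *PVOID;

typedef struct UNICODE_STRING {
    USHORT Length;          /* valid bytes in Buffer, NUL not counted */
    USHORT MaximumLength;   /* bytes available in Buffer */
    WCHAR *Buffer;
} UNICODE_STRING;

typedef struct OBJECT_ATTRIBUTES {
    ULONG           Length;
    HANDLE          RootDirectory;
    UNICODE_STRING *ObjectName;
    ULONG           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
} OBJECT_ATTRIBUTES;

/* OBJ_* bit values as defined in the Windows SDK (ntdef.h); assumption, not on the page. */
#define OBJ_CASE_INSENSITIVE 0x00000040u
#define OBJ_OPENIF           0x00000080u
#define OBJ_DONT_REPARSE     0x00001000u

/* Copy an ASCII string into a 16-bit buffer. Returns code units written, -1 if it does not fit. */
static int ascii_to_wchar(const char *src, WCHAR *dst, size_t cap)
{
    size_t n = 0;
    for (; src[n] != '\0'; n++) {
        if (n + 1 >= cap) return -1;            /* keep room for the NUL */
        dst[n] = (WCHAR)(unsigned char)src[n];
    }
    dst[n] = 0;
    return (int)n;
}

/* RtlInitUnicodeString equivalent: Length excludes the NUL, MaximumLength includes it.
 * Fails instead of silently truncating when the byte count does not fit in a USHORT. */
int init_unicode_string(UNICODE_STRING *us, WCHAR *buf, size_t units)
{
    size_t bytes = units * sizeof(WCHAR);
    if (bytes + sizeof(WCHAR) > 0xFFFF) return -1;
    us->Length        = (USHORT)bytes;
    us->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
    us->Buffer        = buf;
    return 0;
}

/* Checks a receiver must make before trusting Length: whole code units only,
 * Length within MaximumLength, and a Buffer present whenever Length is non-zero. */
int unicode_string_is_valid(const UNICODE_STRING *us)
{
    if (us->Length % sizeof(WCHAR) != 0) return 0;
    if (us->Length > us->MaximumLength) return 0;
    if (us->Length != 0 && us->Buffer == NULL) return 0;
    return 1;
}

/* InitializeObjectAttributes equivalent; Length must equal sizeof the structure. */
void init_object_attributes(OBJECT_ATTRIBUTES *oa, UNICODE_STRING *name,
                            ULONG attributes, HANDLE root, PVOID sd)
{
    oa->Length                   = sizeof(*oa);
    oa->RootDirectory            = root;
    oa->ObjectName               = name;
    oa->Attributes               = attributes;
    oa->SecurityDescriptor       = sd;
    oa->SecurityQualityOfService = NULL;
}

/* Worked case: absolute name (RootDirectory NULL) under \BaseNamedObjects (constructed sample),
 * looked up case-insensitively, opening an existing Mutant if present, refusing symbolic links. */
static WCHAR      g_name_buf[64];
UNICODE_STRING    g_mutant_name;
OBJECT_ATTRIBUTES g_mutant_attrs;
UNICODE_STRING    g_bad_string;   /* deliberately inconsistent header, for the validity check */

int build_mutant_attributes(void)
{
    int units = ascii_to_wchar("\\BaseNamedObjects\\ABC", g_name_buf,
                               sizeof g_name_buf / sizeof g_name_buf[0]);
    if (units < 0) return -1;
    if (init_unicode_string(&g_mutant_name, g_name_buf, (size_t)units) != 0) return -1;
    init_object_attributes(&g_mutant_attrs, &g_mutant_name,
                           OBJ_CASE_INSENSITIVE | OBJ_OPENIF | OBJ_DONT_REPARSE, NULL, NULL);
    /* Length beyond MaximumLength: a caller passing this would make a naive reader run past Buffer. */
    g_bad_string.Buffer        = g_name_buf;
    g_bad_string.MaximumLength = 8;
    g_bad_string.Length        = 40;
    return 0;
}

int main(void)
{
    if (build_mutant_attributes() != 0) return 1;
    printf("name: Length=%u MaximumLength=%u valid=%d\n", (unsigned)g_mutant_name.Length,
           (unsigned)g_mutant_name.MaximumLength, unicode_string_is_valid(&g_mutant_name));
    printf("attrs: Length=%u Attributes=0x%x bad_valid=%d\n", (unsigned)g_mutant_attrs.Length,
           (unsigned)g_mutant_attrs.Attributes, unicode_string_is_valid(&g_bad_string));
    return 0;
}
```

The name is 21 characters, so Length comes out as 42 bytes and MaximumLength as 44; the rejected string shows why a kernel (or any code parsing captured system call arguments) must honour Length and MaximumLength rather than looking for a NUL terminator.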

Object Attribute Flags and Descriptions (PowerShell name - Description)

  • Inherit - Marks the handle as inheritable by child processes

  • Permanent - Marks the object as permanent, so it is not deleted when the last handle to it is closed

  • Exclusive - Marks the object as exclusive if creating a new object. Only the same process can open a handle to the object

  • CaseInsensitive - Looks up the object name in a case-insensitive manner

  • OpenIf - If using a Create call, opens a handle to an existing object of that name if one already exists instead of failing

  • OpenLink - Opens the object if it's a link to another object; otherwise, follows the link. This is used only by the configuration manager (registry)

  • KernelHandle - Opens the handle as a kernel handle when used in kernel mode. This prevents user-mode applications from accessing the handle directly

  • ForceAccessCheck - When used in kernel mode, ensures all access checks are performed, even if calling the Zw version of the system call

  • IgnoreImpersonatedDeviceMap - Disables the impersonated token's device map during lookup, so the lookup uses the process's own device map

  • DontReparse - Indicates not to follow any path that contains a symbolic link; the call fails instead of being redirected
