@jthuraisamy
Last active November 23, 2019 18:33
System Call Detection at Runtime (NtCreateFile example)
.code
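;-----------------------------------------------------------------------
; NtCreateFile -- direct system-call stub with run-time selection of the
;                 system service number.
;
; Syntax: MASM (ml64), Intel operand order.
; ABI:    Microsoft x64. The caller's arguments (rcx, rdx, r8, r9 and the
;         stack) are passed through untouched; the stub only writes rax
;         and r10 before `syscall`.
; Out:    eax = NTSTATUS from the kernel, or STATUS_NOT_SUPPORTED
;         (0C00000BBh) when the running OS version is not in the table.
; Clobb:  rax, r10, flags; `syscall` itself overwrites rcx and r11.
;
; Version fields read from the PEB (x64 layout):
;         +118h  OSMajorVersion  (32-bit)
;         +11Ch  OSMinorVersion  (32-bit)
;         +120h  OSBuildNumber   (16-bit; the next 16 bits at +122h are
;                OSCSDVersion, so the build number must be compared as a
;                word -- a dword compare fails the equality tests on any
;                system that has a service pack recorded there)
;
; Security note: the stub executes `syscall` itself, so user-mode hooks
; placed inside ntdll.dll are not on this call path. Monitoring that has
; to observe this file open needs a kernel-side vantage point (for
; example a file-system minifilter), and a `syscall` instruction that
; executes outside ntdll's image is itself a signal detection tooling can
; key on.
;-----------------------------------------------------------------------
NtCreateFile PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h on x64)
NtCreateFile_Check_X_X_XXXX:                    ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtCreateFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateFile_Check_10_0_XXXX
        jmp     NtCreateFile_SystemCall_Unknown
NtCreateFile_Check_6_X_XXXX:                    ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateFile_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateFile_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3
        jae     NtCreateFile_SystemCall_6_3_XXXX ; unsigned: any 6.x minor >= 3 is treated as 8.1
        jmp     NtCreateFile_SystemCall_Unknown
NtCreateFile_Check_6_0_XXXX:                    ; Check build number for Windows Vista.
        cmp     word ptr [rax+120h], 6000
        je      NtCreateFile_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtCreateFile_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        jae     NtCreateFile_SystemCall_6_0_6002
        jmp     NtCreateFile_SystemCall_Unknown
NtCreateFile_Check_6_1_XXXX:                    ; Check build number for Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtCreateFile_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        jae     NtCreateFile_SystemCall_6_1_7601
        jmp     NtCreateFile_SystemCall_Unknown
NtCreateFile_Check_10_0_XXXX:                   ; Check build number for Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtCreateFile_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtCreateFile_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtCreateFile_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtCreateFile_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtCreateFile_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtCreateFile_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtCreateFile_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        ; NOTE(review): every build >= 18362 is assumed to share the 1903
        ; service number; nothing here verifies that for later builds.
        ; The compare is unsigned so a 16-bit build number above 32767
        ; is not read as negative.
        jae     NtCreateFile_SystemCall_10_0_18362
        jmp     NtCreateFile_SystemCall_Unknown
NtCreateFile_SystemCall_5_X_XXXX:               ; Windows XP SPX / Server 2003 SPX
        mov     eax, 0052h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_6_0_6000:               ; Windows Vista SP0
        mov     eax, 0052h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_6_0_6001:               ; Windows Vista SP1 / Server 2008 SP0
        mov     eax, 0052h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_6_0_6002:               ; Windows Vista SP2 / Server 2008 SP2
        mov     eax, 0052h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_6_1_7600:               ; Windows 7 SP0 / Server 2008 R2 SP0
        mov     eax, 0052h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_6_1_7601:               ; Windows 7 SP1 / Server 2008 R2 SP1
        mov     eax, 0052h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_6_2_XXXX:               ; Windows 8.0 / Server 2012
        mov     eax, 0053h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_6_3_XXXX:               ; Windows 8.1 / Server 2012 R2
        mov     eax, 0054h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
        mov     eax, 0055h
        jmp     NtCreateFile_Epilogue
NtCreateFile_SystemCall_Unknown:                ; Unknown/unsupported version
        ; Fail closed. Without this, rax still holds the PEB address and
        ; its low 32 bits would be handed back as the NTSTATUS, which a
        ; caller can misread as success and then use an output handle
        ; that was never written.
        mov     eax, 0C00000BBh                 ; STATUS_NOT_SUPPORTED
        ret
NtCreateFile_Epilogue:
        mov     r10, rcx                        ; kernel reads arg 1 from r10; syscall overwrites rcx
        syscall                                 ; eax = service number selected above
        ret                                     ; rax = NTSTATUS from the kernel
NtCreateFile ENDP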
end