@lbpierre
Created March 8, 2024 07:46
SysWhispers2 syscall identifier script; first unhex `SW2_SyscallList_hex.dmp` with `binascii.unhexlify(content)` (the script reads the raw `SW2_SyscallList.dmp`).
00000000f90100001719a606d06607001f3fa801e06607001e1db13ef06607006dc1ac9700670700c1ee3e8410670700340d98322067070027ff8235306707008ef8d80040670700be8278e250670700071ccc4460670700e7188913706707001a1fb02080670700b25b283c90670700b18c0b92a06707001b344cefb0670700113b9d12c06707001b3aa70ad06707002ed4fbaae06707003398c9edf0670700ef5799a900680700b95aa8bd10680700b42f2121206807009cb0ea5f306807007e78d35b40680700c62ed4c550680700c0d041c5606807008139947e90680700169dcdf3a068070095990786b0680700ecda52edc0680700b77c2270d0680700180572e0e06807004ae3b99cf0680700129898ac00690700b1c82aaf1069070087a91483206907000819882f30690700e36cc9e2406907007e78ad5f506907008cbab828606907007528e14e706907002ddeb2d680690700f115ac36906907007fe9abb5a0690700047e9f51b0690700525cce46c0690700e350ae6fd06907005dec9fb6e0690700c9c8bc0af06907000cf194fb006a070014ef8eee106a0700b19d1483206a07007dd02ff4306a07002c40bb2a406a0700a1983398506a070007308f16606a07009683069d706a0700102cba24806a0700f8921586906a07006ad2b798a06a070067b2de86b06a07007e4eb962c06a0700541b8c3ed06a0700e8f054c6e06a07003807ad06f06a0700986f0465006b0700207da88b106b07008ea5ce4e206b0700ac3895a7306b0700636e41e0406b07005f70930e506b0700d1da43dd606b0700a1f7bb11706b07004828f876806b07005186c09a906b0700ae46bcaea06b0700691dda45b06b0700e0e39c17c06b07007d4ad478d06b0700b99de3a1e06b07000b179005f06b070001069202006c07001c9ab69c106c070064f4d2e6206c070014e8a0ff306c0700e7cdbc0a406c070094abc268506c0700fade49f2606c070083241f2c706c0700d6eb8a0a806c07005b27cf16906c0700b9782d00a06c0700a86a3708b06c07001f393bb8c06c0700ca0b4f12d06c07003d08a206e06c0700c1fabb06f06c0700a8215453006d07002a1b9d3d106d0700f01caf28206d0700958039a0306d07004c64d56a406d0700525baf5d506d0700466dd668606d0700d7d68a19706d0700a9b29201806d0700743d9341906d0700899a178ea06d070054c9d1fbb06d0700fd16950bc06d07003d348b2ed06d0700b50b9b80e06d070026e6a0fcf06d070057e38893006e07002ffab3ea106e0700af03af89206e0700fdc40282306e070027036b3a406e0700c8ad11fd506e0700d2eec068606e0700681cde4d706e0700362fbe32806e070043658827906e0700e1fa72e5a06e0700
2a2ba30fb06e070027028f40c06e07003032ae37d06e07004e55861ee06e0700271a723df06e0700c739cd5c006f070093272c16106f0700cd80558d206f0700fa1fb120306f07006f4031ab406f070093be30a1506f07000fd3a3c2606f070016eaaef6706f07005fe24d63806f07000c1eb205906f07005be232f7a06f070072d77829b06f0700241db71dc06f0700a9471e4dd06f0700373cba06e06f0700fe56dd09f06f0700acec3dd2007007009145240f10700700ae1774212070070089ba07fb30700700dd7f3503407007003f74348d50700700847a8b1060700700e40cbef07070070012f490c980700700f5dfa6fe90700700e0ca4b17a070070058df37c3b070070013139903c070070037dd302cd07007006b79bb1be0700700e6c375dcf070070070acc88b00710700bfdd203e10710700842d4163207107008f3994b130710700ea52a8bc407107007decabcc507107002cc542276071070004de97d9707107002d38b0128071070023a4bfac90710700d83c9ef2a0710700efeb3d9db0710700fa94e973c071070005669230d0710700a8eb8435e07107001f2ec80ef071070031d0809800720700273cba1e10720700064fe935207207003f98121e3072070000c78bc040720700e7354cec507207002ecbbc2460720700d6288e0c70720700daf679b8807207002a22bc2a907207000b629802a07207002421bf2eb0720700393d9030c07207003056af75d0720700bce720e4e07207007e48de46f07207006536a07a0073070002f08ace107307009eb1c29f207307002a2090123073070092e78f1e40730700d453b8a85073070092eea82c60730700225bbf22707307001ac946e3807307002bb8a5f9907307000cc540fba073070078024dbeb0730700333ca33ac0730700584f9d1bd0730700c49c4885e0730700ce682f06f07307001e0bb01800740700a95222bc107407002a709440207407002a11bbf5307407005c7d9f064074070044bc51dc507407000025953960740700de37b1df707407001aba3a3c80740700a4261a0390740700ced254d6a0740700a3a0923cb074070079bfe39ec0740700f5d4befed0740700e2c7b00ee07407005b95ff4df07407002cbbbeb50075070062168e1e1075070010459f3620750700be5c39a73075070005538a36407507009ea2913250750700ce790a256075070001b2bd827075070006b4d2f6807507000f0c9a00907507000605a53fa075070056b8dcbab0750700452613e8c0750700821adbe9d0750700c2711a01e075070051f1ad84f07507000ddfafe300760700096d970710760700613a2b0220760700ea46b18d307607003500931c40760700c5154207507607001208b83e607607003334a23c70760700
1453ac178076070094b60594907607002e919156a076070058df14eeb07607006f60f56ac07607001c7cb05dd0760700a13e0f34e0760700e2ee4dfff0760700b7be2db6007707005206814c107707009e9396092077070033cb8f9330770700fa213945407707008396c06650770700090c9d02607707007f772eb4707707008657a192807707002dfd723f90770700995af2bea07707002c209614b07707001e76078cc077070031a0919bd077070015600aaae0770700016f0aaaf077070058eba7af0078070021bf0239107807002c08b7272078070058a1c0b23078070036269a004078070021eebde6507807000324a70c60780700d83beb7070780700515e891080780700303ab606907807002a28b20fa07807006c169566b078070018079b0dc07807000613960bd0780700ae7a3972e078070020cb9704f07807006585fea6007907003808ab0f107907001c41cf0120790700bf85ec40307907009809cfc940790700253cb01450790700918708836079070023b1b9a7707907002035f8758079070002329f12907907005ad29c9ca07907003015d108b079070006019406c07907004b69d38cd0790700cbc29902e07907002f3de056f07907009c6d207f007a07001f1e8e10107a0700948bbf12207a07000868ac36307a07000a4bd90b407a07004d7aa300507a07002d768c24607a07007c7faf3d707a07007346a90e807a07002c9db18d907a07004307d407a07a07006ba6a5dab07a0700a0174308c07a070027e99df8d07a070069b8ca97e07a07003d0d9b3cf07a0700bee6a16e007b0700e31cade0107b07000c0e640d207b0700a550c6ac307b07006496e17e407b07005851cf72507b0700f0e9aa0b607b0700daecb613707b07001e148c1a807b0700985d1575907b0700e8be9648a07b0700248eb8a6b07b070003259603c07b07001e770806d07b07003eeb843ce07b0700f9d0d04af07b070068d0ce91007c0700f5a0ab40107c070031388719207c07007bd7568e307c0700a7a0b526407c07000213a31b507c07007d22ee02607c07002a67b76b707c07001a8e839c807c07004a805267907c0700ba508106a07c07006d9e079ab07c070019099806c07c07003fdb50d1d07c0700604afa2be07c070028058928f07c0700cd239bcb007d07008b2a5178107d0700409a2e81207d0700dbf37efd307d0700c0ed9c03407d07005140bc26507d07005d5fbe24607d070023e39bf0707d0700e9673809807d0700580fdc2e907d0700b1f785bba07d07004ec49290b07d0700857a561ec07d0700b71d8b82d07d0700d365544de07d070019b32210f07d0700eae33209007e070045328d14107e07003be7afc1207e0700d1c442db307e0700c7f1bc32407e0700
45c1b6be507e070070cb9cb1607e07002e9a340e707e0700a3fc09a4807e07007e79f260907e07002801ae0ca07e07003d8c9fb8b07e0700f209cb48c07e07008ef0a532d07e070044681e8be07e0700e1b2b396f07e0700869fe781007f0700eeca78e8107f0700edcc71e5207f070038e4b2e1307f0700e895bd7c407f07001a109f2c507f0700fda61fcb607f0700818f1c80707f0700239cb09e807f070030d4bbba907f07002d54bf49a07f07001a228ac0b07f070024b8b59ac07f0700e7502206d07f0700033f9a3ee07f070044d39897f07f07006a00db3d008007003627b82610800700c6d760fd20800700af070f31308007003f39ab3340800700f06c1318508007009c290be860800700f7fc5df270800700c4cb4f3d808007003039b32690800700a2ab9b35a080070030b88aa9b08007004418c300c080070086a927a5d0800700a1303c10e08007001526b210f080070089a3257d0081070071b8a3f81081070035208908208107005514d301308107000a24b6304081070027e4bbe450810700b8a01d836081070062413b957081070026168226808107004f5c951490810700d3634947a081070083a83188b081070082ea9382c0810700dbcf4cc7d0810700ba4d207be0810700a89b029ff0810700963baabc00820700e3db8b2e10820700fdccb310208207000e3f9315308207009abab93c40820700d3949fac5082070035c88ad260820700e0d5be00708207001f7e8a44808207007e1c41ce90820700a21d2a2ea0820700dc45926cb0820700adc8a017c08207006af0b4b6d0820700669cfa92e082070092a8cf91f0820700f3dd6fe900830700d8cf6dee10830700584d951c208307009604081c30830700da64341e40830700eb2cb70450830700e223ba1c608307002ef29cfa708307004db5ffa080830700a28d3bbc90830700941b8971a08307009ae50e95b08307000329980dc08307006ed6d50ad08307009d9631aee08307000b0a9508f0830700c8f95ad300840700f339237f108407001525930f2084070096e535be308407008de5991540840700062e871e508407005e1a32f860840700041acaa67084070095ba6dda8084070010ab3ee290840700432e52c6a084070098d75c9bb0840700166dcf2cc0840700334a079fd08407003f1b9545e084070052d8a9bcf0840700d7fc7de100850700d01e427910850700da2f961c208507001534b02c30850700ed40301040850700e4ca5de2508507008d54bf1a60850700374d945d70850700183cb302808507001957b46990850700025c11b1a0850700052b9a03b08507007bd44791c085070020839097d0850700427fd45fe08507006366c755f085070046529a06008607000308913410860700
54069f9120860700bde673fd308607007c28969e408607007e3e8c80508607000afb948e608607009538441d70860700
import struct
import sys
from collections import namedtuple
from typing import List, Optional

import pefile
# Base added to every offset read from the dump (see the loading loop below).
# NOTE(review): for a match to be possible this must agree with the ImageBase of
# the ntdll.dll that is parsed later — confirm against pe.OPTIONAL_HEADER.ImageBase.
NTDLL_BASE_ADDRESS = 0x77DA0000

# One SysWhispers2 syscall-list entry: the function-name hash and the address
# the dumped offset rebases to.
SW2_Entrie = namedtuple("SW2_Entrie", "hash address")

# Populated once the dump is parsed; scanned by find_syscall_by_hash.
SW2_syscallList: List = []
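def get_section(pe: pefile.PE, section_name: str) -> pefile.SectionStructure:
    """Return the PE section called *section_name*.

    An exact match on the NUL-stripped section name is preferred. Only when
    there is none does the lookup fall back to the first section whose name
    merely starts with *section_name* (the previous behaviour), so that a
    request for ``".text"`` can no longer be answered with ``".textbss"``
    when a real ``".text"`` section exists.

    Args:
        pe: parsed PE whose ``sections`` are searched in file order.
        section_name: section name as text, e.g. ``".text"``.

    Returns:
        The matching ``pefile.SectionStructure``.

    Raises:
        KeyError: no section matches; the message lists the available names.
    """
    wanted = section_name.encode()
    # Section names are fixed-width 8-byte fields padded with NULs.
    names = [sec.Name.replace(b"\x00", b"") for sec in pe.sections]

    exact = next(
        (sec for sec, name in zip(pe.sections, names) if name == wanted), None
    )
    if exact is not None:
        return exact

    # Backward-compatible prefix lookup for callers that passed a partial name.
    by_prefix = next(
        (sec for sec in pe.sections if sec.Name.startswith(wanted)), None
    )
    if by_prefix is not None:
        return by_prefix

    available_sections = ", ".join(name.decode() for name in names)
    raise KeyError(
        f"{section_name} not found in the PE, available sections: {available_sections}"
    )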
def find_syscall_by_hash(hash) -> Optional[SW2_Entrie]:
    """Return the first loaded entry whose ``hash`` field equals *hash*.

    Linear scan of the module-level ``SW2_syscallList``. Returns ``None`` when
    no entry carries that hash, so callers must check before reading
    ``.address``. (The parameter keeps its original name, which shadows the
    ``hash`` builtin, because callers may pass it by keyword.)
    """
    candidates = (entry for entry in SW2_syscallList if entry.hash == hash)
    return next(candidates, None)
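with open("SW2_SyscallList.dmp", "rb") as f:
    # offset 0x8 is used to remove the DWORD Count of the struct _SW2_SYSCALL_LIST
    # (per the gist description the hex dump must be unhexlified into this file first)
    SW2_syscallList_raw = f.read()[0x8:]

# Every entry is a little-endian DWORD hash followed by a signed 32-bit offset
# ("<Li", 8 bytes). struct.iter_unpack raises a bare struct.error on a trailing
# partial entry; fail with a message that names the file instead.
ENTRY_SIZE = struct.calcsize("<Li")
if len(SW2_syscallList_raw) % ENTRY_SIZE:
    raise ValueError(
        f"SW2_SyscallList.dmp: {len(SW2_syscallList_raw)} bytes after the header "
        f"is not a multiple of the {ENTRY_SIZE}-byte entry size"
    )
for fn_hash, addr_offset in struct.iter_unpack("<Li", SW2_syscallList_raw):
    # The dumped value is treated as an offset from NTDLL_BASE_ADDRESS so it
    # becomes comparable with the export addresses computed below.
    SW2_syscallList.append(SW2_Entrie(fn_hash, addr_offset + NTDLL_BASE_ADDRESS))

PE_FILE = "ntdll.dll"
pe = pefile.PE(PE_FILE)
# get_section raises KeyError early if the PE has no .text section; `text` and
# `section_rva` are otherwise unused by the matching below.
text = get_section(pe, ".text")
image_base = pe.OPTIONAL_HEADER.ImageBase
section_rva = text.VirtualAddress

# Both sides of the comparison below add a base (NTDLL_BASE_ADDRESS to the
# dumped offsets, image_base to the export RVAs). If the dumped offsets are
# RVAs, as they appear to be, the two bases must agree or nothing can match —
# warn rather than silently print nothing.
if image_base != NTDLL_BASE_ADDRESS:
    print(
        f"warning: NTDLL_BASE_ADDRESS=0x{NTDLL_BASE_ADDRESS:x} differs from "
        f"{PE_FILE} ImageBase=0x{image_base:x}; no syscall may match",
        file=sys.stderr,
    )

# hashes obtained in IDA
hashes = [
    0x129D3B11,
    0xD982903,
    0x983398A1,
    0xC541D0C0,
    0x5FAD787E,
    0x85489CC4,
    0x70227CB7,
    0xC654F0E8,
    0xC5D42EC6,
    0x861592F8,
    0x17AC5314,
    0xF25DFCF7,
    0x9CB69A1C,
]

# Resolve each hash once, up front. find_syscall_by_hash returns None for a
# hash missing from the dump; report it instead of crashing on `None.address`
# inside the export loop.
syscall_by_address = {}
for fn_hash in hashes:
    syscall = find_syscall_by_hash(fn_hash)
    if syscall is None:
        print(f"warning: hash 0x{fn_hash:x} not present in the dump", file=sys.stderr)
        continue
    # First hash wins for a given address, matching the original search order.
    syscall_by_address.setdefault(syscall.address, syscall)

# Build a corresponding address and ntdll function name
mapping_syscall_id_fn = [
    (image_base + exp.address, exp.name) for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols
]
for addr, name in mapping_syscall_id_fn:
    syscall = syscall_by_address.get(addr)
    if syscall is None:
        continue
    # pefile leaves `name` as None for exports that only have an ordinal;
    # `.decode()` on it would raise.
    label = name.decode() if name is not None else "<unnamed export>"
    print(f"0x{syscall.hash:x} <-> {label}")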