
 Using IDA Free, Part 3, Investigate Windows syscall

TSFlierMate
post Jun 12 2023, 11:19 PM, updated 3y ago

Today I will investigate the syscall function in Windows. As we know, Windows libraries are provided through its API, but you can actually skip the Windows API and use syscall directly, just like on Linux x64.
But the syscall numbers on Windows are not stable from release to release.

For syscall table in Windows, see: https://github.com/j00ru/windows-syscalls

So I will try my luck for my version of Windows, by debugging two EXEs (PE 64-bit) using IDA Freeware 8.3.

Below is the normal code for a program to exit with errorlevel 7:
CODE
format PE64 console
entry start

include "win64a.inc"

section ".code" code executable readable

start:

   mov  rcx, 7            ; uExitCode = 7 (x64 calling convention: first argument in rcx)
   call [ExitProcess]

section ".idata" import readable

   library kernel, "kernel32.dll"

   import kernel, ExitProcess, "ExitProcess"


As you see from above, there is an extra section called "idata", which is the import table, mandatory for every Win32 program to be useful.

But today I will just hack it so that the newly created program will be even smaller, and without the import table at all.

After loading the exit.exe (source code listed above), I step into "call [ExitProcess]", and this is what I stepped into, RtlExitUserProcess:

RtlExitUserProcess

If I further step into NtTerminateProcess, this is what we see:
Now it uses "syscall" with ID "0x2C" (the syscall number varies from one release of Windows to another)

NtTerminateProcess

After some investigation, I came up with this program, which also exits with errorlevel 7:

CODE
format PE64 console
entry start

section ".code" code executable readable

start:

   mov rdx, 7                     ; ExitStatus = 7
   or  rcx, 0xFFFFFFFFFFFFFFFF    ; ProcessHandle = -1 (pseudo-handle for the current process)
  ;xor rcx, rcx
   mov r10, rcx                   ; syscall convention: first argument is passed in r10
   mov rax, 0x2C                  ; NtTerminateProcess number on this Windows build
   syscall


And after I load it in IDA Freeware, this is the output.

Disassembly of NtExit.exe (source code above):

The file size:
CODE
Directory of C:\Users\BOO\Projects

06/12/2023  10:48 PM             1,536 exit.EXE
06/12/2023  10:59 PM             1,024 ntexit.EXE
              2 File(s)          2,560 bytes
              0 Dir(s)  91,136,335,872 bytes free


The NtExit.exe is without the extra 512-byte section for the import table.

In summary, it is not practical to use the syscall number directly in a Windows program, but I heard some malware is using it. @junyian @KLKS

Thank you for reading!

flashang
post Jun 13 2023, 11:05 AM


When a system develops,
common functions might change / update / upgrade from time to time.
"Internal" functions are designed to be used by the system and system apps.

For better error handling, logs, redirects to the appropriate function, ...,
APIs were released for the "public" or "3rd party software" to call.



MatQuasar
post Sep 15 2023, 08:04 PM

Since there is no syscall in 32-bit mode....


....I make a direct call to ntdll.dll instead, x86 code as below:

CODE
format PE console
entry start

include "win32a.inc"

section ".code" code executable readable

start:

  push 7                     ; ExitStatus = 7 (stdcall: arguments pushed right to left)
  push 0xFFFFFFFF            ; ProcessHandle = -1 (pseudo-handle for the current process)
  call [NtTerminateProcess]

section ".idata" import readable

  library ntdll, "ntdll.dll"

  import ntdll, NtTerminateProcess, "NtTerminateProcess"

MatQuasar
post Sep 15 2023, 11:34 PM

Readers might ask, what is "ntdll.dll"? It is a library that is part of the "kernel32.dll" dependencies:


Many Win32 APIs are provided through "kernel32.dll" (along with "user32.dll" and others), but underlying them there is "ntdll.dll", which is even deeper.

So, the kernel32.dll ExitProcess API will call ntdll.dll NtTerminateProcess.....
