Posixcafe Fresh shipments of beans and standards every Tuesday


NTSTATUS __attribute__((naked))
NtAllocateVirtualMemory10(HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG protect)
{
	asm volatile (	"mov %rcx, %r10;"
			"mov $0x18, %eax;"
			"syscall;"
			"ret;");
}

Here the naked attribute allows us to treat the function as a pure assembly function by having gcc abstain from doing any function preample shuffling of the stack or otherwise when we call this function. In this example we have 0x18 set as our syscall number, which is the NtAllocateVirtualMemory syscall index for the latest version of windows 10 at the time of this writing.

Refernces:
https://github.com/outflanknl/Dumpert/blob/master/Dumpert/Outflank-Dumpert/Syscalls.asm
https://github.com/j00ru/windows-syscalls/blob/master/x64/json/nt-per-syscall.json
https://gcc.gnu.org/onlinedocs/gcc/x86-Function-Attributes.html