Conversation

@psolvx
Contributor

@psolvx psolvx commented Sep 25, 2025

Modified idea from #1824 by @1ndahous3, so most of that PR is included, with some changes.

fill_fmt_args uses parsers specified by:

  • syscall name and argument name
  • argument name
  • argument type

Subkeys from #1850 are used to have "Arguments" and "Extra" subkeys. Parsers can modify output argument values or add data to the "Extra" subkey.

There are 2 boolean options:

  • --syscall-nested-args - controls if arguments are nested in an "Arguments" subkey
  • --syscall-dereference-args - controls if argument pointers are dereferenced and enables extra parsers (the goal was for the default setting to leave only parsers corresponding to the previous parse_argument and win_extract_string functions; it's up to each parser to respect that)

With both of these flags disabled, the output format should be backwards compatible.

New parsers allow for reading:

  • PID from ProcessHandle,
  • TID, PID from ThreadHandle,
  • rip, rcx from NtSetContextThread Context argument
  • eip, eax from NtSetInformationThread Wow64Context argument

This PR is based on #1850 and also #1851 (though this one is not strictly necessary).
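The three-level parser lookup and the two flags described in this PR, modelled as an added, self-contained example; this is not DRAKVUF's code and the names (`ParserRegistry`, `Options`, `fill_fmt_args` as written here), the constructed handle table and guest memory, and the assumed CONTEXT offsets 0xf8/0x80 for rip/rcx are all illustrative assumptions:

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Hypothetical model of the parser selection described in the PR.
struct Options {
    bool nested_args = false;      // --syscall-nested-args
    bool dereference_args = false; // --syscall-dereference-args
};

struct Arg { std::string name, type; uint64_t value; };

using KV = std::map<std::string, std::string>;

// Output record: flat (legacy) keys plus the "Arguments" and "Extra" subkeys.
struct Output { KV top, arguments, extra; };

// A parser may rewrite the printed value and/or append data to "Extra".
using Parser = std::function<void(const Arg&, const Options&, std::string& value, KV& extra)>;

struct ParserRegistry {
    std::map<std::string, Parser> by_syscall_and_arg; // key "Syscall:ArgName"
    std::map<std::string, Parser> by_arg;             // key "ArgName"
    std::map<std::string, Parser> by_type;            // key "ArgType"

    // Resolution order from the PR: the most specific key wins.
    const Parser* find(const std::string& syscall, const Arg& a) const {
        if (auto it = by_syscall_and_arg.find(syscall + ":" + a.name); it != by_syscall_and_arg.end())
            return &it->second;
        if (auto it = by_arg.find(a.name); it != by_arg.end()) return &it->second;
        if (auto it = by_type.find(a.type); it != by_type.end()) return &it->second;
        return nullptr;
    }
};

static std::string hex(uint64_t v) {
    char buf[32];
    std::snprintf(buf, sizeof buf, "0x%llx", static_cast<unsigned long long>(v));
    return buf;
}

Output fill_fmt_args(const std::string& syscall, const std::vector<Arg>& args,
                     const ParserRegistry& reg, const Options& opt) {
    Output out;
    for (const Arg& a : args) {
        std::string value = hex(a.value);
        if (const Parser* p = reg.find(syscall, a)) (*p)(a, opt, value, out.extra);
        // Without --syscall-nested-args the argument lands at top level (old format).
        (opt.nested_args ? out.arguments : out.top)[a.name] = value;
    }
    return out;
}

// Constructed stand-ins for guest state: a handle table and a few guest memory cells.
static const std::map<uint64_t, uint64_t> handle_to_pid = {{0x1c8, 1234}, {0x2f4, 1234}};
static const std::map<uint64_t, std::string> guest_strings = {{0x7ff00000, "\\??\\C:\\x.sys"}};
static const std::map<uint64_t, uint64_t> guest_qwords = {{0x2000 + 0xf8, 0x401000}, {0x2000 + 0x80, 0x7}};

ParserRegistry make_registry() {
    ParserRegistry reg;
    // Type parser: stands in for the pre-existing string extraction, so it ignores the flag.
    reg.by_type["PUNICODE_STRING"] = [](const Arg& a, const Options&, std::string& value, KV&) {
        if (auto it = guest_strings.find(a.value); it != guest_strings.end()) value = it->second;
    };
    // Argument-name parser: extra data only when dereferencing is enabled.
    Parser handle_parser = [](const Arg& a, const Options& o, std::string&, KV& extra) {
        if (!o.dereference_args) return;
        if (auto it = handle_to_pid.find(a.value); it != handle_to_pid.end())
            extra[a.name + ".PID"] = std::to_string(it->second);
    };
    reg.by_arg["ProcessHandle"] = handle_parser;
    reg.by_arg["ThreadHandle"] = handle_parser;
    // Syscall+argument parser: would win over a by_type["PCONTEXT"] entry if one existed.
    reg.by_syscall_and_arg["NtSetContextThread:Context"] = [](const Arg& a, const Options& o, std::string&, KV& extra) {
        if (!o.dereference_args) return;
        // Offsets 0xf8 (Rip) and 0x80 (Rcx) are assumed x64 CONTEXT layout values.
        if (auto it = guest_qwords.find(a.value + 0xf8); it != guest_qwords.end()) extra["Context.rip"] = hex(it->second);
        if (auto it = guest_qwords.find(a.value + 0x80); it != guest_qwords.end()) extra["Context.rcx"] = hex(it->second);
    };
    return reg;
}

// Runs one constructed syscall through the registry with the given flag settings.
Output run_sample(const std::string& syscall, bool nested, bool deref) {
    static const std::map<std::string, std::vector<Arg>> samples = {
        {"NtLoadDriver", {{"DriverServiceName", "PUNICODE_STRING", 0x7ff00000}}},
        {"NtSetContextThread", {{"ThreadHandle", "HANDLE", 0x2f4}, {"Context", "PCONTEXT", 0x2000}}},
    };
    Options opt; opt.nested_args = nested; opt.dereference_args = deref;
    return fill_fmt_args(syscall, samples.at(syscall), make_registry(), opt);
}

int main() {
    Output o = run_sample("NtSetContextThread", true, true);
    for (const auto& [k, v] : o.arguments) std::printf("Arguments.%s=%s\n", k.c_str(), v.c_str());
    for (const auto& [k, v] : o.extra) std::printf("Extra.%s=%s\n", k.c_str(), v.c_str());
    return 0;
}
```

With both flags off, only the string parser (the legacy behaviour) changes anything and every argument stays a top-level key; with both on, handles and the Context pointer are followed and their derived values land under "Extra" while the raw arguments move under "Arguments".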

@drakvuf-jenkins
Collaborator

Can one of the admins verify this patch?

@psolvx psolvx force-pushed the syscall-deref-args-refactor branch from b493c66 to e92e096 Compare September 25, 2025 16:21