I am trying to do some reversing to find out a function call behind

Question

0

Editorial Team

Asked: May 28, 20262026-05-28T14:48:15+00:00 2026-05-28T14:48:15+00:00

I am trying to do some reversing to find out a function call behind

0

I am trying to do some reversing to find out a function call behind the scene.

While debugging using windbg I came across a call,

mov     edx,offset SharedUserData!SystemCallStub
call    dword ptr [edx]

call leads to code below,

ntdll!KiFastSystemCall:

8bd4        mov     edx,esp
0f34        sysenter

According to this documentation, eax contains the system call ordinal.
and the value in eax is 11CC.

I am trying to figure out, what actually is this function which will be called. Does anyone has any idea how can I proceed further?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T14:48:16+00:00

Basically you need a way of dumping the SSDT – on x32 this can be done easily. Probably the easiest way is do look for a utility which would dump the SSDT along the necessary indexes and you will see what corresponds to this particular index. Basically eax would store an index in a function table so the system disaptcher would at some point do call FunctionTable[eax] A up-to-date listing of call tables can be found here

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I am trying to do some reversing to find out a function call behind

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply