Identifying system calls when reversing samples

Posted by trammel at 2020-02-25

Reversing when there is no symbol table

On Linux a program can be stripped with the strip utility. The stripped executable is smaller and runs exactly as before, but it causes trouble for anyone reversing it: without a symbol table every function shows up in IDA as sub_XXXX, which makes the analysis much harder.

What follows is a short record of how system calls can be identified on each of the common platforms.

System call identification on common platforms

Whichever platform you are on, identifying a system call comes down to two things: the instruction that performs the call, and the system call number.

Which kernel function a system call performs is determined by the system call number alone, so the mapping from number to function has to be looked up in the platform's header file (the asm/unistd.h family in the kernel tree). Note that the numbers differ between architectures, so the header must match the sample's architecture.

I have collected all the syscall-related header files I could find in the reverse bins project on GitHub for reference.



On ARM there are two conventions. In one the call number is placed in a register before the call instruction (the EABI convention: the number goes in r7 and the call is svc 0); in the other the number is encoded in the call instruction itself (the older OABI convention: swi 0x900000 plus the call number, with no register write beforehand). Both occur in the wild, so a sample has to be checked for both:

Register assignment: mov r7, #n followed by svc 0

Specified in the instruction: swi 0x900000+n






This is a record of how system call functions can be identified when no symbol table is present, for reference when reversing Linux binaries.

The same pairing of call instruction and call number can be implemented as an IDA script to save reversing time. When analysing Mirai samples it saved about 30% of the analysis time.