#!/usr/bin/env ruby
# Copyright (c) 2009 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# This is an idarub script for extracting system call numbers from a DLL that
# has been loaded into the IDA disassembler. The interesting system call stubs
# are contained in ntdll.dll, user32.dll, gdi32.dll, and imm32.dll.
require 'idarub'
# Attach to the running IDA instance; auto_client returns a tuple whose first
# element is the IDA proxy object used for every query below.
ida, *_rest = IdaRub.auto_client
# Name of the binary currently loaded in IDA, echoed in each output line.
filename = ida.get_root_filename
# Scan cursor for the stub search that follows; starts at address 0.
curea = 0
while true
curea = ida.find_binary(
curea, ida.BADADDR, 'ba 00 03 fe 7f', 16, ida.SEARCH_DOWN)
break if curea == ida.BADADDR
raise "z" if ida.get_byte(curea - 5) != 0xb8
syscall = ida.get_long(curea - 4)
# Remove the IDA _ prefix and the @argsize trailing decorator...
funcname = ida.get_func_name(curea).split('@', 2)[0].split('_', 2)[-1]
puts '%d: "%s!%s",' % [syscall, filename, funcname]
curea += 1