# Copyright 2017-2026 Rivoreo
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR
# IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# To build for NT 5.0 kernel:
# as --defsym SYS_NtQueryInformationProcess=134 --defsym SYS_NtWriteFile=237 --defsym SYS_NtDisplayString=57 --defsym SYS_NtTerminateProcess=224 hello-i386-nt.s -o hello-i386-nt.o
# ld -m i386pe --strip-all --no-insert-timestamp --entry _NtProcessStartup hello-i386-nt.o -o hello-i386-nt
# NT 3.5 kernel
# .set SYS_NtQueryInformationProcess, 98
# .set SYS_NtWriteFile, 184
# .set SYS_NtDisplayString, 41
# .set SYS_NtTerminateProcess, 170
# NT 3.51 kernel
# .set SYS_NtQueryInformationProcess, 103
# .set SYS_NtWriteFile, 192
# .set SYS_NtDisplayString, 43
# .set SYS_NtTerminateProcess, 178
# NT 5.0 kernel
# .set SYS_NtQueryInformationProcess, 134
# .set SYS_NtWriteFile, 237
# .set SYS_NtDisplayString, 57
# .set SYS_NtTerminateProcess, 224
# NT 5.1 kernel
# .set SYS_NtQueryInformationProcess, 154
# .set SYS_NtWriteFile, 274
# .set SYS_NtDisplayString, 67
# .set SYS_NtTerminateProcess, 257
# NT 5.2 kernel
# .set SYS_NtQueryInformationProcess, 161
# .set SYS_NtWriteFile, 284
# .set SYS_NtDisplayString, 70
# .set SYS_NtTerminateProcess, 266
# NT 6.0.6000 kernel
# .set SYS_NtQueryInformationProcess, 228
# .set SYS_NtWriteFile, 359
# .set SYS_NtDisplayString, 128
# .set SYS_NtTerminateProcess, 338
# NT 6.0.6001 kernel
# .set SYS_NtQueryInformationProcess, 228
# .set SYS_NtWriteFile, 355
# .set SYS_NtDisplayString, 128
# .set SYS_NtTerminateProcess, 334
# NT 6.1 kernel
# .set SYS_NtQueryInformationProcess, 234
# .set SYS_NtWriteFile, 396
# .set SYS_NtDisplayString, 109
# .set SYS_NtTerminateProcess, 370
# NT 6.2 kernel
# .set SYS_NtQueryInformationProcess, 176
# .set SYS_NtWriteFile, 5
# .set SYS_NtDisplayString, 305
# .set SYS_NtTerminateProcess, 35
# NT 6.3 kernel
# .set SYS_NtQueryInformationProcess, 179
# .set SYS_NtWriteFile, 6
# .set SYS_NtDisplayString, 309
# .set SYS_NtTerminateProcess, 35
.section .rodata
.align 0
# ANSI text for NtWriteFile.  Two lines of 12 + 13 = 25 bytes; the code
# below writes either the first 12 bytes or all 25, so the two .ascii
# directives must stay adjacent.
helloworld:
.ascii "Hello world\n"
.ascii "From NT mode\n"
# UTF-16LE buffer for NtDisplayString: 12 code units = 24 bytes, no terminator
# (the UNICODE_STRING below carries the length instead).
helloworld_w:
.ascii "H\0e\0l\0l\0o\0 \0w\0o\0r\0l\0d\0\n\0"
# UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; }
helloworld_nt_string:
.short 24 # Length, in bytes
.short 24 # MaximumLength, in bytes
.long helloworld_w # Buffer: 32-bit absolute address of the wide text
.text
.global _NtProcessStartup
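#-----------------------------------------------------------------------
# void NtProcessStartup(PVOID StartupArgument)   -- native (non-Win32) entry
# Target: i386 NT kernel, raw system calls via "int $0x2e":
#         eax = service number (SYS_* symbols, see --defsym at the top),
#         edx = pointer to the argument block pushed on the user stack,
#         eax = NTSTATUS on return (sign bit set means failure).
# Stack:  the startup argument is at 4(%esp) on entry.  Each argument
#         block is pushed right before its call and popped right after,
#         so %esp is back at its entry value at skip_to_display_string.
#         The PROCESS_BASIC_INFORMATION and IO_STATUS_BLOCK scratch
#         buffers are placed *below* %esp; nothing else runs on this
#         stack between the kernel's write and our read, so that holds.
# Clobbers: eax, ecx, edx, flags.  Never returns: ends in
#         NtTerminateProcess (if that call fails, e.g. wrong SYS_ number,
#         execution falls off the end of .text).
#-----------------------------------------------------------------------
_NtProcessStartup:
	# Named constants for the 32-bit NT structure layouts used below.
	.set NT_CURRENT_PROCESS, -1		# NtCurrentProcess() pseudo-handle
	.set PROCESS_BASIC_INFORMATION_CLASS, 0	# ProcessBasicInformation
	.set PBI_SIZE, 24			# sizeof(PROCESS_BASIC_INFORMATION)
	.set PBI_PEB_BASE_ADDRESS, 4		# PROCESS_BASIC_INFORMATION.PebBaseAddress
	.set PEB_PROCESS_PARAMETERS, 16		# PEB.ProcessParameters
	.set UPP_STANDARD_OUTPUT, 28		# RTL_USER_PROCESS_PARAMETERS.StandardOutput
	.set IOSB_SIZE, 8			# sizeof(IO_STATUS_BLOCK)
	.set HELLO_LEN_SHORT, 12		# "Hello world\n"
	.set HELLO_LEN_FULL, 25			# both lines of helloworld

	# --- NtQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation,
	#                               &pbi, sizeof pbi, NULL)
	# pbi occupies the PBI_SIZE bytes just below the 20-byte argument block.
	leal	-20-PBI_SIZE(%esp), %eax	# eax = &pbi
	pushl	$0				# ReturnLength = NULL
	pushl	$PBI_SIZE			# ProcessInformationLength
	pushl	%eax				# ProcessInformation = &pbi
	pushl	$PROCESS_BASIC_INFORMATION_CLASS # ProcessInformationClass
	pushl	$NT_CURRENT_PROCESS		# ProcessHandle
	movl	$SYS_NtQueryInformationProcess, %eax
	movl	%esp, %edx			# edx -> argument block
	int	$0x2e
	# With the block still pushed, pbi starts at -PBI_SIZE(%esp).
	movl	-PBI_SIZE+PBI_PEB_BASE_ADDRESS(%esp), %ecx # ecx = pbi.PebBaseAddress
	addl	$20, %esp			# pop the argument block
	# Only trust pbi if the call succeeded; with a wrong SYS_ number for this
	# kernel the buffer is uninitialised stack and must not be dereferenced.
	testl	%eax, %eax
	js	skip_to_display_string
	movl	%ecx, %eax			# eax = PEB
	movl	PEB_PROCESS_PARAMETERS(%eax), %edx # edx = PEB->ProcessParameters
	testl	%edx, %edx
	jz	skip_to_display_string		# no process parameters: nothing to write to
	movl	UPP_STANDARD_OUTPUT(%edx), %edx	# edx = ->StandardOutput handle
	testl	%edx, %edx
	jle	skip_to_display_string		# NULL or negative (e.g. INVALID_HANDLE_VALUE) handle

	# Byte count to write, branch-free:
	#   ecx = (StartupArgument == PEB) ? 1 : 0
	#   ecx-- -> 0 / -1 ;  & (12-25) -> 0 / -13 ;  + 25 -> 25 / 12
	# i.e. both lines when the startup argument is the PEB itself, otherwise
	# only "Hello world\n".
	xorl	%ecx, %ecx
	cmpl	%eax, 4(%esp)
	sete	%cl
	decl	%ecx
	andl	$HELLO_LEN_SHORT-HELLO_LEN_FULL, %ecx
	addl	$HELLO_LEN_FULL, %ecx

	# --- NtWriteFile(stdout, NULL, NULL, NULL, &iosb, helloworld, ecx, NULL, NULL)
	# iosb occupies the IOSB_SIZE bytes just below the 36-byte argument block.
	leal	-36-IOSB_SIZE(%esp), %eax	# eax = &iosb
	pushl	$0				# Key
	pushl	$0				# ByteOffset = NULL (current position)
	pushl	%ecx				# Length
	pushl	$helloworld			# Buffer
	pushl	%eax				# IoStatusBlock
	pushl	$0				# ApcContext
	pushl	$0				# ApcRoutine
	pushl	$0				# Event
	pushl	%edx				# FileHandle
	movl	$SYS_NtWriteFile, %eax
	movl	%esp, %edx			# edx -> argument block
	int	$0x2e				# status deliberately ignored: best effort
	addl	$36, %esp			# pop the argument block

skip_to_display_string:
	# --- NtDisplayString(&helloworld_nt_string): text to the kernel console.
	pushl	$helloworld_nt_string		# String
	movl	$SYS_NtDisplayString, %eax
	movl	%esp, %edx			# edx -> argument block
	int	$0x2e				# status ignored: best effort
	addl	$4, %esp

	# --- NtTerminateProcess(NtCurrentProcess(), STATUS_SUCCESS): no return.
	pushl	$0				# ExitStatus
	pushl	$NT_CURRENT_PROCESS		# ProcessHandle
	movl	$SYS_NtTerminateProcess, %eax
	movl	%esp, %edx			# edx -> argument block
	int	$0x2e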