
How does Windows 11 handle incrementing low-level syscalls compared to W10

Çağlar Arlı


I implemented my own version of SysWhispers2 to parse ntdll and dynamically resolve syscall service numbers in Windows 11, under the assumption that the methodology would still be able to process syscalls correctly. The program itself works to resolve syscall numbers from what I can tell, by going between WinDbg and the program output to make sure addresses and the syscall number align.

However, I was watching Weaponizing Windows Syscalls and noticed the speaker said Windows syscalls no longer increment by one, which makes SysWhispers2, as well as my approach, no longer possible in cases where the syscall is not incremented by one.

I am compiling as a 64-bit executable rather than 32, so I do not have to deal with WoW64 transitioning from 32-bit compatibility mode to 64-bit, but I don't imagine WoW64 would have its own set of syscalls.

Essentially, I am wondering what the behavior is for syscall SSNs in W11. I would expect that they do not increment one-by-one, as they did not in later versions of W10 from what I understand. But from what I am able to tell, syscalls are still incremented one-by-one in W11.

I haven't been able to actually mock the syscalls yet in my own code (using something like SysWhispers3), but from what I can tell, the SSNs are correct and Windows is still incrementing syscalls by one. Is that true?

I am using W11 (23H2) Pro.