Comments by "zenith parsec" (@zenithparsec) on "Reverse Engineering - Computerphile" video.
-
15:33 Library or external function calls and system calls are being conflated.
Typical user code doesn't directly make system calls.
These are implemented as a "magic" instruction (this is all generalized) which allows a userland program to execute a small chunk of kernel code.
By magic instruction I mean "an instruction which causes the kernel to shut up and pay attention", i.e. throws an interrupt of some sort. The mnemonic "syscall" is an assembly instruction on several different architectures, and even on the same hardware, various operating systems (and even versions of them) can use different instructions. (Nothing is stopping you from saying "A syscall instruction is any instruction which causes a protection fault when writing to a valid syscall number." Provided your kernel can tell that happened and react to it appropriately, the mechanism doesn't matter.)
While the mechanism you use to call them varies, all of them need you to tell the kernel what you want them to do as well as that you want them to do something.
The parameters to the syscalls go in registers (or in a specific region of memory) and include the system call number you want to run, telling the kernel how the arguments should be interpreted.
Once you have set up the parameters, you execute your magic instruction, which interrupts the kernel, which looks at your request and fills in the reply. Then the process returns from kernel mode, and continues.
These operations are often done by system library code, because different systems might use different system calls, but as long as the library call takes the same arguments, your code will still work.
That's why there's a distinction between library code and system calls.
The only other times you need to know what a system call is are if you are reversing a statically linked binary (which puts all the library code it is going to use directly into the program, and it can make them massive) or if you are working with shellcode (like an exploit for a vulnerability might use).
3
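The distinction drawn in the comment above, as an added example that is not part of the original comment: the same write reaches the kernel through a library call, through libc's generic syscall helper, and through the trap instruction itself. It assumes Linux, with the raw path written for x86-64 (other targets fall back to the helper), and the function names are illustrative; it also shows that the raw route returns a negative errno where libc returns -1, which is what you see when reversing statically linked code.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Route 1: ordinary library call. libc loads the registers and traps for us. */
static long via_libc(int fd, const char *s) { return write(fd, s, strlen(s)); }

/* Route 2: libc's generic syscall(2) helper; we supply the syscall number. */
static long via_syscall_helper(int fd, const char *s) { return syscall(SYS_write, fd, s, strlen(s)); }

/* Route 3: the trap instruction itself (x86-64 Linux: number in rax,
 * arguments in rdi/rsi/rdx, result back in rax as a count or -errno). */
static long via_raw_instruction(int fd, const char *s) {
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile("syscall" : "=a"(ret)
                     : "0"((long)SYS_write), "D"((long)fd), "S"(s), "d"(strlen(s))
                     : "rcx", "r11", "memory"); /* the instruction clobbers rcx and r11 */
    return ret;
#else /* other targets: reuse the helper, mimic the kernel's -errno return */
    long r = syscall(SYS_write, fd, s, strlen(s));
    return r < 0 ? -errno : r;
#endif
}

/* Push one constructed message through each route into a pipe and count
 * how many routes delivered exactly the same bytes. */
static int routes_agreeing(void) {
    long (*route[3])(int, const char *) = {via_libc, via_syscall_helper, via_raw_instruction};
    const char *msg = "hello from userland\n"; /* constructed sample input */
    char buf[64];
    int p[2], ok = 0;
    if (pipe(p) != 0) return -1;
    for (int i = 0; i < 3; i++) {
        long n = route[i](p[1], msg);
        if (n == (long)strlen(msg) && read(p[0], buf, sizeof buf) == n && !memcmp(buf, msg, (size_t)n)) ok++;
    }
    close(p[0]); close(p[1]);
    return ok;
}

int main(void) {
    printf("routes agreeing: %d of 3\n", routes_agreeing());
    printf("bad fd: libc=%ld raw=%ld\n", via_libc(-1, "x"), via_raw_instruction(-1, "x"));
    return 0;
}
```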