# 系统调用 Radare2 allows manual search for assembly code looking like a syscall operation. For example on ARM platform usually they are represented by the `svc` instruction, on the others can be a different instructions, e.g. `syscall` on x86 PC. ``` [0x0001ece0]> /ad/ svc ... 0x000187c2 # 2: svc 0x76 0x000189ea # 2: svc 0xa9 0x00018a0e # 2: svc 0x82 ... ``` Syscalls detection is driven by `asm.os`, `asm.bits`, and `asm.arch`. Be sure to setup those configuration options accordingly. You can use `asl` command to check if syscalls' support is set up properly and as you expect. The command lists syscalls supported for your platform. ``` [0x0001ece0]> asl ... sd_softdevice_enable = 0x80.16 sd_softdevice_disable = 0x80.17 sd_softdevice_is_enabled = 0x80.18 ... ``` If you setup ESIL stack with `aei` or `aeim`, you can use `/as` command to search the addresses where particular syscalls were found and list them. ``` [0x0001ece0]> aei [0x0001ece0]> /as 0x000187c2 sd_ble_gap_disconnect 0x000189ea sd_ble_gatts_sys_attr_set 0x00018a0e sd_ble_gap_sec_info_reply ... ``` To reduce searching time it is possible to [restrict the searching](/radare2/intro-4/configurating_the_search.md) range for only executable segments or sections with `/as @e:search.in=io.maps.x` Using the [ESIL emulation](/radare2/intro-6/emulation.md) radare2 can print syscall arguments in the disassembly output. To enable the linear (but very rough) emulation use `asm.emu` configuration variable: ``` [0x0001ece0]> e asm.emu=true [0x0001ece0]> s 0x000187c2 [0x000187c2]> pdf~svc 0x000187c2 svc 0x76 ; 118 = sd_ble_gap_disconnect [0x000187c2]> ``` In case of executing `aae` (or `aaaa` which calls `aae`) command radare2 will push found syscalls to a special `syscall.` flagspace, which can be useful for automation purpose: ``` [0x000187c2]> fs 0 0 * imports 1 0 * symbols 2 1523 * functions 3 420 * strings 4 183 * syscalls [0x000187c2]> f~syscall ... 0x000187c2 1 syscall.sd_ble_gap_disconnect.0 0x000189ea 1 syscall.sd_ble_gatts_sys_attr_set 0x00018a0e 1 syscall.sd_ble_gap_sec_info_reply ... ``` It also can be interactively navigated through within HUD mode (`V_`) ``` 0> syscall.sd_ble_gap_disconnect - 0x000187b2 syscall.sd_ble_gap_disconnect 0x000187c2 syscall.sd_ble_gap_disconnect.0 0x00018a16 syscall.sd_ble_gap_disconnect.1 0x00018b32 syscall.sd_ble_gap_disconnect.2 0x0002ac36 syscall.sd_ble_gap_disconnect.3 ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://vxerlee.gitbook.io/radare2/intro-6/syscalls.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.