Adding Syscalls and OS APIs
Overview
Qiling covers ~40% of Windows API and Linux syscalls. Community contributions are needed for the rest. The goal is “close enough to kernel” — not always 100% identical (e.g. pid/uid/mprotect can be stub returns).
POSIX Syscalls
Syscall implementations are split into modules by header file convention. Examples:
| Syscall | Header | File |
|---|---|---|
| setpriority | resource.h | posix/syscall/resource.py |
| clock_gettime | time.h | posix/syscall/time.py |
After implementing, register the syscall in qiling/os/linux/<arch>.py — map syscall name to syscall number.
Windows / UEFI OS API
Same principle: split by header file. The header file determines which module the API implementation belongs to.
Development Workflow
Before modifying core source, prototype with ql.os.set_api() or ql.os.set_syscall():
```python
from qiling.const import QL_INTERCEPT

# Test a custom syscall stub before committing to core
ql.os.set_syscall('write', my_write_impl, QL_INTERCEPT.CALL)
```
See hijack.md for full API hooking documentation.
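A prototype of the workflow above, as an added example that is not code from the Qiling project: a `write` replacement that returns negative errno values on bad input, plus a stub-return `setpriority`. The handler signatures and the use of `ql.mem.read` and `ql.os.fd` are assumptions about how the handlers are called; `FakeMem`, `install` and `demo` are hypothetical names constructed here so the handlers can be exercised without a rootfs.

```python
import errno
import io
from types import SimpleNamespace

def my_write_impl(ql, fd: int, buf: int, count: int) -> int:
    """write(2) replacement: copy guest bytes to the emulated file object."""
    try:
        fobj = ql.os.fd[fd] if fd >= 0 else None
    except (IndexError, KeyError):
        fobj = None
    if fobj is None or not hasattr(fobj, "write"):
        return -errno.EBADF              # Linux convention: negative errno
    try:
        data = bytes(ql.mem.read(buf, count))
    except Exception:                    # unmapped guest buffer
        return -errno.EFAULT
    fobj.write(data)
    return count

def my_setpriority_impl(ql, which: int, who: int, prio: int) -> int:
    """Stub return: report success without touching host scheduling."""
    return 0

def install(ql) -> None:
    """Register both prototypes on a real Qiling instance (needs qiling)."""
    from qiling.const import QL_INTERCEPT
    ql.os.set_syscall('write', my_write_impl, QL_INTERCEPT.CALL)
    ql.os.set_syscall('setpriority', my_setpriority_impl, QL_INTERCEPT.CALL)

class FakeMem:
    """Constructed stand-in for ql.mem: one mapped region at `base`."""
    def __init__(self, base: int, blob: bytes):
        self.base, self.blob = base, blob

    def read(self, addr: int, size: int) -> bytearray:
        off = addr - self.base
        if off < 0 or off + size > len(self.blob):
            raise ValueError("unmapped guest address")
        return bytearray(self.blob[off:off + size])

def demo():
    """Drive the handlers against the stand-in, without emulating a binary."""
    out = io.BytesIO()
    ql = SimpleNamespace(mem=FakeMem(0x1000, b"hello\n"),
                         os=SimpleNamespace(fd=[None, out]))
    rets = [my_write_impl(ql, 1, 0x1000, 6),   # valid fd and buffer
            my_write_impl(ql, 0, 0x1000, 6),   # closed fd slot
            my_write_impl(ql, 1, 0x9000, 6)]   # unmapped buffer
    return rets, out.getvalue()
```

On a real instance, call `install(ql)` before `ql.run()` so the replacements are in place when the first syscall fires.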
API Mapping
Windows and UEFI API mapping is done via ql.hook_code() at the OS layer.