Linux syscall calling convention:
  rax - syscall number
  rdi, rsi, rdx, r10, r8, r9 - arguments (in that order)
  return value placed in rax

Instruction set (mnemonic > encoding bytes):

mov rax, imm64 >48 b8 IMM64
xor eax, eax >31 c0 (sets rax to 0, much shorter than mov rax, 0)
xor edx, edx >31 d2
mov rdest, rsrc >48 89 (dest | src << 3 | 0xc0)
  register numbers for dest/src:
    ax bx cx dx sp bp si di
     0  3  1  2  4  5  6  7
mov r8, rax >49 89 c0 (for syscalls)
mov r9, rax >49 89 c1 (for syscalls)
mov r10, rax >49 89 c2 (for syscalls)
xchg rax, rbx >48 93

mov qword [rbx], rax >48 89 03
mov rax, qword [rbx] >48 8b 03
mov dword [rbx], eax >89 03
mov eax, dword [rbx] >8b 03
mov word [rbx], ax >66 89 03
mov ax, word [rbx] >66 8b 03
mov byte [rbx], al >88 03
mov al, byte [rbx] >8a 03
mov rax, qword [rbp+imm32] >48 8b 85 IMM32 (note: imm may be negative)
mov qword [rbp+imm32], rax >48 89 85 IMM32 (note: imm may be negative)
mov qword [rsp], rbp >48 89 2c 24
mov rbp, qword [rsp] >48 8b 2c 24
mov ebx, imm32 >bb IMM32

neg rax >48 f7 d8
add rax, rbx >48 01 d8
sub rax, rbx >48 29 d8
imul rbx >48 f7 eb
idiv rbx >48 f7 fb
mul rbx >48 f7 e3
div rbx >48 f7 f3
not rax >48 f7 d0
and rax, rbx >48 21 d8
or rax, rbx >48 09 d8
xor rax, rbx >48 31 d8
shl rax, cl >48 d3 e0
shl rax, imm8 >48 c1 e0 IMM8
shr rax, cl >48 d3 e8
shr rax, imm8 >48 c1 e8 IMM8
sar rax, cl >48 d3 f8
sar rax, imm8 >48 c1 f8 IMM8
sub rsp, imm32 >48 81 ec IMM32
add rsp, imm32 >48 81 c4 IMM32

cmp rax, rbx >48 39 d8
test rax, rax >48 85 c0
jmp rel32 >e9 REL32
je rel32 >0f 84 REL32
jne rel32 >0f 85 REL32
jl rel32 >0f 8c REL32
jg rel32 >0f 8f REL32
jb rel32 >0f 82 REL32
ja rel32 >0f 87 REL32
call rax >ff d0
ret >c3
syscall >0f 05
nop >90

(more will be added as needed)

to be removed:
mov qword [rsp], rax >48 89 04 24
mov rax, qword [rsp] >48 8b 04 24
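The entries above are hand-assembled bytes, and the `mov rdest, rsrc` line is the one rule given as a formula. The following Python encoder is an added example, not part of the original cheat sheet: it implements that ModRM formula, generalizes it to r8-r15 through the REX.R/REX.B bits (which is where the `49` prefix on `mov r8, rax` comes from), encodes the rel32 branch forms with the displacement measured from the end of the jump instruction, and assembles an `exit(code)` sequence using the syscall convention at the top of the page. The function names and the `REG` table are this example's own; the expected byte sequences are checked against the cheat sheet's entries.

```python
# Added example: a small encoder for the x86-64 forms in the cheat sheet.
# Function names and the REG table are this example's own conventions.
import struct

# Register numbers: ax=0 cx=1 dx=2 bx=3 sp=4 bp=5 si=6 di=7 (as in the sheet);
# r8-r15 are 8-15 and need a REX extension bit for the high bit.
REG = {
    "rax": 0, "rcx": 1, "rdx": 2, "rbx": 3, "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7,
    "r8": 8, "r9": 9, "r10": 10, "r11": 11, "r12": 12, "r13": 13, "r14": 14, "r15": 15,
}


def rex(w=1, r=0, b=0):
    """REX prefix 0100WRXB: W = 64-bit operand, R extends ModRM.reg, B extends ModRM.rm."""
    return bytes([0x40 | (w << 3) | (r << 2) | b])


def mov_reg_reg(dest, src):
    """mov dest, src (64-bit): REX 89 /r with ModRM = 0xc0 | src<<3 | dest.

    For rax..rdi this is exactly the sheet's 48 89 (dest | src << 3 | 0xc0);
    for r8-r15 the high register bit moves into REX.R (src) or REX.B (dest).
    """
    d, s = REG[dest], REG[src]
    modrm = 0xC0 | ((s & 7) << 3) | (d & 7)
    return rex(w=1, r=s >> 3, b=d >> 3) + bytes([0x89, modrm])


def mov_rax_imm64(imm):
    """mov rax, imm64 -> 48 b8 IMM64 (little-endian, 8 bytes)."""
    return b"\x48\xb8" + struct.pack("<q", imm)


def mov_rbp_disp_store(disp):
    """mov qword [rbp+imm32], rax -> 48 89 85 IMM32; disp may be negative."""
    return b"\x48\x89\x85" + struct.pack("<i", disp)


def jmp_rel32(target, insn_addr):
    """jmp rel32 -> e9 REL32; rel32 is relative to the end of this 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", target - (insn_addr + 5))


def je_rel32(target, insn_addr):
    """je rel32 -> 0f 84 REL32; relative to the end of this 6-byte instruction."""
    return b"\x0f\x84" + struct.pack("<i", target - (insn_addr + 6))


def syscall():
    return b"\x0f\x05"


def exit_stub(code):
    """exit(code) using the convention above: rax = syscall number 60, rdi = code.

    The sheet has no direct mov rdi, imm form, so the value goes through rax:
    mov rax, code ; mov rdi, rax ; mov rax, 60 ; syscall
    """
    return (
        mov_rax_imm64(code)
        + mov_reg_reg("rdi", "rax")
        + mov_rax_imm64(60)
        + syscall()
    )


if __name__ == "__main__":
    # Cross-check a few encodings against the cheat sheet, then dump the stub.
    assert mov_reg_reg("r8", "rax") == bytes.fromhex("4989c0")
    assert mov_reg_reg("r10", "rax") == bytes.fromhex("4989c2")
    print(exit_stub(42).hex(" "))
```

Running the module prints the 25-byte `exit(42)` sequence; the cross-checks inside `__main__` confirm the generalized formula reproduces the sheet's `mov r8, rax` and `mov r10, rax` bytes. When building branches by hand, the rel32 helpers are the part most worth keeping, since an off-by-five or off-by-six in the displacement is the usual mistake.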