Posted: Mon May 09, 2005 3:21 pm Post subject: Hooking the nt api
I'm writing a kernel driver and trying to hook some of the NT API. I'm mainly trying to hide a program of mine from another process. I took a look at some of your code and noticed NtUserBuildHwndList and a few other NT APIs that you hook. I'm wondering how you figured out what the call numbers for these were in the descriptor table? I read that the Zw functions just load eax with the call number of the equivalent Nt API function and int 2Eh it to the kernel, so I can figure out what those calls are, but what about NtUserBuildHwndList and the other few Nt functions? How did you find out what each of their call numbers were?
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Mon May 09, 2005 5:16 pm Post subject: Re: Hooking the nt api
skeet8812 wrote:
I'm writing a kernel driver and trying to hook some of the NT API. I'm mainly trying to hide a program of mine from another process. I took a look at some of your code and noticed NtUserBuildHwndList and a few other NT APIs that you hook. I'm wondering how you figured out what the call numbers for these were in the descriptor table? I read that the Zw functions just load eax with the call number of the equivalent Nt API function and int 2Eh it to the kernel, so I can figure out what those calls are, but what about NtUserBuildHwndList and the other few Nt functions? How did you find out what each of their call numbers were?
Yes, if those are correct. I found that page but wasn't sure if it was correct though. I would also like to know how they were found so I know 100% for sure they're right, and maybe then I can write a function for finding the values without disassembling things by hand.
Joined: 18 Jul 2004 Posts: 193 Location: USA Chicago
Posted: Mon May 09, 2005 5:46 pm Post subject:
skeet8812 wrote:
Yes, if those are correct. I found that page but wasn't sure if it was correct though. I would also like to know how they were found so I know 100% for sure they're right, and maybe then I can write a function for finding the values without disassembling things by hand.
I'm Dark Byte, but not at home right now (and since I haven't added this IP to Dark Byte's allowed IP list I can't log on to it without getting IP banned).
The method I use to find the call numbers:
I wrote a small program (systemcallsignaler) that calls some Windows APIs that use those internal NtUser APIs.
Before it makes such a call it signals the debugger (systemcallretriever) that it's going to enter such an API and tells it which API it is. The debugger will then start single-stepping until a call to the system is made (e.g. int 2e or that fastcall API); at that point eax will hold the call number and that's what I store. (Note that the value of eax will need to be decreased by 0x100 to get a valid call number.)
I then verify it's correct by looking at the shadow table parameter list and confirming the number of parameters equals what I need.
The driver searches for the shadow descriptor table by looking for a descriptor table that points to the memory of win32k.sys (usually a0000000).
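The verification step described above (decode the number the stub loads into eax, then compare the parameter count against the shadow table) is also the core of a table integrity check: read the service number and the `ret imm16` argument size out of the user-mode stub, then confirm that the table entry at that index carries the same argument size and still points into the image that owns the table (win32k.sys for the shadow table). The C program below is an added example, not code from this thread or from Cheat Engine. It runs entirely on constructed in-memory data (a fake table, a fake image range and two hand-assembled stubs) rather than on a live system, and it splits the eax value the way the 32-bit dispatcher does, with the low 12 bits as the table index and bits 12-13 selecting the table. The table layout and field names (service table, count, argument-byte table) are this example's assumptions that mirror the x86 service descriptor table shape; nothing here is read from a real kernel.

```c
/* Added example: decode a 32-bit Windows system-service stub and check the
 * matching service-table entry. Everything below is constructed in memory;
 * nothing reads a live system. Table layout and names are assumptions that
 * mirror the x86 service descriptor table shape, not real kernel data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What a user-mode stub tells us:
 *   mov eax, imm32          B8 xx xx xx xx   service number
 *   <transition sequence>   int 2Eh, or call through KiFastSystemCall
 *   ret imm16 / ret         C2 xx xx / C3    bytes of stdcall arguments */
typedef struct {
    uint32_t service;   /* full value loaded into eax */
    uint32_t table;     /* bits 12-13: 0 = main table, 1 = shadow table */
    uint32_t index;     /* low 12 bits: index into that table */
    uint32_t arg_bytes; /* stack bytes released by ret imm16 */
} stub_info;

/* Transition sequences seen between the mov and the ret on 32-bit Windows. */
static const uint8_t TRANS_INT2E[]    = { 0x8D,0x54,0x24,0x04, 0xCD,0x2E };     /* lea edx,[esp+4]; int 2Eh */
static const uint8_t TRANS_FASTCALL[] = { 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12 }; /* mov edx,7FFE0300h; call [edx] */

/* Returns 0 and fills *out on success, -1 if the bytes are not a recognised stub. */
int decode_stub(const uint8_t *code, size_t len, stub_info *out)
{
    if (len < 5 || code[0] != 0xB8) return -1;
    uint32_t eax = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    size_t pos = 5;
    if (len >= pos + sizeof TRANS_INT2E &&
        memcmp(code + pos, TRANS_INT2E, sizeof TRANS_INT2E) == 0)
        pos += sizeof TRANS_INT2E;
    else if (len >= pos + sizeof TRANS_FASTCALL &&
             memcmp(code + pos, TRANS_FASTCALL, sizeof TRANS_FASTCALL) == 0)
        pos += sizeof TRANS_FASTCALL;
    else
        return -1;
    uint32_t arg_bytes;
    if (pos < len && code[pos] == 0xC3)
        arg_bytes = 0;                                  /* plain ret: no arguments */
    else if (pos + 2 < len && code[pos] == 0xC2)
        arg_bytes = code[pos + 1] | (uint32_t)code[pos + 2] << 8;
    else
        return -1;
    out->service   = eax;
    out->table     = (eax >> 12) & 3;
    out->index     = eax & 0xFFF;
    out->arg_bytes = arg_bytes;
    return 0;
}

/* Simplified descriptor table: handler addresses, count, per-entry argument
 * bytes, and the image range the handlers are expected to live in. */
typedef struct {
    const uint32_t *service_table;
    uint32_t        number_of_services;
    const uint8_t  *param_table;
    uint32_t        image_base;
    uint32_t        image_size;
} service_table;

enum { CHECK_OK = 0, CHECK_BAD_INDEX, CHECK_ARG_MISMATCH, CHECK_OUTSIDE_IMAGE };

/* Cross-check a decoded stub against the table it selects. */
int check_entry(const service_table *t, const stub_info *s)
{
    if (s->index >= t->number_of_services)        return CHECK_BAD_INDEX;
    if (t->param_table[s->index] != s->arg_bytes) return CHECK_ARG_MISMATCH;
    uint32_t target = t->service_table[s->index];
    if (target < t->image_base || target - t->image_base >= t->image_size)
        return CHECK_OUTSIDE_IMAGE;                 /* handler redirected out of the image */
    return CHECK_OK;
}

/* Constructed sample: a win32k-style shadow table in the a0000000 range the
 * post mentions, with entry 6 redirected somewhere outside that image. */
static const uint32_t SAMPLE_SERVICES[8] = {
    0xA0010000, 0xA0010100, 0xA0010200, 0xA0010300,
    0xA0010400, 0xA0010500, 0x81234567 /* not in win32k */, 0xA0010700 };
static const uint8_t SAMPLE_PARAMS[8] = { 0x04, 0x08, 0x0C, 0x10, 0x14, 0x1C, 0x08, 0x04 };
static const service_table SAMPLE_SHADOW = { SAMPLE_SERVICES, 8, SAMPLE_PARAMS, 0xA0000000, 0x00180000 };

/* Hand-assembled stubs (constructed): service 0x1005 with 7 dword arguments via
 * the fastcall sequence, and service 0x1006 with 2 dword arguments via int 2Eh. */
static const uint8_t STUB_OK[]     = { 0xB8,0x05,0x10,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F,0xFF,0x12, 0xC2,0x1C,0x00 };
static const uint8_t STUB_HOOKED[] = { 0xB8,0x06,0x10,0x00,0x00, 0x8D,0x54,0x24,0x04,0xCD,0x2E, 0xC2,0x08,0x00 };

/* Decode a stub and check it against the sample shadow table. */
int check_stub(const uint8_t *code, size_t len, stub_info *info)
{
    if (decode_stub(code, len, info) != 0) return -1;
    return check_entry(&SAMPLE_SHADOW, info);
}

int main(void)
{
    static const char *names[] = { "ok", "bad index", "argument size mismatch", "handler outside image" };
    stub_info s;
    int r = check_stub(STUB_OK, sizeof STUB_OK, &s);
    printf("service %#x table %u index %u args %u -> %s\n", s.service, s.table, s.index, s.arg_bytes, names[r]);
    r = check_stub(STUB_HOOKED, sizeof STUB_HOOKED, &s);
    printf("service %#x table %u index %u args %u -> %s\n", s.service, s.table, s.index, s.arg_bytes, names[r]);
    return 0;
}
```

A redirected entry shows up as CHECK_OUTSIDE_IMAGE; a stub whose `ret` size disagrees with the table's argument count shows up as CHECK_ARG_MISMATCH, which is the same cross-check Dark Byte describes doing by hand against the shadow table parameter list.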