About Nt* and Zw* prefixes in ring0.

Hi, a simple question.
In ring0, do calls to Zw*-prefixed routines need the SSDT (System Service Descriptor Table) to locate their address? Am I right?
If there is an SSDT hook, it will work. Am I right?
What about calling Nt*-prefixed routines directly? Do they use the SSDT too, or not?
Can this way make the SSDT useless?



Trying again, your questions are answered in this article.

http://www.osronline.com/article.cfm?article=257

On 7/20/07, wrote:
>
> Hi, a simple question.
> In ring0, do calls to Zw*-prefixed routines need the SSDT (System Service
> Descriptor Table) to locate their address? Am I right?
> If there is an SSDT hook, it will work. Am I right?
> What about calling Nt*-prefixed routines directly? Do they use the SSDT too, or
> not?
> Can this way make the SSDT useless?
>

Thanks for your help!

> Date: Fri, 20 Jul 2007 09:17:57 +0100
> From: xxxxx@gmail.com
> To: xxxxx@lists.osr.com
> Subject: Re: [ntdev] About Nt* and Zw* prefixes in ring0.
>
> Trying again, your questions are answered in this article.
> http://www.osronline.com/article.cfm?article=257

That article is very informative. I’m not doing anything with Nt or Zw
functions but I’ve often wondered about these things. Thanks for pointing
it out.

“Cathal Mullaney” wrote in message
news:xxxxx@ntdev…
> Trying again, your questions are answered in this article.
>
> http://www.osronline.com/article.cfm?article=257
>

> That article is very informative.

Actually, this article (written in 2003) is far from being the first available source of info on the subject - the difference between Ntxxx and Zwxxx functions for kernel code, and the lack of any difference for user-mode code, had been explained by Gary Nebbett in "Native API Reference" back in the year 2000. Furthermore, IIRC, much earlier than that, in one of the Sysinternals publications, Mark Russinovich gave a detailed explanation of how system calls work on NT-based systems. Ironically, in the same publication he also presented the concept of SSDT hooking, i.e. the technique that was later used by the infamous "Sony rootkit" that Mark had exposed to the world.

This is an example of how advanced info that you present with good intentions may be subsequently used for not-so-noble purposes. The only reason why I speak about this is because literally half an hour ago I received a message from some malware writer who asked me for help with hooking ZwTerminateProcess() - he wants to make sure his process cannot get terminated via either Task Manager or Process Explorer…

Anton Bassov
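As an added illustration, not part of this thread and not Windows source, here is a user-mode C model of the mechanism the original question asks about and that the ZwTerminateProcess hook Anton mentions relies on. The one-entry table, the stub and routine names with a "_model" suffix, the hook, the detector and the shielded PID 4242 are all constructed for the example. In the kernel, a Zw* export is a small stub that enters the system service dispatcher, which indexes the service table to reach the matching Nt* routine; the Nt* export is that routine itself. The model shows why an entry swapped in the table catches every call that goes through the stub, why kernel code that calls the Nt* routine directly never touches the table, and how a detector that compares each entry against the routine it should point at spots the hook.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed user-mode model of system-service dispatch, not Windows code.
 * One table entry stands in for the SSDT; all names here are hypothetical. */

typedef int32_t NTSTATUS_T;
#define STATUS_SUCCESS       ((NTSTATUS_T)0x00000000)
#define STATUS_ACCESS_DENIED ((NTSTATUS_T)0xC0000022)

typedef NTSTATUS_T (*service_fn)(uint32_t pid);

/* Counts how often the real routine ran, so a bypass is observable. */
static int g_terminations = 0;

/* Stand-in for the Nt* service routine: the thing the table entry points at. */
static NTSTATUS_T NtTerminateProcess_model(uint32_t pid)
{
    (void)pid;
    g_terminations++;
    return STATUS_SUCCESS;
}

/* The service table (one entry here; the real SSDT has hundreds). */
#define SVC_TERMINATE_PROCESS 0
static service_fn g_service_table[] = { NtTerminateProcess_model };

/* Stand-in for the system service dispatcher: index the table and call. */
static NTSTATUS_T dispatch(uint32_t index, uint32_t pid)
{
    return g_service_table[index](pid);
}

/* Stand-in for the Zw* stub: loads the service index and enters the
 * dispatcher. User-mode system calls and kernel code calling Zw* come here. */
static NTSTATUS_T ZwTerminateProcess_model(uint32_t pid)
{
    return dispatch(SVC_TERMINATE_PROCESS, pid);
}

/* --- What an SSDT hook does: swap the table entry, keep the original. --- */
static service_fn g_saved_entry  = NULL;
static uint32_t   g_shielded_pid = 4242;   /* hypothetical protected process */

static NTSTATUS_T hooked_terminate(uint32_t pid)
{
    if (pid == g_shielded_pid)
        return STATUS_ACCESS_DENIED;       /* refuse; the routine never runs */
    return g_saved_entry(pid);             /* pass everything else through */
}

static void install_hook(void)
{
    g_saved_entry = g_service_table[SVC_TERMINATE_PROCESS];
    g_service_table[SVC_TERMINATE_PROCESS] = hooked_terminate;
}

static void remove_hook(void)
{
    if (g_saved_entry) {
        g_service_table[SVC_TERMINATE_PROCESS] = g_saved_entry;
        g_saved_entry = NULL;
    }
}

/* --- What a detector does: compare each entry with its expected routine. --- */
static int table_is_clean(void)
{
    return g_service_table[SVC_TERMINATE_PROCESS] == NtTerminateProcess_model;
}

int main(void)
{
    install_hook();
    NTSTATUS_T via_stub = ZwTerminateProcess_model(g_shielded_pid);
    int after_stub = g_terminations;              /* still 0: hook blocked it */
    NTSTATUS_T via_direct = NtTerminateProcess_model(g_shielded_pid);
    int after_direct = g_terminations;            /* 1: table was bypassed */
    printf("via Zw stub  : 0x%08X (terminations=%d)\n", (unsigned)via_stub, after_stub);
    printf("via Nt direct: 0x%08X (terminations=%d)\n", (unsigned)via_direct, after_direct);
    printf("table clean  : %s\n", table_is_clean() ? "yes" : "no");
    remove_hook();
    printf("table clean  : %s\n", table_is_clean() ? "yes" : "no");
    return 0;
}
```

Task Manager and Process Explorer call NtTerminateProcess through ntdll, which always enters through the stub, so a hooked entry does shield the process from them, which is what the malware author wanted. Only kernel-mode code that calls the Nt* routine directly, as the question asks, bypasses the table; note that such a caller also loses the other effect of the Zw* entry, which sets the thread's previous mode to kernel mode before the routine runs, so a direct Nt* call from a user thread's context leaves handles and buffers treated as user-mode ones. On current x64 Windows the service table is additionally covered by Kernel Patch Protection, so writing to it as this model does is not a usable technique there.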