Getting the syscall caller's stack

Hi,

I am doing a simple SSDT hook on certain APIs. It works fine, and I’m
able to do a lot already, however I’d like to be able to get a pointer
to the caller thread’s stack at the moment of the syscall/sysenter/etc
instruction. I’m pretty sure it is possible since arguments get passed
via a pointer to the arguments which are on stack. Any help is
appreciated.

Thanks.

Since most of us hate hooking, I suspect you will not get a lot of help here.
What are you really trying to accomplish? You can probably do better than
something that will likely cause crashes (the number of times people think
their hooking driver is working well when it isn’t is amazingly high) and
not work on 64-bit.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“chaplja” wrote in message news:xxxxx@ntdev…
> Hi,
>
> I am doing a simple SSDT hook on certain APIs. It works fine, and I’m
> able to do a lot already, however I’d like to be able to get a pointer
> to the caller thread’s stack at the moment of the syscall/sysenter/etc
> instruction. I’m pretty sure it is possible since arguments get passed
> via a pointer to the arguments which are on stack. Any help is
> appreciated.
>
> Thanks.

> I am doing a simple SSDT hook on certain APIs.

Won’t work on x64.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com