Hooking Native API (was: How to access KeServiceDescriptorTable)

Hello Gary,

My apologies for the arrogance in my previous letter. I think that hooking
Native API functions is a very powerful and useful thing which can be used
to solve many problems in many different projects. Now I have several
projects and all of them can be solved by hooking Nt*() functions.
Of course I know that it is not the best solution but, please understand
me, I just want to learn more about hooking technology.

So my question is what is the most reliable way to hook Nt*() functions?

  1. Patching the system services table (KeServiceDescriptorTable)
  2. Patching the export table of ntoskrnl.exe
  3. Other

I know about these methods in general and don’t have an implementation.
I sincerely hope you will be able to help me with advice in this
matter.

Thanking you beforehand for your answer.

Respectfully yours, Felix.

GGL> Felix, really, whether they are or they aren’t or do or they don’t … it
GGL> really is no business of yours or your customers UNLESS … you develop code
GGL> that is dependent upon the current implementation. Once you start playing
GGL> outside the box, things tend to break across platforms and across releases
GGL> and across service packs. Unfortunately the purveyor of the OS and not the
GGL> wizard of the widget is the one that receives the accolades for breaking
GGL> things.

GGL> Not to mention the fact that most, if not all, software gurus tend to be a
GGL> bit arrogant (VERY easily read in your query), and think we can do it
GGL> better. Sometimes we can’t … but we never ever let on like we can’t. And
GGL> you still didn’t answer Nar’s question. What is it that you NEED, not want,
GGL> to do that you think you need to exit the sandbox?

GGL> –
GGL> Gary G. Little
GGL> Have Computer, Will Travel …
GGL> 909-698-3191
GGL> 909-551-2105

GGL> “Felix K” wrote in message news:xxxxx@ntdev…
>>
>> Hello Nar,
>>
>> NGM> Hooking the system services table is a very bad idea. You will
>> NGM> probably end up with more problems later. If you tell us what you
>> NGM> want to debug we can suggest a better method.
>>
>> NGM> –
>> NGM> Nar Ganapathy
>> NGM> Windows Core OS group
>>
>> Why is it a VERY bad idea? Does Microsoft plan to heavily change the
>> system services table in the next version of Windows?
>>
>> Which alternative method of hooking native API could you recommend?
>> What do you think about patching the export table of ntoskrnl.exe to
>> hook Nt*() functions?
>>
>> Thanks much.
>> —
>> Respectfully yours, Felix.

Dear Felix,

There’s a very useful book, “Undocumented Windows 2000 Secrets” by Sven
Schreiber, in which the Native API hooking technique is described in
detail, so I strongly suggest you take a look at it. The book comes with a
CD containing all sample sources and binaries, including a utility which
monitors Native API calls by hooking them through the Service Descriptor
Table (with a detailed description of this method in the book).
If you are from Russia (judging by your e-mail), this book has also been
translated into Russian, and that is the edition I bought. But the
translation is very inaccurate, so the Russian edition contains many errors
in the text and diagrams. Nevertheless, the book is worth the reader’s
attention.

----- Original Message -----
From: “Felix K”
To: “NT Developers Interest List”
Sent: Monday, November 25, 2002 1:22 PM
Subject: [ntdev] Hooking Native API (was: How to access
KeServiceDescriptorTable)


From: “Felix K”
>
> My apologies for arrogance in previous letter. I think that the hooking
> Native API functions is very powerful and useful thing which can be used
> to solve many problems in many different projects. Now I have several
> projects and all of them can be solved by hooking Nt*() functions.
> Of course I know that it is not the best solution but, please understand
> me, I just want to learn more about hooking technology.
>
> So my question is what is the most reliable way to hook Nt*() functions?
> 1. Patching the system services table (KeServiceDescriptorTable)
> 2. Patching the export table of ntoskrnl.exe
> 3. Other
>
> I know about these methods in general and don’t have implementation.
> I sincerely hope you will be able to help me with advice in this
> matter.
>
I have done this for a customer, but there are a lot of problems and caveats
I made sure the customer understood. The problem lies in:

1. The call mechanism has changed from INT 2E to SYSENTER depending on the
processor.

2. The numbers of the calls change, since the table is in alphabetical
order, so adding a new call displaces most numbers.

3. The Nt/Zw functions are largely undocumented. Yes, Gary Nebbett’s book
gives most of them, but there have been changes in existing calls and new
calls.

4. Some of the calls have stack dependencies, i.e. if you insert a wrapper
routine around the call a la RegMon the system will crash.

Given all this you need to seriously look at why you are doing something
like this.

Don Burn
Egenera, Inc
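An added example, not code from this thread or from any of its participants: a user-mode C model of two of the caveats above, using constructed table contents and made-up addresses (the real KeServiceDescriptorTable layout is different). It checks whether every service entry still points into the assumed kernel image range, which is the usual way a patched table is noticed, and resolves a service by name so that the index shift caused by a newly added call is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, user-mode model of a system service table: dispatch targets in
 * Nt* name order. The real KeServiceDescriptorTable has a different layout;
 * names are carried here only for lookup and reporting. */
typedef struct { const char *name; uintptr_t target; } svc_entry;
/* Constructed address range standing in for the loaded ntoskrnl image. */
typedef struct { uintptr_t base; uintptr_t size; } image_range;

/* An entry whose target lies outside the kernel image has been redirected
 * into another module: the usual sign that the table has been patched. */
static int entry_is_foreign(const svc_entry *e, const image_range *k)
{
    return !(e->target >= k->base && e->target < k->base + k->size);
}

/* Integrity check: how many entries no longer point into the kernel image. */
static size_t count_foreign(const svc_entry *tab, size_t n, const image_range *k)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += (size_t)entry_is_foreign(&tab[i], k);
    return hits;
}

/* Resolve a service by name, not by number: the table is sorted by name, so a
 * call added in a later release shifts the index of every call after it. */
static int service_index(const svc_entry *tab, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i].name, name) == 0) return (int)i;
    return -1;
}
/* Constructed sample data; every address below is made up. */
static const image_range kernel = { 0x80400000u, 0x00200000u };
static const svc_entry table_v1[] = {      /* one release of the table */
    { "NtClose",     0x80401000u },
    { "NtOpenFile",  0xF9A12000u },         /* patched: points into a driver */
    { "NtReadFile",  0x80403000u },
};
static const svc_entry table_v2[] = {      /* next release adds NtDeleteKey */
    { "NtClose",     0x80401000u },
    { "NtDeleteKey", 0x80401800u },
    { "NtOpenFile",  0x80402000u },
    { "NtReadFile",  0x80403000u },
};
#define N_V1 (sizeof table_v1 / sizeof table_v1[0])
#define N_V2 (sizeof table_v2 / sizeof table_v2[0])
```

In table_v1 the integrity check flags NtOpenFile; in table_v2 nothing is flagged, but NtOpenFile has moved from index 1 to index 2, which is exactly what breaks a hook keyed on a hard-coded service number.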