Of native API hooking etc.

Hello,

I just tuned into the KeSystemServiceTable thread as this is something I
accomplished in a past life for the purposes of KM rootkit seek/destroy
(no small amount of hair-pulling involved - really…)

If the purpose of the exploration is to simply watch the calling patterns
of user-mode threads as they make Executive System Function (ESF) calls,
it would be far simpler to hook the NTDLL.DLL exports in user-mode. This
too requires some work but the information is out there.

Regards,

Chris