Re: [BULK] - Re:[BULK] - Re:Hooking system services (was NtCreateSection() - relation between parent

WHQL doesn’t say a lot of things, but the bottom line is that you cannot
safely and reliably hook the system call table. And considering that a large
number of the calls in the table are not officially documented, it would be
dangerous if you did figure a way to hook.

Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

----- Original Message -----
From: “Mesdaq, Ali”
To: “Windows System Software Devs Interest List”
Sent: Thursday, January 29, 2004 5:59 PM
Subject: RE: [BULK] - Re:[ntdev] [BULK] - Re:Hooking system services (was
NtCreateSection() - relation between parent and child process)

What exactly is being broken by hooking? I've been going through the MS
documents for WHQL Certification and it's hard to get a CLEAR answer. It
seems to leave a lot of subjectivity open. It doesn’t clearly say that
you cannot hook. It says things like you SHOULDN’T or it's better NOT
to. The wording is vague. Has anyone dealt with MS on this issue before?