GDI32.dll runs in user mode, and it gives you the API wrappers to go down to the kernel. Look at some driver books (that we mentioned earlier) for the flow of calls; there is a difference between Native services and GDI services...

Then depending on the layer you want to hook (at the user level or at the kernel level).

KeServiceDescriptorTable, which is exported from ntoskrnl.exe, is the one that has the information to grab the shadow descriptor table (this is where you get the vector table for GDI calls).

Also look at some source code (TokenMon, etc.) from the Sysinternals website. You will see how to do this...

prokash
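As an added example (not code from anyone in this thread), the 32-bit service descriptor layout the undocumented-NT books describe, with a decoder for the call ids Thomas posted and the kind of range check a rootkit detector runs to spot a redirected entry; the table contents and the win32k address range are constructed for the demo.

```c
#include <stdint.h>

/* One KeServiceDescriptorTable entry as laid out in the undocumented-NT
 * books the thread refers to (32-bit NT4/Win2k). Entry 0 is ntoskrnl's
 * native table; entry 1 is the win32k.sys "shadow" table for GDI/USER. */
typedef struct {
    uint32_t *ServiceTableBase;        /* dispatch routine addresses */
    uint32_t *ServiceCounterTableBase; /* per-service counters (checked builds) */
    uint32_t  NumberOfServices;
    uint8_t  *ParamTableBase;          /* argument bytes to copy per service */
} SERVICE_DESCRIPTOR_ENTRY;

/* Bits 12-13 of a system call id select the table, the low 12 bits index
 * it: 0x107e (NtGdiEndPage) and 0x10f6 (NtGdiSaveDC) from the thread both
 * resolve to table 1, indices 0x7e and 0xf6. */
unsigned table_index(uint32_t callid)   { return (callid >> 12) & 3; }
unsigned service_index(uint32_t callid) { return callid & 0xFFF; }

/* Integrity check a detector can run over a table it has located: count
 * dispatch addresses outside [lo, hi), the image range of the owning module. */
int count_out_of_range(const SERVICE_DESCRIPTOR_ENTRY *d, uint32_t lo, uint32_t hi)
{
    int n = 0;
    for (uint32_t i = 0; i < d->NumberOfServices; i++)
        if (d->ServiceTableBase[i] < lo || d->ServiceTableBase[i] >= hi)
            n++;
    return n;
}

/* Constructed sample: a four-entry shadow table. The addresses and the
 * win32k range are invented for the demo; entry 2 points outside win32k. */
#define WIN32K_LO 0xA0000000u
#define WIN32K_HI 0xA01C0000u
static uint32_t sample_dispatch[4] = { 0xA0012340u, 0xA0018AB0u, 0xF8A01000u, 0xA00C2210u };
static uint8_t  sample_params[4]   = { 4, 8, 4, 12 };   /* 1, 2, 1, 3 DWORD arguments */

SERVICE_DESCRIPTOR_ENTRY sample_shadow_table(void)
{
    SERVICE_DESCRIPTOR_ENTRY d = { sample_dispatch, 0, 4, sample_params };
    return d;
}

/* Runs the check over the sample table; a clean table returns 0. */
int sample_hooked_count(void)
{
    SERVICE_DESCRIPTOR_ENTRY d = sample_shadow_table();
    return count_out_of_range(&d, WIN32K_LO, WIN32K_HI);
}
```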
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of thomas mathew
Sent: Wednesday, May 21, 2003 10:30 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Gdi Sys call Hooking
Hi,
Thanks for the reply prokash. I am doing it for Win2k and WinNT, not for XP. I have doubts regarding the reply. Tell me what information is required for hooking a GDI system call.
The following is the output of the program from Feng's book, which gives the address of the GDI system call; it loaded GDI32.dll and, with the help of the symbol file and the API SymEnumerateSymbols64, it got the following information:
Address : 77F4B145 Callid: 0x107e Nos of paremeter:1 Name : NtGdiEndPage
Address : 77F447C4 Callid: 0x10f6 Nos of paremeter:1 Name : NtGdiSaveDC
The doubts are:
1. I am not able to find the prototype of the function, nor from the DDK headers (checked all *.h).
2. I do not have an example from NT Undoc for syshooking, so if you have one please send it to me.
3. What are the data structs for the Service Descriptor Table and why do I need that?
If you have any doc and code regarding this please send it to me at xxxxx@sify.com. I am trying to hook the GDI system call from the GDI32.dll file.
Regards,
Thomas
I assume you are trying to do it for Win2k (not for XP, am I right on this?). If NT4.0 or Win2k, you have easier stuff to tackle, since I mentioned that the sys call dispatching technique changed, and the win32k.sys file seems to be pageable...
If you use a debugger (windbg, or soft-ice), I would recommend you use an example from NT Undoc for syshooking (this does not depend on the vector #, so version incompatibilities may not be a factor)...
Assuming you want to hook individual APIs in the GDI native support (i.e. to hook GdiGetWindowHandle() or something like that):
How do you find the prototypes???
Look at Gary Nebbett's book or the Graphics Window book you have; finally, if all fails, search the headers of the DDK/IFS kit you have installed.
Understand the data structs for the Service Descriptor Table, that is laid out in those two undoc books; use the debugger to see if that is correct or not. IF I COULD RECALL, THERE IS A SHADOW DESCRIPTOR that you have to make sure to get hold of. This is completely version dependent...
Once you are done with it, you have to use the memory protection disabling (it used to be on ntndis.com).
But if you try to hook the dispatch itself, the so-called main gate of user to kernel service dispatch, under NT and Win2k you have to hook int 2E; on XP it is a different story...
So depending on where you want to put the hooks you might have to play with it a bit...
-prokash
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of thomas mathew
Sent: Tuesday, May 20, 2003 11:51 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Gdi Sys call Hooking
Hello,
I have a problem in hooking a GDI system call. I got the address and number of parameters of the GDI sys call but no information regarding the types of parameters and the return type through the symbol file in GDI32.dll.
Does anybody know about GDI system calls? If so please post a reply. Those all are undocumented, so there is no information in the export table or import table of any dll.
You are currently subscribed to ntdev as: xxxxx@vormetric.com
To unsubscribe send a blank email to xxxxx@lists.osr.com