Re: Why i want to Hook GDI Sys call

Hi Hiten,
Thanks for the reply. The reason for hooking the GDI system call is that I want a third party’s GUI to be hidden (the GUI of the application). But by hooking the API calls (like SetShowWindow), the application will come to know that its GUI is hidden, so the alternative left to me is to hook the GDI sys call or a DDI hook. So by hooking the GDI sys call the application will think that its GUI is displayed but actually the GUI will not be displayed.

Regards,
Thomas

Hi Thomas

Though I am not an expert on GDI, I could not help wondering what could
be the reason you would want to intercept graphics calls at the GDI level
and attempt to travel the undocumented path. Because as far as I have
experienced in the past 7 years, there is almost always a simpler,
documented solution to the problem.

If you would want, I can try to help you locate a possible alternative.
But if you are convinced that there is absolutely no other alternative…
well, in that case all the best.
(You already have access to the best resources available on the topic
for hooking GDI!!!)

Hiten


Sify Mail - now with Anti-virus protection powered by Trend Micro, USA.
Know more at http://mail.sify.com

Sify Power mail- a Premium Service from Sify Mail!
know more at http://mail.sify.com

Use a global Windows message hook instead. You can do an infinite number
of things with a global message hook, and it’s documented to boot.
SetWindowsHookEx.

I’d rather give myself a root canal with a rusty cork opener than put
any type of win32k.sys service dispatch table(s) hooking in a commercial
product. This is far worse even than hooking NTOSKRNL calls since, #1,
you can’t pull the service entry index from the first few bytes of the
corresponding Zw… function, since there AIN’T none, and #2, you have
to update the shadow service table as well, which is not exported.

- Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of thomas mathew
Sent: Thursday, May 22, 2003 6:37 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Hi Hiten,
Thanks for the reply. The reason for hooking the GDI system call
is that I want a third party’s GUI to be hidden (the GUI of the
application). But by hooking the API calls (like
SetShowWindow) the application will come to know that its GUI
is hidden, so the alternative left to me is to hook the GDI sys
call or a DDI hook. So by hooking the GDI sys call the application
will think that its GUI is displayed but actually the GUI
will not be displayed.

Regards,
Thomas

> Hi Thomas
>
> Though I am not an expert on GDI, I could not help wondering what
> could be the reason you would want to intercept graphics calls at the
> GDI level and attempt to travel the undocumented path. Because as far
> as I have experienced in the past 7 years, there is almost always a
> simpler, documented solution to the problem.
>
> If you would want, I can try to help you locate a possible
> alternative. But if you are convinced that there is absolutely no
> other alternative… well, in that case all the best.
> (You already have access to the best resources available on the topic
> for hooking GDI!!!)
>
> Hiten
>
>




You are currently subscribed to ntdev as: xxxxx@nryan.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Yes, this is risky terrain. Under NT 4.0 it is there with the
KeServiceDescriptorTable; under 2k ntoskrnl.exe exports this (so in the
driver an extern … would link and grab). Under XP (I forgot) it seems
like it is at a negative offset from KeServiceDescriptorTable.

But the main problem under XP is that win32k.sys seems to get paged out
totally, so there might be a potential problem, unless a window instance
is present with the system thread (assuming the DriverEntry() is trying
to hook).

But it is doable, and unfortunately a lot of antivirus etc. are based on
this technique.

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Nick Ryan
Sent: Thursday, May 22, 2003 12:43 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Use a global Windows message hook instead. You can do an infinite number
of things with a global message hook, and it’s documented to boot.
SetWindowsHookEx.

I’d rather give myself a root canal with a rusty cork opener than put
any type of win32k.sys service dispatch table(s) hooking in a commercial
product. This is far worse even than hooking NTOSKRNL calls since, #1,
you can’t pull the service entry index from the first few bytes of the
corresponding Zw… function, since there AIN’T none, and #2, you have
to update the shadow service table as well, which is not exported.

- Nick Ryan


Why in the world would an AV product need to hook into win32k.sys? There
is no chance that such a company’s product would pass WHQL for AVSF, I
hope.

- Nick Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Prokash Sinha
Sent: Thursday, May 22, 2003 1:07 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Yes, this is risky terrain. Under NT 4.0 it is there with the
KeServiceDescriptorTable; under 2k ntoskrnl.exe exports this (so in
the driver an extern … would link and grab). Under XP (I forgot) it
seems like it is at a negative offset from KeServiceDescriptorTable.

But the main problem under XP is that win32k.sys seems to get paged
out totally, so there might be a potential problem, unless a window
instance is present with the system thread (assuming the DriverEntry()
is trying to hook).

But it is doable, and unfortunately a lot of antivirus etc. are based
on this technique.

-prokash


In AV and FW there are often processes (with or without windows) that act
as the Master Protector, and if I have to bring the system to its knees,
the first line of offence would be to bring the protector down… Yes,
there are a lot of protection(s) that can be done once the Windows login
and Windows service control(s) are well understood, but a lot of the
things are being done (as if we are running with one shoe of the pair,
and the other is left out somewhere).

For whatever reason(s), if someone wants to protect a Windows app from
DLLs being attached, msg(s) being sent to kill, etc. etc., that is really
a direct solution …

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Nick Ryan
Sent: Thursday, May 22, 2003 2:12 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Why in the world would an AV product need to hook into win32k.sys? There
is no chance that such a company’s product would pass WHQL for AVSF, I
hope.

- Nick Ryan


Create a hidden window station.

Yes, that might be an idea for not running with only one shoe on and the
other of the pair left out somewhere …

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of benson
Sent: Thursday, May 22, 2003 4:36 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Create a hidden window station.



> For whatever reason(s), if someone wants to protect a Windows app from
> DLLs being attached, msg(s) being sent to kill,

Hygiene is the best way of AIDS prevention in both personal life and
computing :)

For me personally, having a “Master Protector” which hooks the GDI
syscalls running on my machine is nearly as bad as having a virus :-),
provided the virus is not very destructive.

In fact, I consider any online AV products evil. Why not do the good
old virus scan procedure using the offline tool, maybe even command
line?

Max

Max,

I totally agree with you, hygiene…

But the fact is that those who are dealing with this are in an undefined
state.

For SARS, if some authority comes, persuades, and eventually sells
distilled water (intravenous), scared and paranoid people would take that
right away. They would think they have the prevention… Here for viruses,
people try to protect their systems by any means…

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Friday, May 23, 2003 12:20 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

> For whatever reason(s), if someone wants to protect a Windows app from
> DLLs being attached, msg(s) being sent to kill,

Hygiene is the best way of AIDS prevention in both personal life and
computing :)

For me personally, having a “Master Protector” which hooks the GDI
syscalls running on my machine is nearly as bad as having a virus :-),
provided the virus is not very destructive.

In fact, I consider any online AV products evil. Why not do the good
old virus scan procedure using the offline tool, maybe even command
line?

Max



I’m catching this thread on the fly, so I may be spewing nonsense - but how
about writing a good old display driver that voids the required interfaces?
No need to hook the GDI. When I did display stuff for a living we used to
have such drivers to generate what we called a ‘null driver’, which blanks
out all 2D displaying functions. We then ran Winbench and other benchmarks
on the null driver, and that told us the absolute maximum throughput that
our video subsystem would handle, and that was a nice upper limit for our
optimization. The hard part of a display driver is to actually do the calls,
so just returning an OK status shouldn’t be that unfeasible.

Alberto.

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@vormetric.com]
Sent: Friday, May 23, 2003 12:59 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Max,

I totally agree with you, hygiene…

But the fact is that those who are dealing with this are in an undefined
state.

For SARS, if some authority comes, persuades, and eventually sells
distilled water (intravenous), scared and paranoid people would take that
right away. They would think they have the prevention… Here for viruses,
people try to protect their systems by any means…

-prokash


The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.

Alberto:

You are not totally off-beat. But, just to get you on the page, there are
engineers trying to get help (I suppose) on hooking GDI and/or native
service calls. As some of us know, how the dispatch table changes, how some
of them are not exported from kernel modules (libs etc.), and how the
syscall dispatching got changed between versions (int 2e vs syscalls).
With all the changes, and sometimes maybe a lack of full research on other
ways to do it, we often land on the (love and hate) full of undocumented
stuff.

And always question(s) and opinion(s) come about how to solve it…

So this thread started; I am glad some of you
‘big guns’ are shedding light. I just happened to be in that area for a
while, so I am trying to help those guys to shoot the problem(s) or shoot
their feet (by themselves).

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Moreira, Alberto
Sent: Friday, May 23, 2003 10:14 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

I’m catching this thread on the fly, so I may be spewing nonsense - but how
about writing a good old display driver that voids the required interfaces?
No need to hook the GDI. When I did display stuff for a living we used to
have such drivers to generate what we called a ‘null driver’, which blanks
out all 2D displaying functions. We then ran Winbench and other benchmarks
on the null driver, and that told us the absolute maximum throughput that
our video subsystem would handle, and that was a nice upper limit for our
optimization. The hard part of a display driver is to actually do the calls,
so just returning an OK status shouldn’t be that unfeasible.

Alberto.


Hello,
Thanks to all for their replies and special thanks to prokash. prokash, for whatever method you have specified to hook the GDI sys call, it requires the signature of the function, but I still only have the address and number of parameters. So how should I proceed? Also I know that all GDI sys calls call interrupt INT 2E for their respective calls, so if I hook INT 2E can the work be done? But there the problem is how do I come to know which application or which system is making GDI sys calls.

Thomas

Thomas,
You really do not want to take this route. I believe before you
start looking into hooking int 2E or hooking the GDI/USER descriptor table,
you should do some research into injecting DLLs into another
process’s address space and hooking import address tables. Once you are
convinced that none of these solve your problem, as a last resort think
of what prokash is suggesting. If I were you, with the kind of questions
you are asking, I would be far from hooking service descriptor tables.

Hope this helps,
Srin.

-----Original Message-----
From: thomas mathew [mailto:xxxxx@sify.com]
Sent: Sunday, May 25, 2003 9:24 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Hello,
Thanks to all for their replies and special thanks to prokash.
prokash, for whatever method you have specified to hook the GDI sys call,
it requires the signature of the function, but I still only have the
address and number of parameters. So how should I proceed? Also I know
that all GDI sys calls call interrupt INT 2E for their respective calls,
so if I hook INT 2E can the work be done? But there the problem is how do
I come to know which application or which system is making GDI sys calls.

Thomas

Thomas,

As Srin said, this should not be encouraged without researching other
paths. If you are set out to tackle this, I would also recommend looking
for other means…, and quite frankly, you should be given enough time to
tackle this, so I assume you’re not in panic mode.

But if you really want to hook, then the books we told you about and the
example I told you about should give you enough to tackle this …

Anyway, hooking int 2e is a bad idea, as Max already mentioned; for XP it
is different, you can find all this info on the Intel site… Also there
are other things I mentioned in an earlier note that have to be taken
care of.

If you run out of all your possibilities, post your request with a big
YELL AT US, THEN WE WILL SHOW YOU THE NASTY WAY TO TACKLE THIS PROBLEM.

-prokash

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@NAI.com
Sent: Saturday, May 31, 2003 8:30 PM
To: NT Developers Interest List
Subject: [ntdev] Re: Why i want to Hook GDI Sys call

Thomas,
You really do not want to take this route. I believe before you
start looking into hooking int 2E or hooking the GDI/USER descriptor table,
you should do some research into injecting DLLs into another
process’s address space and hooking import address tables. Once you are
convinced that none of these solve your problem, as a last resort think
of what prokash is suggesting. If I were you, with the kind of questions
you are asking, I would be far from hooking service descriptor tables.

Hope this helps,
Srin.
