System-call numbers needed

Hi all,
I am trying to write an interceptor for CreateProcessXXX calls.
After checking several system call interception techniques, the
one that would fit my needs best is changing the ntoskrnl (win32K?)
service table entry. Of course, now I need to know the system-call numbers
for the CreateProcess-family of functions for both WinNT 4.0 and Win2K.
Does anyone know where to get these?

Thanx,

Holger


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hi,

You can get the system call nos. for the required functions by inspecting
the disassembly of ntdll.dll. You can use dumpbin.exe for this purpose.
First get the address of the system call you wish to hook by inspecting the
exported system calls list. (Use the dumpbin ntdll.dll /exports command.) Once
you get the address, then get the disassembly of ntdll.dll by using the
“dumpbin ntdll.dll /disasm” command. Then go to the address of the sys.
call in the assembly code by adding the base address of ntdll.dll to the
offset address of the syscall. There you will see the code of the system
call. The number that is moved into the EAX register is what you need.

Regards.



Whew!

Did you ever consider a career as a textbook writer?
Thanx a lot.

Holger

-----Original Message-----
From: xxxxx@yahoo.com [mailto:xxxxx@yahoo.com]
Sent: Monday, 27 August 2001 03:54
To: NT Developers Interest List
Subject: [ntdev] Re: System-call numbers needed


You can see the contents of a _ZwXXXX function exported from
ntdll.dll to get the correct index into the ntoskrnl service table. In
this case it is _ZwCreateProcess. The index is moved into eax while edx
has the pointer to call data. For _NTCreateProcess the index is 0x29.

Regards

  • asit

-----Original Message-----
From: Holger Thiele [mailto:xxxxx@DAVID-GmbH.de]
Sent: Friday, August 24, 2001 4:17 AM
To: NT Developers Interest List
Subject: [ntdev] System-call numbers needed


Oh, I forgot to mention that the index value I reported is from a free
build of Windows 2000 Professional.

Regards

  • asit

-----Original Message-----
From: Asit Kharshikar
Sent: Tuesday, August 28, 2001 7:48 PM
To: ‘NT Developers Interest List’
Subject: RE: [ntdev] System-call numbers needed

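Added example, not part of any poster's message: the lookup the replies describe, done directly on file bytes instead of a dumpbin listing. It maps an export RVA to a file offset and reads the immediate of the leading `mov eax, imm32`. The section layout, the stub bytes and all function names are constructed for illustration; only the index 0x29 comes from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One PE section-table row, reduced to the fields used here. */
struct section { uint32_t virt_addr, virt_size, raw_ptr; };

/* Map an export RVA to an offset in the on-disk file; -1 if no section holds it. */
int64_t rva_to_file_offset(const struct section *s, size_t n, uint32_t rva)
{
    for (size_t i = 0; i < n; i++)
        if (rva >= s[i].virt_addr && rva - s[i].virt_addr < s[i].virt_size)
            return (int64_t)(rva - s[i].virt_addr) + s[i].raw_ptr;
    return -1;
}

/* Read the service index from a stub starting with "mov eax, imm32" (B8 id).
 * Returns -1 if the first instruction is anything else, for example a stub
 * that a user-mode hook has overwritten with a jump. */
int64_t stub_service_index(const uint8_t *file, size_t len, int64_t off)
{
    if (off < 0 || (uint64_t)off + 5 > len || file[off] != 0xB8)
        return -1;
    uint32_t imm = file[off + 1] | (uint32_t)file[off + 2] << 8 |
                   (uint32_t)file[off + 3] << 16 | (uint32_t)file[off + 4] << 24;
    return imm;
}

/* Constructed sample, not bytes from a real ntdll.dll: one section, two stubs. */
static const struct section sample_sections[] = { { 0x1000, 0x30, 0x10 } };
static const uint8_t sample_file[0x40] = {
    /* RVA 0x1008: mov eax,29h / lea edx,[esp+4] / int 2Eh / ret 20h */
    [0x18] = 0xB8, 0x29, 0x00, 0x00, 0x00, 0x8D, 0x54, 0x24, 0x04,
             0xCD, 0x2E, 0xC2, 0x20, 0x00,
    /* RVA 0x1018: jmp rel32 where the mov eax should be */
    [0x28] = 0xE9, 0x10, 0x00, 0x00, 0x00,
};

int64_t sample_index(uint32_t rva)
{
    int64_t off = rva_to_file_offset(sample_sections, 1, rva);
    return stub_service_index(sample_file, sizeof sample_file, off);
}

int main(void)
{
    printf("0x1008 -> %lld\n", (long long)sample_index(0x1008));
    printf("0x1018 -> %lld\n", (long long)sample_index(0x1018));
    return 0;
}
```

Against a real ntdll.dll the section rows come from the PE section table and the RVA from the export directory; the index differs between OS versions and builds, so it has to be read from the target system's own file.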