OSR Online Lists > ntdev
  Message 1 of 5  
24 Aug 01 07:05
ntdev member 6303
xxxxxx@DAVID-GmbH.de
Join Date:
Posts To This List: 13
System-call numbers needed

Hi all,

I am trying to write an interceptor for CreateProcessXXX calls. After checking several system call interception techniques, the one that would fit my needs best is changing the ntoskrnl (win32K?) service table entry. Of course, now I need to know the system-call numbers for the CreateProcess family of functions for both WinNT 4.0 and Win2K. Does anyone know where to get these?

Thanx,
Holger

---
You are currently subscribed to ntdev as: $subst('Recip.EmailAddr')
To unsubscribe send a blank email to leave-ntdev-$subst('Recip.MemberIDChar')@lists.osr.com
  Message 2 of 5  
27 Aug 01 01:57
ntdev member 6051
xxxxxx@yahoo.com
Join Date: 25 Jul 2001
Posts To This List: 32
Re: System-call numbers needed

Hi,

You can get the system call nos. for the required functions by inspecting the disassembly of ntdll.dll. You can use dumpbin.exe for this purpose. First get the address of the system call you wish to hook by inspecting the exported system calls list (use the "dumpbin ntdll.dll /exports" command). Once you get the address, get the disassembly of ntdll.dll by using the "dumpbin ntdll.dll /disasm" command. Then go to the address of the sys. call in the assembly code by adding the base address of ntdll.dll to the offset address of the syscall. There you will see the code of the system call. The number that is moved into the EAX register is what you need.

Regards.
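The reply above describes reading the service index out of the ntdll.dll stub by hand. As an added example (not code from the thread or from OSR), the Python below decodes the x86 stub shape that NT 4.0 / Windows 2000 ntdll used (mov eax, N; lea edx, [esp+4]; int 2Eh; ret n) and extracts N plus the parameter count from the ret immediate, which is useful for auditing a service table against the stubs ntdll actually carries. The stub bytes are constructed samples, with the 0x29 value chosen to match the figure reported later in the thread, not bytes dumped from any real ntdll.

```python
"""Decode NT4/Win2K-style ntdll system-call stubs and recover the service index."""
import struct

# Constructed sample stubs (not dumped from a real ntdll.dll). Each follows
# the x86 shape ntdll exported on NT4/Win2K:
#   B8 xx xx xx xx   mov eax, imm32      ; service-table index
#   8D 54 24 04      lea edx, [esp+4]    ; pointer to the argument block
#   CD 2E            int 2Eh             ; trap into the kernel
#   C2 xx xx         ret imm16           ; stdcall cleanup = 4 * parameter count
SAMPLE_STUBS = {
    # index 0x29 as reported in the thread; 0x20 bytes of arguments = 8 parameters
    "NtCreateProcess": bytes.fromhex("B829000000" "8D542404" "CD2E" "C22000"),
    # hypothetical one-parameter service, index 10
    "NtExampleB": bytes.fromhex("B80A000000" "8D542404" "CD2E" "C20400"),
    # push ebp / mov ebp, esp: an ordinary prologue, not a syscall stub
    "NotAStub": bytes.fromhex("55" "8BEC"),
}

STUB_LEN = 14  # 5 + 4 + 2 + 3 bytes


def decode_stub(code: bytes):
    """Return (service_index, arg_bytes) if `code` starts with the int 2Eh stub,
    otherwise None. arg_bytes is the stdcall cleanup size from the ret imm16."""
    if len(code) < STUB_LEN:
        return None
    if code[0] != 0xB8:                      # mov eax, imm32
        return None
    index = struct.unpack_from("<I", code, 1)[0]
    if code[5:9] != b"\x8D\x54\x24\x04":     # lea edx, [esp+4]
        return None
    if code[9:11] != b"\xCD\x2E":            # int 2Eh
        return None
    if code[11] != 0xC2:                     # ret imm16
        return None
    arg_bytes = struct.unpack_from("<H", code, 12)[0]
    return index, arg_bytes


def build_syscall_table(stubs):
    """Map export name -> (service index, parameter count) for every export
    whose code decodes as a stub; non-stub exports are skipped."""
    table = {}
    for name, code in stubs.items():
        decoded = decode_stub(code)
        if decoded is not None:
            index, arg_bytes = decoded
            table[name] = (index, arg_bytes // 4)
    return table


if __name__ == "__main__":
    for name, (index, nargs) in sorted(build_syscall_table(SAMPLE_STUBS).items()):
        print(f"{name}: index 0x{index:02X}, {nargs} parameters")
```

In practice the input bytes come from the export's RVA in ntdll.dll as the reply describes; the ret immediate is a quick sanity check that the index you read belongs to a function with the parameter count you expect.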
  Message 3 of 5  
27 Aug 01 02:45
ntdev member 6303
xxxxxx@DAVID-GmbH.de
Join Date:
Posts To This List: 13
Re: System-call numbers needed

Whew! Did you ever consider a career as a textbook writer? Thanx a lot.

Holger

>-----Original Message-----
>From: xxxxx@yahoo.com [mailto:xxxxx@yahoo.com]
>Sent: Monday, 27 August 2001 03:54
>To: NT Developers Interest List
>Subject: [ntdev] Re: System-call numbers needed
>
>
>Hi,
>
<...excess quoted lines suppressed...>
  Message 4 of 5  
28 Aug 01 22:51
ntdev member 5603
xxxxxx@greenborder.com
Join Date:
Posts To This List: 19
RE: System-call numbers needed

You can see the contents of a _ZwXXXX function exported from ntdll.dll to get the correct index into the ntoskrnl service table. In this case it is _ZwCreateProcess. The index is moved into eax while edx has the pointer to the call data. For _NtCreateProcess the index is 0x29.

Regards
- asit

-----Original Message-----
From: Holger Thiele [mailto:xxxxx@DAVID-GmbH.de]
Sent: Friday, August 24, 2001 4:17 AM
To: NT Developers Interest List
Subject: [ntdev] System-call numbers needed

Hi all,

I am trying to write an interceptor for CreateProcessXXX calls. After checking several system call interception techniques, the one that would fit my needs best is changing the ntoskrnl (win32K?) service table entry. Of course, now I need to know the system-call numbers for the CreateProcess family of functions for both WinNT 4.0 and Win2K. Does anyone know where to get these?

Thanx,
Holger
  Message 5 of 5  
28 Aug 01 22:58
ntdev member 5603
xxxxxx@greenborder.com
Join Date:
Posts To This List: 19
Re: System-call numbers needed

Oh, I forgot to mention that the index value I reported is from a free build of Windows 2000 Professional.

Regards
- asit

-----Original Message-----
From: Asit Kharshikar
Sent: Tuesday, August 28, 2001 7:48 PM
To: 'NT Developers Interest List'
Subject: RE: [ntdev] System-call numbers needed

You can see the contents of a _ZwXXXX function exported from ntdll.dll to get the correct index into the ntoskrnl service table. In this case it is _ZwCreateProcess. The index is moved into eax while edx has the pointer to the call data. For _NtCreateProcess the index is 0x29.

Regards
- asit