Comments on: Yet another look at Zw* and Nt* functions https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Thu, 07 May 2026 06:50:04 +0000 http://wordpress.org/?v=2.3.3 By: Software Generalist » Blog Archive » Reading Notebook: 12-August-09 https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-88408 Software Generalist » Blog Archive » Reading Notebook: 12-August-09 Wed, 12 Aug 2009 17:08:30 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-88408 [...] Zw… as fake interrupts (p. 129) - here is another view (remember that there are ntdll!Nt… and nt!Nt… functions): http://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/ [...] […] Zw… as fake interrupts (p. 129) - here is another view (remember that there are ntdll!Nt… and nt!Nt… functions): http://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/ […]

]]> By: Software Generalist » Blog Archive » Reading Notebook: 28-July-09 https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-86335 Software Generalist » Blog Archive » Reading Notebook: 28-July-09 Tue, 28 Jul 2009 17:47:27 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-86335 [...] Zw (no parameter validation) vs. Nt (p. 73) - here is another look at their difference: http://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/ [...] […] Zw (no parameter validation) vs. Nt (p. 73) - here is another look at their difference: http://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/ […]

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-2523 Dmitry Vostokov Thu, 21 Jun 2007 23:16:37 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-2523 Thanks! Do you have any plans to write a second edition of your book and update it for x64 and Vista? :-) That would be great! Dmitry Thanks! Do you have any plans to write a second edition of your book and update it for x64 and Vista? :-) That would be great!
Dmitry

]]> By: Ric Vieler https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-2521 Ric Vieler Thu, 21 Jun 2007 22:55:32 +0000 https://www.dumpanalysis.org/blog/index.php/2007/04/10/yet-another-look-at-zw-and-nt-functions/#comment-2521 Dmitry: Great analysis of HOOK_INDEX! I just wanted to let you know that this type of kernel hooking is now detectable by most anti-rootkit software. Newer rootkits should follow the call table to the actual kernel function and replace the first few instructions with a jump to a trampoline function that can call hooks before and after the original function. As an additional benifit, trampoline kernel hooking works with the Microsoft Vista operating system. Ric Vieler :-) Dmitry:

Great analysis of HOOK_INDEX!
I just wanted to let you know that this type of kernel hooking is now detectable by most anti-rootkit software. Newer rootkits should follow the call table to the actual kernel function and replace the first few instructions with a jump to a trampoline function that can call hooks before and after the original function. As an additional benifit, trampoline kernel hooking works with the Microsoft Vista operating system.

Ric Vieler :-)

]]>