Nouk
Rank: Intermediate driver developer
Views: 971 Replies: 1

Dynamic Call - Native Function

Original post #
Posted on: 2002-08-13 09:45
I traced the userdump in the NTDDK.
It uses RtlImageNtHeader to search the NTOSKRNL space to find its export functions.
Does anyone know another way?
^_^
Taiwan's Driver Developer
lyabcd
Rank: Driver guru
Reply #1
Posted on: 2002-08-13 10:11
NT Kernel level hooking
There are several methods for achieving hooking of NT system services in kernel mode. The most popular interception mechanism was originally demonstrated by Mark Russinovich and Bryce Cogswell in their article [3] "Windows NT System-Call Hooking". Their basic idea is to inject an interception mechanism for monitoring NT system calls just below the user mode. This technique is very powerful and provides an extremely flexible method for hooking the point that all user-mode threads pass through before they are serviced by the OS kernel.
You can find an excellent design and implementation in "Undocumented Windows 2000 Secrets" as well. In his great book Sven Schreiber explains how to build a kernel-level hooking framework from scratch [5].

Another comprehensive analysis and brilliant implementation has been provided by Prasad Dabak in his book "Undocumented Windows NT" [17].

However, all these hooking strategies remain out of the scope of this article.
Quoted from:

http://www.codeproject.com/system/HookSys.asp
datongguandian@sina.com