Vulnerability Development mailing list archives
Shellcode & NT System Calls
From: ma1ler_deamon <ma1ler_deamon () yahoo com>
Date: Mon, 29 Dec 2003 17:10:52 -0800 (PST)
If you were to use the NT system call int 2E interrupt to do things like the file writing etc. as mentioned above, would this bypass things like virus scanners?

[quote http://www.internals.com/articles/apispy/apispy.htm]
If you have ever examined ntdll.dll with QuickView, you might have noticed that it exports a set of functions that begin with the Nt prefix. These functions are actually small stubs of code that pass control to the Windows NT kernel (NTOSKRNL) using interrupt 2E. Many of the functions exported from kernel32.dll are nothing more than control transfer routines to the stubs located in ntdll. For example, when a Windows application issues a call to CreateFile located in kernel32.dll, the call is redirected to NtCreateFile, which passes it on to NT's kernel for further processing. The special design of this mechanism allows a device driver to hook these interfaces, thus providing a way for monitoring activities performed by Windows NT/2000 applications.
[/quote]
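Editor's note, added example (not code from the original post or from the apispy article): the stub layout the quoted text describes can be read straight out of ntdll.dll to recover the service number, which changes between NT builds, and the trap can then be issued without executing any code in ntdll or kernel32. The parser below assumes the NT4 / Windows 2000 x86 stub layout (mov eax, N / lea edx, [esp+4] / int 2Eh / ret N) and returns not-found for anything else, including the Windows XP stub that goes through the SharedUserData sysenter pointer; the Windows-only part resolves NtClose with GetProcAddress and issues the int 2Eh itself using 32-bit MSVC inline asm. The sample stub bytes and the service number 0x12 inside them are constructed for this example, not values taken from any ntdll build. One caveat on the question asked: a raw int 2Eh arrives at the same kernel dispatcher as ntdll's own stub, so it only sidesteps hooks placed in user mode (patched kernel32/ntdll exports); the driver-level hook the quoted article describes sits behind the trap and still sees the call.

```c
/*
 * Added example (not code from the original post or from apispy):
 * recover an Nt* service number from ntdll's stub bytes, then issue int 2Eh
 * directly.  Assumed NT4 / Windows 2000 x86 stub layout:
 *
 *   B8 nn nn nn nn   mov  eax, <service number>
 *   8D 54 24 04      lea  edx, [esp+4]   ; edx -> caller's argument block
 *   CD 2E            int  2Eh            ; trap into NTOSKRNL's service dispatcher
 *   C2 xx xx         ret  <argument bytes>
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_STUB_LEN        14
#define SYSCALL_NOT_FOUND  (-1)

/* Parse a stub.  Returns the service number, or SYSCALL_NOT_FOUND when the
 * bytes do not match the assumed layout (the XP sysenter stub, a stub that
 * has been patched to start with a jmp, or a truncated buffer).  If arg_bytes
 * is non-NULL it receives the operand of the trailing "ret imm16". */
int nt_stub_syscall_number(const uint8_t *stub, size_t len, unsigned *arg_bytes)
{
    static const uint8_t lea_edx_esp4[] = { 0x8D, 0x54, 0x24, 0x04 };
    uint32_t n;

    if (stub == NULL || len < NT_STUB_LEN)      return SYSCALL_NOT_FOUND;
    if (stub[0] != 0xB8)                        return SYSCALL_NOT_FOUND;  /* mov eax, imm32 */
    if (memcmp(stub + 5, lea_edx_esp4, 4) != 0) return SYSCALL_NOT_FOUND;  /* lea edx, [esp+4] */
    if (stub[9] != 0xCD || stub[10] != 0x2E)    return SYSCALL_NOT_FOUND;  /* int 2Eh */
    if (stub[11] != 0xC2)                       return SYSCALL_NOT_FOUND;  /* ret imm16 */

    n = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
        ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    if (n > 0xFFFF)                             return SYSCALL_NOT_FOUND;  /* not a plausible table index */

    if (arg_bytes)
        *arg_bytes = (unsigned)stub[12] | ((unsigned)stub[13] << 8);
    return (int)n;
}

/* Constructed sample stubs; service number 0x12 is made up, not a real index. */
const uint8_t k_nt4_style_stub[] = {
    0xB8, 0x12, 0x00, 0x00, 0x00,   /* mov eax, 12h */
    0x8D, 0x54, 0x24, 0x04,         /* lea edx, [esp+4] */
    0xCD, 0x2E,                     /* int 2Eh */
    0xC2, 0x04, 0x00                /* ret 4 */
};
const uint8_t k_xp_style_stub[] = {
    0xB8, 0x12, 0x00, 0x00, 0x00,   /* mov eax, 12h */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h (SharedUserData sysenter pointer) */
    0xFF, 0x12,                     /* call [edx] */
    0xC2, 0x04, 0x00                /* ret 4 */
};

#if defined(_WIN32) && defined(_M_IX86) && defined(_MSC_VER)
#include <windows.h>

/* Trap straight into the kernel: eax = service number, edx -> argument block.
 * The dispatcher copies the arguments from edx, so they need not sit at [esp+4]. */
static long raw_int2e(unsigned long number, void *args)
{
    long status;
    __asm {
        mov eax, number
        mov edx, args
        int 2Eh
        mov status, eax
    }
    return status;
}

/* NtClose without executing a byte of ntdll: read the number out of the stub,
 * then trap.  Returns the NTSTATUS, or -1 if the stub layout is not the one assumed. */
long direct_nt_close(HANDLE h)
{
    const uint8_t *stub = (const uint8_t *)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtClose");
    int num = nt_stub_syscall_number(stub, NT_STUB_LEN, NULL);
    void *args[1];
    if (num == SYSCALL_NOT_FOUND)
        return -1;                     /* other NT build or patched stub: do not guess the number */
    args[0] = (void *)h;
    return raw_int2e((unsigned long)num, args);
}
#endif

int main(void)
{
    unsigned ret_bytes = 0;
    int num = nt_stub_syscall_number(k_nt4_style_stub, sizeof k_nt4_style_stub, &ret_bytes);
    printf("NT4/2000-style stub: service 0x%X, %u argument bytes\n", num, ret_bytes);
    printf("XP-style stub: %d (layout not recognised, sysenter path needed)\n",
           nt_stub_syscall_number(k_xp_style_stub, sizeof k_xp_style_stub, NULL));
    return 0;
}
```

Reading the number from the stub rather than hardcoding it is the part that matters in practice: the service table is renumbered between NT releases, and a hook that overwrites the start of the stub with a jmp makes the parser fail closed instead of trapping with a wrong index.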