Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Hooking the nt api

 
skeet8812
How do I cheat?
Reputation: 0

Joined: 09 May 2005
Posts: 4

Posted: Mon May 09, 2005 3:21 pm    Post subject: Hooking the nt api

I'm writing a kernel driver and trying to hook some of the NT API. I'm mainly trying to hide a program of mine from another process. I took a look at some of your code and noticed NtUserBuildHwndList and a few other NT APIs that you hook. I'm wondering how you figured out what the call numbers for these were in the descriptor table? I read up that the Zw functions just load eax with the call number of the equivalent Nt API function and int 2Eh it to the kernel, so I can figure out what those calls are, but what about NtUserBuildHwndList and the other few Nt functions? How did you find out what each of their call numbers was?
stomperz
Expert Cheater
Reputation: 0

Joined: 18 Jul 2004
Posts: 193
Location: USA Chicago

Posted: Mon May 09, 2005 5:16 pm    Post subject: Re: Hooking the nt api

skeet8812 wrote:
I'm writing a kernel driver and trying to hook some of the NT API. I'm mainly trying to hide a program of mine from another process. I took a look at some of your code and noticed NtUserBuildHwndList and a few other NT APIs that you hook. I'm wondering how you figured out what the call numbers for these were in the descriptor table? I read up that the Zw functions just load eax with the call number of the equivalent Nt API function and int 2Eh it to the kernel, so I can figure out what those calls are, but what about NtUserBuildHwndList and the other few Nt functions? How did you find out what each of their call numbers was?


Does this help?
http://www.fengyuan.com/article/win32ksyscall.html
skeet8812
How do I cheat?
Reputation: 0

Joined: 09 May 2005
Posts: 4

Posted: Mon May 09, 2005 5:40 pm

Yes, if those are correct. I found that page but wasn't sure if it was correct, though. I would also like to know how they were found so I know 100% sure they're right, and maybe I can then write a function for finding the values without disassembling things by hand.
stomperz
Expert Cheater
Reputation: 0

Joined: 18 Jul 2004
Posts: 193
Location: USA Chicago

Posted: Mon May 09, 2005 5:46 pm

skeet8812 wrote:
Yes, if those are correct. I found that page but wasn't sure if it was correct, though. I would also like to know how they were found so I know 100% sure they're right, and maybe I can then write a function for finding the values without disassembling things by hand.


Dark Byte.... Where are you!!
Leonidas
Advanced Cheater
Reputation: 0

Joined: 07 Mar 2005
Posts: 98

Posted: Tue May 10, 2005 12:58 am

I'm Dark Byte, but not at home right now (and since I haven't added this IP to Dark Byte's allowed IP list I can't go on it without getting IP banned).

The method I use to find the call numbers:
I wrote a small program (systemcallsignaler) that calls some Windows APIs that use those internal NtUser APIs.
Before it makes such a call it signals the debugger (systemcallretriever) that it's going to enter such an API and tells it which API it is. The debugger will then start single-stepping until a call to the system is made (e.g. int 2e or that fastcall API); at that point eax will hold the call number, and that's what I store. (Note that the value of eax will need to be decreased by 0x100 to get a valid call number.)
I then verify it's correct by looking at the shadow table parameter list and confirming the number of parameters equals what I need.

The driver searches for the shadow descriptor table by looking for a descriptor table that points to the memory of win32k.sys (usually a0000000).
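The two questions in this thread (what the eax value at int 2e / the fastcall entry means, and how to confirm a published call-number table without disassembling by hand) can both be answered from the bytes of a 32-bit user-mode stub. The decoder below is an added example, not Cheat Engine's code or anything from the thread: it assumes the stub shapes shown in the comments, that bits 12-13 of the service number select the table (1 = win32k shadow table) while the low 12 bits index into it, and that the `ret imm16` gives the argument bytes Dark Byte cross-checks against the shadow table parameter list. The sample stub bytes are constructed for the example and are not dumped from any real ntdll or user32 build.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample stubs for this example; not bytes dumped from any real ntdll/user32.
#   B8 imm32              mov eax, <service number>
#   8D 54 24 04 CD 2E     lea edx,[esp+4] / int 2Eh        (Windows 2000 style)
#   BA 00 03 FE 7F FF 12  mov edx,7FFE0300h / call [edx]   (XP style, SYSENTER via SharedUserData)
#   C2 imm16 | C3         ret <stack bytes of args> / ret
STUB_INT2E = bytes.fromhex("B8 2A 10 00 00 8D 54 24 04 CD 2E C2 14 00")
STUB_FAST = bytes.fromhex("B8 4C 00 00 00 BA 00 03 FE 7F FF 12 C2 0C 00")
INT2E_SEQ = bytes.fromhex("8D 54 24 04 CD 2E")
FAST_SEQ = bytes.fromhex("BA 00 03 FE 7F FF 12")

@dataclass
class SyscallStub:
    service_number: int       # raw value the stub loads into eax
    table_index: int          # bits 12-13: 0 = ntoskrnl SSDT, 1 = win32k shadow table (assumed layout)
    index_in_table: int       # low 12 bits: slot inside the selected table
    mechanism: str            # "int2e" or "sysenter"
    arg_count: Optional[int]  # from ret imm16 (stack bytes / 4); None when no ret follows

def decode_stub(code: bytes) -> Optional[SyscallStub]:
    # Decode one 32-bit user-mode syscall stub; None if the bytes are not a stub.
    if len(code) < 5 or code[0] != 0xB8:  # must start with mov eax, imm32
        return None
    number = struct.unpack_from("<I", code, 1)[0]
    pos = 5
    if code[pos:pos + len(INT2E_SEQ)] == INT2E_SEQ:
        mechanism, pos = "int2e", pos + len(INT2E_SEQ)
    elif code[pos:pos + len(FAST_SEQ)] == FAST_SEQ:
        mechanism, pos = "sysenter", pos + len(FAST_SEQ)
    else:
        return None
    arg_count = None
    if pos < len(code) and code[pos] == 0xC3:        # ret
        arg_count = 0
    elif pos + 2 < len(code) and code[pos] == 0xC2:  # ret imm16
        arg_count = struct.unpack_from("<H", code, pos + 1)[0] // 4
    return SyscallStub(number, (number >> 12) & 3, number & 0xFFF, mechanism, arg_count)

def check_table(published: Dict[str, int], stubs: Dict[str, bytes]) -> Dict[str, str]:
    # Cross-check a published name -> service-number table against decoded stub bytes.
    problems = {}
    for name, expected in published.items():
        decoded = decode_stub(stubs.get(name, b""))
        if decoded is None:
            problems[name] = "no recognizable stub"
        elif decoded.service_number != expected:
            problems[name] = f"table says {expected:#x}, stub loads {decoded.service_number:#x}"
    return problems
```

Feeding `check_table` the numbers from a page such as the one linked above together with the stub bytes read from the matching exports gives the consistency check skeet8812 asked for, and a stub whose decoded number or argument count disagrees with the table is the thing to investigate rather than trust.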
skeet8812
How do I cheat?
Reputation: 0

Joined: 09 May 2005
Posts: 4

Posted: Tue May 10, 2005 3:48 am

OK, I see now. Thanks a ton for the help. I've never written a debugger, so I guess it's time to learn that lol

 

