What to Hook?


Now that you know how to hook the functions in the system call table, you will want to know what those functions are and how they work. There are several hundred exported functions in ntdll.dll, so listing each function and detailing its use is beyond the scope of this book. Fortunately, details can be addressed by a functional group.

To see each of the exported functions in ntdll.dll, you can simply drag and drop ntdll.dll (usually found in c:\windows\system32) into IDA. Once IDA has processed the file, you can select the menu option Navigate image from book Jump To image from book Function, to see a list of all exported functions. Moreover, if you have the time, jumping to a few of these functions can introduce you to the world of reverse engineering.

This is not a primer for kernel mode programming; so don’t expect a lot of detail. There is enough detail here to get started, but working with these functions will require kernel mode programming expertise.

The exported functions of ntdll.dll are conveniently prefixed to indicate functional grouping. The following sections describe the functional groups.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net