
Someone had been asking how to hook ZwShutdownSystem; the only problem is that the function is exported by ntdll.dll, not by ntoskrnl.exe, so a driver has nothing to import. metro_mystery was helpful in providing the service table entry number for the call, but that number would have had to be hardcoded into the driver, and system call numbers change between Windows versions. Fortunately, getting the id dynamically from a user-land component is easy: read it out of the ntdll stub, the same way we always do :) On x86 every Nt/Zw export in ntdll looks like this:

77F5B438 B8 00000000 MOV EAX, _FUNCTION_ID_
77F5B43D BA 0003FE7F MOV EDX,7FFE0300
77F5B442 FFD2 CALL EDX
77F5B444 C2 1800 RETN XX


Add one to the address GetProcAddress() returns for the export (to skip the B8 opcode of the MOV EAX) and read the 32-bit immediate that follows; that is the function id. I have included a sample application in my vault for anyone interested. If you don't mind using a user-land component in your rootkit, just have the user-land app send the driver an IOCTL after installing it, passing the function ids it needs. If you don't want a user-land application, use KeAttachProcess() to attach to any process that has ntdll loaded, locate the ntdll base through PEB_LDR_DATA in the PEB, and write your own GetProcAddress() to find the stub.
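As an added example (not part of the original post or of the sample application in the author's vault), here is a C program that parses an ntdll Nt/Zw stub of the shape shown above and pulls the system call number out of the MOV EAX immediate. It first checks that the surrounding bytes match the expected pattern, so an inline-hooked or unexpectedly shaped stub is rejected instead of yielding a garbage number. It goes beyond the post by also handling the x64 stub prologue (mov r10, rcx; mov eax, imm32). The live lookup through GetModuleHandle/GetProcAddress is compiled only on Windows; the sample stub byte arrays are constructed, and 0x1234 and 0x56 are placeholder numbers, not the real ZwShutdownSystem entry on any build.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SYSTEM_CALL_STUB_PTR 0x7FFE0300u   /* SharedUserData!SystemCallStub, as in the listing */

/* Read a little-endian 32-bit immediate regardless of host endianness. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* x86 stub, the shape in the listing above:
 *   B8 imm32        mov eax, <system call number>
 *   BA 00 03 FE 7F  mov edx, 7FFE0300h
 *   FF D2           call edx
 *   C2 imm16 / C3   retn <argument bytes> / ret
 * Returns 0 and fills *id and *arg_bytes, or -1 if the bytes are not such a stub
 * (for example an E9 jmp written over it by an inline hook). */
int parse_x86_stub(const uint8_t *stub, size_t len, uint32_t *id, uint16_t *arg_bytes)
{
    if (len < 13 || stub[0] != 0xB8) return -1;
    if (stub[5] != 0xBA || rd32(stub + 6) != SYSTEM_CALL_STUB_PTR) return -1;
    if (stub[10] != 0xFF || stub[11] != 0xD2) return -1;
    if (stub[12] == 0xC2) {
        if (len < 15) return -1;
        *arg_bytes = (uint16_t)(stub[13] | (stub[14] << 8));
    } else if (stub[12] == 0xC3) {
        *arg_bytes = 0;
    } else {
        return -1;
    }
    *id = rd32(stub + 1);   /* export address + 1: the immediate right after the B8 opcode */
    return 0;
}

/* x64 stub prologue (beyond the post): 4C 8B D1 mov r10, rcx ; B8 imm32 mov eax, <number>.
 * Newer builds insert a test/jne before the syscall instruction, but these 8 bytes stay put. */
int parse_x64_stub(const uint8_t *stub, size_t len, uint32_t *id)
{
    if (len < 8 || stub[0] != 0x4C || stub[1] != 0x8B || stub[2] != 0xD1 || stub[3] != 0xB8)
        return -1;
    *id = rd32(stub + 4);
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* The user-land lookup the post describes: resolve the export in the loaded ntdll and read
 * the number out of its stub. Windows-only; returns -1 on any failure. */
int syscall_id_from_ntdll(const char *name, uint32_t *id)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    const uint8_t *stub = ntdll ? (const uint8_t *)GetProcAddress(ntdll, name) : NULL;
    if (!stub) return -1;
#ifdef _WIN64
    return parse_x64_stub(stub, 16, id);
#else
    uint16_t args;
    return parse_x86_stub(stub, 16, id, &args);
#endif
}
#endif

/* Constructed sample bytes. 0x1234 and 0x56 are placeholders, not real ZwShutdownSystem numbers. */
static const uint8_t sample_x86_stub[] = {
    0xB8, 0x34, 0x12, 0x00, 0x00,            /* mov eax, 1234h */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,            /* mov edx, 7FFE0300h */
    0xFF, 0xD2,                              /* call edx */
    0xC2, 0x04, 0x00 };                      /* retn 4: one stack argument, as ZwShutdownSystem has */
static const uint8_t sample_x64_stub[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x56, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
static const uint8_t hooked_x86_stub[] = {   /* jmp rel32 patched over the stub by an inline hook */
    0xE9, 0x00, 0x10, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0xD2, 0xC2, 0x04, 0x00 };

/* Results as plain functions: the number (or argument byte count), or -1 when the stub is rejected. */
long x86_id_of(const uint8_t *s, size_t n)   { uint32_t id; uint16_t a; return parse_x86_stub(s, n, &id, &a) == 0 ? (long)id : -1; }
long x86_args_of(const uint8_t *s, size_t n) { uint32_t id; uint16_t a; return parse_x86_stub(s, n, &id, &a) == 0 ? (long)a : -1; }
long x64_id_of(const uint8_t *s, size_t n)   { uint32_t id; return parse_x64_stub(s, n, &id) == 0 ? (long)id : -1; }

int main(void)
{
    printf("sample x86 stub: id 0x%lX, %ld argument bytes\n",
           x86_id_of(sample_x86_stub, sizeof sample_x86_stub),
           x86_args_of(sample_x86_stub, sizeof sample_x86_stub));
    printf("sample x64 stub: id 0x%lX\n", x64_id_of(sample_x64_stub, sizeof sample_x64_stub));
    printf("hooked x86 stub: %ld (rejected)\n", x86_id_of(hooked_x86_stub, sizeof hooked_x86_stub));
#ifdef _WIN32
    uint32_t live;
    if (syscall_id_from_ntdll("ZwShutdownSystem", &live) == 0)
        printf("this machine: ZwShutdownSystem = 0x%X\n", live);
#endif
    return 0;
}
```

The pattern check is what you want before handing a number to a driver over an IOCTL: on a machine where ntdll has been inline-hooked, the first bytes of the export are a jmp, and blindly reading export address + 1 would return part of a relative branch offset rather than a system call number.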

I'm sure someone will say this article is simplistic and unnecessary, considering everyone already knows how to get the table entry number for kernel-level procs, to which I say I just thought some people might find this useful. If you found it useful, great; if you didn't, great.
