Sender: tbsoft (tbsoft), letter area: Sysinternals Title: Part Unprecedented Windows 2000 Core Function Call Station: Wuhan Baiyun Yunhe Station (Sun Aug 6 20:45:20 2000), the station letter part has not been disclosed Windows 2000 Core Function Call These unusless Windows 2000 core function calls (Windows NT 4.0 can also be called) is for Intel 80386 (i386) CPU, no transplantability, may be the reason for Microsoft's non-disclosure. These calls typically begin with KE386 or KEI386, partial calls are quite useful, and the author only analyzes a part of the modified function prototype, and then analyze the remaining calls later. 1, Ke386SetIoAccessMap function prototype: void Ke386SetIoAccessMap (int, IOPM *); outbound symbol: _Ke386SetIoAccessMap @ 8 2, Ke386QueryIoAccessMap function prototype: void Ke386QueryIoAccessMap (int, IOPM *); outbound symbol: _Ke386QueryIoAccessMap @ 8 3, Ke386IoSetAccessProcess function prototype: void Ke386IoSetAccessProcess (Peprocess, int); extraction symbol: _Ke386ioseetAccessProcess @ 8 or more adjustment allows NT / 2000 like Windows 95/98 in Ring 3 freely implement hardware I / O at IN / O, specific usage, the author will follow Description.
4, Ke386CallBios function prototype: Unknown outbound symbol: _Ke386CallBios @ 8 calling function: Possible BIOS function call 5, KeI386SetGdtSelector function prototype: NTSTATUS KeI386SetGdtSelector (IN ULONG sels, IN PVOID desc); outbound symbol: _KeI386SetGdtSelector @ 8 call functions: setting a global descriptor 6, KeI386ReleaseLid function prototype: Unknown outbound symbol: _KeI386ReleaseLid @ 8 calling function: unknown 7, KeI386ReleaseGdtSelectors function prototype: NTSTATUS KeI386ReleaseGdtSelectors (OUT PUSHORT SelArray, IN int NumOfSelectors); outbound symbol: _KeI386ReleaseGdtSelectors @ 8 calling function: releasing a global Descriptor 8, Kei386MachineType function prototype: unknown symbol: _kei386machineType call function: may be the type 9 of the computer (CPU) 9, KEI386GetLid function prototype: unknown symbol: _KEi386GetLid @ 20 call function: unknown 10, kei386flattogdtselector function prototype: unknown symbols: _KeI386FlatToGdtSelector @ 12 calls the function: may be converted to a memory address related to 11, KeI386Call16BitFunction function prototype: Unknown outbound symbol: _KeI386Call16BitFunction @ 4 calls the function: may call 16-bit code about 12, KeI386Call16BitCStyleFunction function prototype: Unknown outbound symbol: _KeI386Call16BitCStyleFunction @ 16 function call: calling the 16-bit code may be about 13, KeI386AllocateGdtSelectors function prototype: NTSTATUS KeI386AllocateGdtSelectors (OUT PUSHORT SelArray, IN int NumOfSelectors); outbound symbol: _KeI386AllocateGdtSelectors @ 8 function call: assign a global descriptor This feature is functioning with the Kei386SETGDTSELECTOR function, and the Kei386ReleaseGdtSelectors function can modify the GDT, so that you can define your own call doors, enter the real NT Ring 0 layer, so you can directly modify GDT, IDT, LDT, directly access all memory and all hardware, function Extremely powerful.
