Create time: 2005-03-09
Article attribute: original
Article submission:
SUEI8423 (SUEI8423_AT_163.COM)
Author: ZwelL
For work I needed to control process creation, so I hooked ZwCreateProcess, and then found that on XP and 2003 process creation goes through NtCreateProcessEx (see [1]).
However, ZwCreateProcessEx is not exported by ntoskrnl.exe, SoftICE's NTCALL command did not show it, and no relevant code could be found online. No other way, then: trace ntoskrnl!ZwCreateProcess
> u ntoskrnl! ZwcreateProcessex
_Zwcreateprocess
0008: 804E7AE2 BB32000000 MOV Eax, 00000032
However, ZwCreateProcessEx takes 9 parameters; the last one is unknown, 4 bytes wide, and is presumed to be a HANDLE.
The prototype is as follows:
typedef NTSTATUS (*NTCREATEPROCESSEX)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcess,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL,
    IN HANDLE Unknown);
The final hook code works; it is as follows:
#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"
#include "ntiologc.h"
// Width aliases used throughout the listing.
#define DWORD unsigned long
#define word unsigned short
#define bool unsigned long
// Layout of a system service descriptor table entry.  The hook below indexes
// ServiceTableBase by service number (0x32 for NtCreateProcessEx on this build).
Typedef struct service {
Unsigned Int * ServiceTableBase;
Unsigned int * service; // original note: only used in checked builds
Unsigned int numberofservices;
Unsigned char * paramtablebase;
ServicesDescriptAblentry, * pservicedescriptable;
// The kernel's service descriptor table; declared extern and resolved at load.
Extern PserveDescriptAblentry KeserviceDescriptable;
// Function-pointer type matching the nine-parameter prototype given above.
// The meaning of the last parameter is unknown to the author (guessed HANDLE).
Typedef NTSTATUS (* NTCREATEPROCESSEX)
Out phaldle processhandle,
IN Access_mask desidaccess,
In POBJECT_ATTRIBUTES OBJECTATTRIBUTES OPTIONAL,
In Handle ParentProcess,
In Boolean InheritObjectTable,
In Handle SectionHandle Optional,
In Handle Debugport Optional,
In Handle ExceptionPort Optional,
In Handle Unknown;
// Saved original service pointer; NewNTCreateProcessex forwards to it and
// Onunload writes it back into the table.
NtcreateProcessex OldntcreateProcessex;
// Length of the process-name buffer (rounded up to the next DWORD).
#define procnamelen 20
// Maximum length of an NT process image name.
#define NT_Procnamelen 16
// Byte offset of the image name inside EPROCESS.  Zero until
// getProcessNameOffset() has found it; getProcessName() checks for that.
Ulong gprocessnameoffset;
// Finds the byte offset of the image name inside EPROCESS and stores it in
// gprocessnameoffset.  It scans the current process's EPROCESS, up to three
// pages, for the string "System"; DriverEntry calls this at load time,
// presumably while the current process is the System process — TODO confirm.
// NOTE(review): the comparison on the IF line is garbled in this listing
// (the original is presumably a strncmp against "System"), and the loop has
// no break, so the last match inside the scanned range is the one kept.
Void getProcessNameOffset ()
{
Peprocess curproc;
INT I;
Curproc = psgetcurrentprocess ();
For (i = 0; i <3 * Page_size; i )
{
IF (! "," system ", (pchar) Curproc i, Strlen (" System "))))))))
{
GProcessNameOffset = i;
}
}
}
// Copies the image name of the current process into Thename.  Up to
// NT_Procnamelen bytes are copied from EPROCESS + gprocessnameoffset and a NUL
// is stored at index NT_Procnamelen, so the caller's buffer must hold at least
// NT_Procnamelen + 1 bytes (procnamelen = 20 satisfies this).
// Returns False, leaving Thename untouched, when getProcessNameOffset() has
// not found an offset yet.  The locals i and Oldirql are never used.
Bool getProcessName (Pchar Thename)
{
Peprocess curproc;
Char * nameptr;
Ulong i;
KIRQL Oldirql;
IF (gprocessnameoffset)
{
Curproc = psgetcurrentprocess ();
Nameptr = (PCHAR) CURPROC GPROCESSNAMEOFFSET;
STRNCPY (THENAME, NAMEPTR, NT_PROCNAMELEN);
Thename [nt_procnamelen] = 0; /* NUL at end */
Return True;
}
Return False;
}
// Replacement for the service in SSDT slot 0x32 (NtCreateProcessEx), installed
// by DriverEntry.  Logs the image name of the calling process with DbgPrint and
// then forwards all nine arguments, unchanged, to the saved original pointer,
// returning whatever the original returns.
// NOTE(review): the return value of GetProcessName is ignored, so when the
// offset lookup failed AprocessName is printed uninitialised.
NTSTATUS NewNTCreateProcessex
Out phaldle processhandle,
IN Access_mask desidaccess,
In POBJECT_ATTRIBUTES OBJECTATTRIBUTES OPTIONAL,
In Handle ParentProcess,
In Boolean InheritObjectTable,
In Handle SectionHandle Optional,
In Handle Debugport Optional,
In Handle ExceptionPort Optional,
In Handle Unknown Optional
{
CHAR APROCESSNAME [procnamelen];
GetProcessName (AprocessName);
DBGPrint ("rootkit: newntcreateprocessex () from () from% s / n", AprocessName);
// DBGPRINT ("OK");
// Pass-through: every parameter is handed to the original service as received.
Return OldntcreateProcessex (ProcessHandle, DesiredAccess,
Objectattributes, ParentProcess, InheritObjectTable, SectionHandle, Debugport, ExceptionPort, Unknown;
}
// Stub IRP handler that DriverEntry registers for every major function code:
// it completes each request with STATUS_SUCCESS and no priority boost.
// NOTE(review): IRP->IoStatus.Status is read back after IoCompleteRequest;
// the IRP should not be touched once it has been completed.
NTSTATUS
Onstubdispatch
In PDEvice_Object DeviceObject,
In PIRP IRP
)
{
IRP-> iostatus.status = status_success;
IOCOMPLETEREQUEST (IRP,
IO_NO_INCREMENT
);
Return IRP-> iostatus.status;}
// Driver unload routine.  Writes the saved original pointer back into SSDT
// slot 0x32.  The table page is write-protected, so CR0.WP is cleared around
// the single pointer store, with interrupts masked on this CPU meanwhile.
// NOTE(review): nothing checks that DriverEntry actually installed the hook
// before the restore is performed.
Void Onunload (in PDRIVER_Object DriverObject)
{
DBGPrint ("rootkit: onunload caled / n");
_asm
{
CLI // disable interrupts on this CPU
Mov Eax, Cr0 // read CR0 into EAX
And Eax, NOT 10000H // clear the WP bit (bit 16)
MOV CR0, EAX // write CR0 back
}
// Put the original service pointer back into the table.
(NTCREATEPROCESSEX) ((PserviceDescriptableEntry "KESERVICEDESCRIPTORTABLE) -> ServiceTableBase 0x32) = OldntCreateProcessEx;
_asm
{
Mov Eax, Cr0 // read CR0 into EAX
// NOTE(review): 1000H is bit 12, not the WP bit (bit 16 = 10000H) cleared
// above, so as written this does not re-enable write protection.
OR EAX, 1000H // Enable WP Bit
MOV CR0, EAX // write CR0 back
STI // re-enable interrupts
}
}
NTSTATUS DRIVERENTRY (in PDRIVER_OBJECT THEDRIVEROBJECT, In Punicode_String ThegegistryPath)
{
INT I;
DBGPRINT ("My Driver Loaded!");
GetProcessNameOffset ();
// register a dispatch function
For (i = 0; i { THEDRIVEROBJECT-> Majorfunction [i] = onstubdispatch; } THEDRIVEROBJECT-> Driverunload = onunload; // Save Old System Call Locations // OldntCreateProcessex = (NTCreateProcessEx) (SystemService); OldntCreateProcessex = (NTCREATEPROCESSEX) (((pservicedescriptableentable) -> ServiceTableBase 0x32)); _asm { CLI / / DISSABLE INTERRUPT Mov Eax, Cr0 // Move CR0 Register INTO EAX And Eax, NOT 10000H // Disable WP bit MOV CR0, EAX / / WRITE Register Back } (NTCREATEPROCESSEX) ((PserviceDescriptableEntry "keserviceDescriptable) -> ServiceTableBase 0x32) = newntcreateprocessex; _asm { Mov Eax, Cr0 // Move CR0 Register INTO EAX OR EAX, 1000H // Enable WP Bit MOV CR0, Eax // Write Register Backsti // Enable Interrupt } Return status_success; } This is very uncomfortable, every time you have to look like this, ask SOBEIT, you can get the service index number from NTDLL: From rookkit: #include #include Bool getId (Char * funcname, ulong * functionid) { // Get the function's address Pbyte function = (pbyte) getProcadDress ("NTDLL.DLL"), FUNCNAME); / * Do Some Sanity Checks, Make Sure this function Has a Corresponding Kernel Level function * / * FunctionID = 0; // Func Not Found ... IF (function == null) { Return False; } / * 77F5B438 B8 00000000 MOV EAX, _Function_ID_ 77F5B43D BA 0003FE7F MOV EDX, 7FFE0300 77F5B442 FFD2 Call Edx 77F5B444 C2 1800 RETN XX * / // Mov EAX IF (* function! = 0xB8) { Return False; } / * Since the address of The Function Which Actually Makes The Call (Syscall) May Change, We Just Check for MOV EDX * / IF (* (Function 5)! = 0xBA) { Return False; } // Call EDX / * if (* (pword) (Function 10)! = 0xD2FF) { Return False; } // Retn IF (* (Function 12)! 
= 0xc2) { Return False; } * / * FunctionID = * (PDWORD) (Function 1); Return True; } Int main (int Argc, char * argv []) { Ulong ID; Printf ("Function Name: NTCREATEPROCESSEX / N"); GetId ("NTCREATEPROCESSEX", & ID); Printf ("Function ID:% 08X / N", ID); Return 0; } /// This is not so cool, to pass from the user to the drive layer is inconvenient, finally, with this code: #include "ntddk.h" #include "stdarg.h" #include "stdio.h" #include "ntiologc.h" #include "ntimage.h" #define DWORD unsigned long #define Word unsigned Short # define bool unsigned long #define byte unsigned char #define sec_image 0x01000000 TYPEDEF STRUCT _SECTION_IMAGE_INFORMATION { PVOID ENTRYPOINT; Ulong stackzerobits; Ulong stackreserved; Ulong stackcommit; Ulong imageSubsystem; Word subsystemversionLow; Word subsystemversionhigh; Ulong UNKNOWN1; Ulong Imagecharacteristics; Ulong ImageMachineType; Ulong UNKNOWN2 [3]; } Section_image_information, * psection_image_information; DWORD getDLFunctionAddress (Char * LPFunctionName, Punicode_String PDLNAME) { Handle Hthread, HSECTION, HFILE, HMOD; Section_image_information sii; Image_dos_header * dosheader; Image_optional_header * OPTHDR; Image_export_directory * pEXPostTable; DWORD * ArrayOffunctionAddresses; DWORD * ArrayoffunctionNames; Word * arrayoffunctionordinal; DWORD FUNCTIONORDINAL; DWORD BASE, X, FunctionAddress; Char * functionname; String NTFunctionName, NTFunctionNamesearch; Pvoid Baseaddress = NULL; SIZE_T SIZE = 0; Object_attributes OA = {SizeOf OA, 0, PDLLNAME, OBJ_CASE_INSENSITIVE}; IO_STATUS_BLOCK IOSB; // _ ASM INT 3; Zwopenfile (& Hfile, File_execute | Synchronize, & Oa, & iOSB, File_Share_read, File_Synchronous_io_nonalert); Oa.Objectname = 0; ZWCREATESECTION (& Hsection, Section_All_Access, & Oa, 0, Page_execute, Sec_Image, HFile); ZWMapViewOfSecion (HSECTION, NTCurrentProcess (), & Baseaddress, 0, 1000, 0, & size, (section_inherit) 1, MEM_TOP_DOWN, PAGE_READWRITE ZWClose (HFILE); HMOD = BaseAddress; DOSHEADER = 
(image_dos_header *) hmod; OPTHDR = (Image_Optional_Header *) ((byte *) hmod dosheader-> e_lfanew 24); pExportTable = (IMAGE_EXPORT_DIRECTORY *) ((BYTE *) hMod opthdr-> DataDirectory [IMAGE_DIRECTORY_ENTRY_EXPORT] VirtualAddress.); // now we can get the exported functions, but note we convert from RVA to address ArrayoffunctionAddresses = (DWORD *) ((byte *) hmod pexporttable-> addressoffunctions; ArrayoffunctionNames = (DWORD *) (Byte *) HMOD PEXPORTTABLE-> AddressOfNames); Arrayoffunctionordinals = (word *) HMOD PEXPORTTABLE-> AddressOfNameOrdinals; Base = pexporttable-> base; RTLinitstring (& NTFunctionNamesearch, lpfunctionname); For (x = 0; x { FunctionName = (CHAR *) (Byte *) HMOD ArrayoffunctionNames [x]); RTLinitstring (& ntfunctionName, FunctionName); Functionordinal = arrayoffunctionordinals [x] base - 1; // ALWAYS NEED TO Add Base, -1 ARRAY Count // this is the funny bit. You Would EXPECT The Function Pointer to Simply Be ArrayoffunctionAddresses [x] ... // oh no ... Thats Too Simple. It is actually arrayoffunctionAddresses [FunctionOrdinal] !! 
FunctionAddress = (DWORD) (Byte *) HMOD ArrayOffunctionAddresses [FunctionOrdinal]); IF (RTLcompareString (& ntfunctionName, & ntfunctionNamesearch, True) == 0) { ZWClose (HSECTION); Return FunctionAddress; } } ZWClose (HSECTION); Return 0; } NTSTATUS Onstubdispatch In PDEvice_Object DeviceObject, In PIRP IRP ) { IRP-> iostatus.status = status_success; IOCOMPLETEREQUEST (IRP, IO_NO_INCREMENT ); Return IRP-> iostatus.status; } Void Onunload (in PDRIVER_Object DriverObject) { DBGPrint ("rootkit: onunload caled / n"); } NTSTATUS DRIVERENTRY (in PDRIVER_OBJECT THEDRIVEROBJECT, IN PUNICODE_STRING TheregistryPath) { INT I; Unicode_string dllname; DWORD FunctionAddress; INT position; DBGPRINT ("My Driver Loaded!"); THEDRIVEROBJECT-> Driverunload = onunload; RTLinitunicodeString (& Dllname, L "// device // harddiskvolume1 // windows // system32 // ntdll.dll"); FunctionAddress = GetdllFunctionAddress ("ZWCREATEPROCESSEX", & DLLNAME Position = * ((Word *) (FunctionAddress 1); DBGPRINT ("ID:% D / N", POSITION; Return status_success; } The above code loads NTDLL from the drive layer, then finds the function address in the output table, the words behind the B8 corresponding to the MOV EAX, [ID] are index numbers, in fact, it is similar to the previous code. Just the drive layer is not LoadLibrary, can only solve this. Integrating the above code is relatively complete, everyone looks at change. 
By the way, the service description in 2003 is used, I hope to help everyone: Service Table Address: 0x80567980 Number of Services: 280 = 0x127 Index Address Parameters Name -------------------------------------------------- ----------------------------------------------- 0x0 0x8058DDCE 6 NTACCEPTCONNECTPORT 0x1 0x80596b7e 8 NTACCESSCHECK 0x2 0x805976ce B NTAccessCheckandauditararm 0x3 0x805a8bb7 b NTAccessCheckbytepe 0x4 0x8059968a 10 NTACCESSCHECKBYTYPEANDAUDITAlarm 0x5 0x80658705 b NTAccessCheckbyTypeResultlist 0x6 0x8065a9b2 10 ntaccesscheckbytyperesultListandauditararm 0x7 0x8065a9f5 11 ntaccesscheckbytyperesultListandauditaRmbyHandle 0x8 0x8059dc4f 3 ntaddatom 0xB 0x806581E2 6 NTADJUSTGROUPSTOKEN 0xc 0x80597836 6 NTADJUSTPRIVILEGESTOKEN 0xD 0x8065104B 2 ntalertResumethread 0xe 0x805971ea 1 ntalertthread0xf 0x805996cc 1 ntallocatelocallyLoNiqueId 0x10 0x80647eb9 3 NTALLOCATEUSERPHYSICALPAGES 0x11 0x805a70dc 4 ntallocateuuiDS 0x12 0x80583188 6 NTALLOCATEVIRTUALMEMORY 0x13 0x8058FAFF 2 NTAPPHELPCACHECONTROL 0x14 0x805e92fb 2 ntaremappedfilesthesame 0x15 0x805ae6f 2 ntassignprocesstojobiBject 0x16 0x804ebbbcc 3 ntcallbackreturn 0x18 0x805eb49d 2 ntcanceliofile 0x19 0x804f7445 2 NTCANCELTIMER 0x1a 0x8058c43a 1 NTCLEAREVENT 0x1b 0x805768ac 1 ntclose 0x1c 0x80596ee 3 NTCloseObjectAuditararm 0x1D 0x80626f6f 2 ntcompactKeys 0x1e 0x8065B8FF 3 NTcompareToKens 0x1f 0x8058dc82 1 NTcompleteConnectport 0x20 0x806271d6 1 NTcompressKey 0x21 0x8058c55a 8 NTConnectport 0x22 0x804eb14b 2 ntcontinue 0x23 0x805B0B1E 4 NTCreateDebugObject 0x24 0x805AABAF 3 NTCREATEDIRECTORYOBJECT 0x25 0x80578522 5 NTCREATEEVENT 0x26 0x80668009 3 NTCREATEEVENTPAIR 0x27 0x805790cb b NTCREATEFILE 0x28 0x8059f5ab 4 ntcreateioocompletion 0x29 0x805e09eb 3 NTCREATEJOBOBIECT 0x2a 0x80651805 3 NTCREATEJOBSET 0x2B 0x80592A39 7 NTCREATEKEY 0x2c 0x805f225d 8 ntcreatemailslotfile 0x2D 0x805863A1 4 NTCREATEMUTANT 0x2e 0x8058f416 e ntcreatenamedpipefile0x2f 0x805c8e1e 4 NTCreatePagingFile 0x30 0x805a32a4 5 
ntcreateport 0x31 0x805BD684 8 NTCREATEPROCESS 0x32 0x8058EFE3 9 NTCREATEPROCESSEX 0x33 0x806685B7 9 NTCREATEPROFILE 0x34 0x80573eca 7 NTCREATeSecion 0x35 0x8059afa9 5 NTCREATESEMAPHORE 0x36 0x805AB548 4 NTCREATESYMBOLICLIINKOBJECT 0x37 0x80588254 8 NTCREATTHREAD 0x38 0x805a2688 4 ntcreatetimer 0x39 0x805a62a4 d ntcreatetoken 0x3a 0x805bc212 5 ntcreatewaitableport 0x3B 0x805B12C1 2 NTDebugActiveProcess 0x3c 0x805b17dc 3 NTDebugContinue 0x3D 0x80574c08 2 NTDELAYEXECUTION 0x3e 0x8059ab90 1 NTDeleTeatom 0x41 0x805B7979 1 NTDELETEFILE 0x42 0x805eca87 1 ntdeletekey 0x43 0x8065aa3a 3 NTDeleteObjectauditararm 0x44 0x805a20d4 2 NTDeleteValueKey 0x45 0x80586f5e a ntdeviceioocontrolfile 0x46 0x805c9f0b 1 NTDISPLAYSTRING 0x47 0x8058051e 7 NTDUPLICATEOBJECT 0x48 0x8059cc7c 6 NTDUPLICATETOKEN 0x4b 0x8059a085 6 nTenumerateKey 0x4c 0x80667a42 3 ntenumeratesystemstemenvironmentValuesex 0x4D 0x8059D849 6 NTenumerateValueKey 0x4e 0x805ac037 2 NTEXTENDSECTION 0x4f 0x805e41d5 6 NTFILTERTOKEN 0x50 0x8059e01a 3 ntfindatom 0x51 0x805920A7 2 NTFLUSHBUFFERSFILE 0x52 0x8058A8B5 3 NTFLUSHINSTRUCECACHE 0x53 0x805E715B 1 NTFLUSHKEY 0x54 0x805a130d 4 NTFLUSHVIRTUALMEMORY 0x55 0x80648B20 0 NTFLUSHWRITEBUFFER 0x56 0x8064852a 3 ntfreeuserphysicalpages 0x57 0x8057B2BF 4 NTFreevirtualMemory 0x58 0x8057f504 a NTFSControlFile 0x59 0x805e8674 2 NTGETCONTEXTTHREAD 0x5a 0x8064de05 2 NtgetDevicePowerstate 0x5b 0x805e8ccb 4 NTGETPLUGPLAYEVENT 0x5c 0x80544ec4 7 NtgetWritewatch 0x5d 0x805f12e2 1 ntimpersonateAnonymoustoke 0x5e 0x80597fdf 2 ntimpersonateclientofport 0x5f 0x8059b9c8 3 ntimpersonatethread 0x60 0x805b77c8 1 ntinitializeRegistry 0x61 0x8064dc59 4 ntinitiatepowraction 0x62 0x8058ec31 2 ntisprocessinjob 0x63 0x8064ddf2 0 ntissystemResumeautomatic 0x64 0x805bc19c 2 ntlistenport 0x65 0x805B9DFE 1 NTLOADDRIVER 0x66 0x805B2D8F 2 NTLOADKEY 0x67 0x8062758c 3 ntlykey2 0x68 0x805B4A6C 4 NTLOADKEYEX 0x69 0x805a2342 a NTLOCKFILE 0x6a 0x805e4eaa 2 NtlockProductActivationKeys 0x6b 0x805de064 1 
NTLOCKREGISTRYKEY 0x6c 0x805e4a65 4 ntlockvirtualMemory 0x6D 0x805AB8BA 1 NTMAKEPERMANENTOBJECT 0x6e 0x805abbb05 1 NTMAKETEMPORARYOBJECT 0x6f 0x80647392 3 NTMapUserphysicalpages 0x70 0x80647859 3 NTMapUserphysicalpagesscatter 0x71 0x80589905 a ntmapviewofsection 0x74 0x805ef59d 9 NTNotifyChangeDirectoryFile 0x75 0x80599f1c a NTNotifyChangeKey 0x76 0x80599d2d c ntnotifychangemultipleKeys 0x77 0x8058ef66 3 NTOPENDIRECTORYOBJECT 0x78 0x80599615 3 NTOPENEVENT 0x79 0x806680f4 3 NTOPENEVENTPAIR 0x7a 0x8057909d 6 NTOPENFILE 0x7b 0x80634e03 3 NtopenioCompletion 0x7c 0x805af8b0 3 NTOPENJOBOBJECT 0x7D 0x80578D88 3 NTOPENKEY 0x7e 0x80586508 3 NTOPENMUTANT 0x7f 0x805ed885 C NTOpenObjectAuditararm 0x80 0x80593613 4 NTOPENPROCESS 0x81 0x8057e110 3 NTOPENPROCESSTOKEN 0x82 0x8057e816 4 NTOPENPROCESSTOKENEX 0x83 0x8058A94B 3 NTOPENSECTION 0x84 0x805B3152 3 NTOPENSEMAPHORE 0x85 0x8058EA10 3 NTOPENSYMBOLICLINKOBJECT 0x86 0x805a2a8c 4 ntopenthread 0x87 0x8057f976 4 NTOPENTHREADTOKEN 0x88 0x8057f8E5 5 NTOPENTHREADTOKENEX 0x89 0x805eb40f 3 NTOPENTIMER 0x8a 0x805a24a2 3 ntplugplayControl 0x8b 0x805ae364 5 ntpowerinformation 0x8c 0x805a2c28 3 NTPrivilegecheck 0x8D 0x805E48CE 6 NTPrivileGeObjectAuditararm 0x8e 0x805a7bf0 5 NTPrivilegedServiceAuditararm 0x8f 0x80584a67 5 NTProtectVirtualMemory 0x90 0x8059f752 2 NTPULSEEVENT 0x91 0x80585755 2 NTQueryattributesfile 0x94 0x80508c75 2 ntquerydebugfilterstate0x95 0x8057ffd5 2 NTQueryDefaultlocale 0x96 0x80587c53 1 ntquerydefaultuilanguage 0x97 0x8058731c B NTQueryDirectoryFile 0x98 0x80595d65 7 ntquerydirectoryObject 0x9a 0x80635410 9 NTQUERYAFILE 0x9b 0x805a2d89 5 ntqueryevent 0x9c 0x8059b735 2 ntqueryfullattributesfile 0x9D 0x805edffe 5 NtQueryInformationArtom 0x9e 0x805852cf 5 NTQueryInformationFile 0x9f 0x805af5ab 5 NTQueryInformationJobiPject 0xA0 0x80644A66 5 NTQUERYINFORMATIONPORT 0xA1 0x8057fdea 5 NTQueryInformationProcess 0xA2 0x80576DC6 5 NTQueryInformationthread 0xA3 0x8057E718 5 NTQUERYINFORMATIONTOKEN 0xA4 0x8059D58C 1 
NTQueryInstalluilanguage 0xA5 0x80668A4E 2 NTQueryIntervalprofile 0xA6 0x80634EBC 5 NTQueryiocompletion 0xA7 0x80580c31 5 ntquerykey 0xA8 0x80626765 6 NTQueryMultiPLEValueKey 0xA9 0x80668412 5 NTQuerymutant 0xAA 0x805f1cad 5 NTQueryObject 0xAb 0x80626953 2 NTQueryOpenSubkeys 0xac 0x80626b89 4 ntqueryopensubkeysex 0xAD 0x8057F59E 2 NTQueryperFormanceCounter 0xae 0x80635c9d 9 ntqueryquotainformationfile 0xAF 0x8058679A 5 ntquerysection 0xB0 0x805997E7 5 NTQuerySecurityObject 0xB1 0x80667325 5 NTQuerysemaphore 0xB2 0x8058E816 3 NTQuerysymbolicLinkObject 0xB3 0x80667A76 4 NTQuerySystemEmenvironmentValue 0xB5 0x8057cbe2 4 NTQuerySystemInformation 0xB6 0x80597E57 1 NTQuerySystemTime 0xB7 0x8058c677 5 NTQueryTimer 0xB8 0x8059E436 3 NTQueryTimerResolution 0xB9 0x80577D61 6 NTQueryValueKey 0xBA 0x80582264 6 NTQueryVirtualMemory 0xBB 0x8057960D 5 NTQueryVolumeInformationFile 0xBC 0x8058C78E 5 NTQueueapcthRead 0xBD 0x804EB198 3 NTRAISEEXCEPTION 0xbe 0x80667075 6 NTRAISEHARDERRORROR 0xBF 0x8057D886 9 NTREADFILE 0xc0 0x805aeb82 9 ntreadfilescatter 0xc1 0x8059859d 6 NtreadRequestData 0xc2 0x805861e0 5 NtreadVirtualMemory 0xc3 0x80588402 1 ntregisterthreadterminateport 0xc4 0x80574b77 2 NTRELESEMUTANT 0xc5 0x80598eb5 3 NTRELEASEMAPHORE 0xC6 0x80577945 5 NTREMOVEIOCOMPLETION 0xC7 0x8066E462 2 NTREMOVEPROCESSDEBUG 0xc8 0x80626Dec 2 NtrenameKey 0xc9 0x8062748f 3 NtreplaceKey 0xca 0x80580e50 2 ntreplyport 0xcb 0x8057b2a0 4 ntreplywaitreceport 0xcc 0x8057adb0 5 ntreplywaitreceportex 0xcd 0x80644b39 2 ntreplywaitreport 0xCE 0x80667A4F 1 NTMODIFYDRIVERENTRY 0xcf 0x805985f2 2 ntrequestport 0xD0 0x8058cbc3 3 ntrequestwaitreport 0xD1 0x8064DC04 1 ntrequestwakeuplatency 0xD2 0x805a4751 2 nthresetevent 0xD3 0x8054543e 3 ntresetWritewatch0XD4 0x80627286 3 NTRESTOREKEY 0xD5 0x80650FF5 1 NTRESUMEPROCESS 0xD6 0x805806fa 2 NtResuMethread 0xD7 0x80627325 2 NTSAVEKEY 0xD8 0x806273B2 3 NTSAVEKEYEX 0xD9 0x80625f0d 3 ntsavemergedKeys 0xDA 0x8058D4B2 9 NTSecureConnectport 0xDD 0x805B16F1 2 
NTSETCONTEXTTHREAD 0xDE 0x8066E4F1 3 NtSetDebugfilterstate 0xDF 0x805ca1ac 1 ntsetdefaultharderrorport 0xE0 0x805B748B 2 NtSetDefaultlocale 0xE1 0x805B7433 1 NtSetDefaultuilanguage 0xE2 0x80667A5C 2 NtsetBootryOrder 0xe3 0x8063594e 4 ntseteafile 0xE4 0x8057ABD7 2 NTSETEVENT 0xE5 0x80575690 1 NtseteventBoostPriority 0xE6 0x806683B0 1 NTSETHIGHEVENTPAIR 0xe7 0x806682e6 1 ntsethighwaitloweventpair 0xE8 0x8066E255 5 NtsetInformationDebugObject 0xE9 0x80578747 5 ntsetinformationfile 0xEA 0x805E0B5F 4 NtsetInformationJobiect 0xeb 0x80626400 4 NtsetInformationKey 0xec 0x8059223e 4 NtsetInformationObject 0xed 0x80580221 4 ntsetinformation process 0xee 0x80577629 4 ntsetinformationthread 0xef 0x805a6844 4 ntsetinformationToken 0xf0 0x806685a0 2 NtsetIntervalprofile 0xF1 0x8057c39a 5 ntsetiocompletion 0xf2 0x806508db 6 ntsetldtentries 0xF3 0x8066834f 1 ntsetloweventpair 0xF4 0x8066827d 1 ntsetlowwaithigheventpair0xf5 0x80635c7e 4 ntsetquotainformationfile 0xF6 0x805a5626 3 ntsetsecurityObject 0xf7 0x80667d39 2 ntsetsystemenvironmentValue 0xF8 0x80667a35 5 ntsetsystemEnvironmentValueex 0xF9 0x80597238 3 ntsetsystemInformation 0xfa 0x8067b325 3 ntsetsystempowerstate 0xfb 0x8066697b 2 ntsetsystemtime 0xfc 0x805abc19 2 ntsetthreadexecutionState 0xfd 0x804ee9bf 7 ntsettimer 0xfe 0x805acb3b 3 ntsettimerResolution 0xff 0x805bc73c 1 ntsetuuidseed 0x100 0x80592859 6 NtSetValueKey 0x101 0x806361ed 5 NtsetVolumeInformationFile 0x102 0x8066614b 1 ntshutdownsystem 0x103 0x80546d9e 4 ntsignalandWaitforsingleObject 0x104 0x806687ec 1 ntstartprofile 0x105 0x80668999 1 NTSTOPPROFILE 0x106 0x80650fa0 1 NTSUSPENDPROCESS 0x107 0x805B0163 2 NTSUSPENDTHREAD 0x108 0x80668af2 6 NTSystemdebugControl 0x109 0x80651a9b 2 NTTERMINATEJOBOBJECT 0x10a 0x80590cba 2 NTTERMINATEPROCESS 0x10b 0x80576714 2 NTTERMINATTHREAD 0x10c 0x8057e4f8 0 NTTESTALERT 0x10D 0x8051ed5e 4 NTTRACEEVENT 0x10e 0x80667a69 4 nttranslateFilePath 0x10f 0x806383c5 1 ntunloadDriver 0x110 0x8062747c 1 ntunloadKey 0x11 0x80625fc6 2 
ntunloadKey2 0x112 0x806261cb 2 ntunloadKeyex 0x113 0x805a220b 5 ntunlockfile0x114 0x805ae977 4 NTUNLOCKVIRTUALMEMORY 0x115 0x80589E79 2 NTUNMAPVIEWOFSECTION 0x116 0x805c5aa2 2 NTVDMControl 0x117 0x805B07C8 4 NTWAITFORDEBUGEVENT 0x118 0x80574d38 5 NTWAITFORMULTIPLEOBJECTS 0x119 0x8057428d 3 NTWAITFORSINGLEOBJECT 0x11a 0x8066821c 1 NTWAIGHEVENTPAIR 0x11b 0x806681bb 1 NTWAITLOWEVENTPAIR 0x11c 0x80578248 9 NTWRITEFILE 0x11D 0x805aefe1 9 NTWRITEFILEGATHER 0x11e 0x805990a6 6 NTWRITEREQUESTDATA 0x11f 0x805862d7 5 NTWRITEVIRTUALMEMORY 0x120 0x805091c1 0 ntyieldexecution 0x121 0x805d7d7f 4 ntcreateKeyedEvent 0x122 0x8058f5cf 3 NTOPENKEYEDEVENT 0x123 0x8066922f 4 NTRELEASEKEYEDEVENT 0x124 0x806694AA 4 NTWAITFORKEYEDEVENT 0x125 0x8064f170 0 NTQueryportInformationProcess 0x126 0x8064f1a4 0 NTGETCURRENTPROCESSORNUMBER Reference: 1. MSDN Series (3) - Administrator users directly acquire SYSTEM privilege SCZ http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1900 2.Hooking Functions NOT Exported by Ntoskrnl http://www.rootkit.com/newsread.php?newsid=151 3.SIMPLE Hooking of Functions NOT Exported by Ntoskrnl.exe http://www.rootkit.com/newsread.php?newsid=248