Shellcode & NT System Calls
From: ma1ler_deamon (ma1ler_deamon_at_yahoo.com)
Date: 12/30/03
- Previous message: Bugtraq Security Systems: "Bugtraq Security Systems (ADV 0001)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Dec 2003 17:10:52 -0800 (PST) To: vuln-dev@securityfocus.com
If you were to use the NT system call int2E interupt to do things
like the filewriting etc as mentioned above, would this bypass things
like virus scanners?
[quote http://www.internals.com/articles/apispy/apispy.htm ]
If you have ever examined ntdll.dll with QuickView, you might have noticed that
it exports a set of functions that begin with the Nt prefix. These functions
are actually small stubs of code that pass control to the Windows NT kernel
(NTOSKRNL) using interrupt 2E. Many of the functions exported from kernel32.dll
are nothing more than control transfer routines to the stubs located in ntdll.
For example, when a Windows application issues a call to CreateFile located in
kernel32.dll, the call is redirected to NtCreateFile, which passes it on to
NT's kernel for further processing. The special design of this mechanism allows
a device driver to hook these interfaces, thus providing a way for monitoring
activities performed by Windows NT/2000 applications
[/quote]
__________________________________
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/
- Previous message: Bugtraq Security Systems: "Bugtraq Security Systems (ADV 0001)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
