Thread: SYSENTER hook
  #14  
08-12-2004, 02:50
homersux
Hi, instead of looking for ways to hook int 2E or sysenter/exit, you should consider hooking the function ptr table after this system service stub. Check the kernel API spy example published by Schreiber in his "Undocumented Windows 2000" book.

The idea is to find out the KiServiceTable (exported by w2k and xp) and one of its members points to this function ptr table. You probably need a good kernel device driver to accomplish this task though.

Have fun
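An added example, not part of the original post: a defender-side integrity check for the kind of service function-pointer table hooking described above, flagging entries that no longer point into the kernel image and naming the module that owns them. The table, module list, addresses and all names here are constructed stand-ins so the check runs in user mode; a real tool would read both from the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record for one loaded image (name, load base, size). */
struct module { const char *name; uintptr_t base; size_t size; };

static int in_image(const struct module *m, uintptr_t addr)
{
    return addr >= m->base && addr - m->base < m->size;
}

/* Return the module whose image contains addr, or NULL if none does. */
const struct module *owner_of(const struct module *mods, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (in_image(&mods[i], addr))
            return &mods[i];
    return NULL;
}

/* Store the indices of entries outside the kernel image in bad[]
 * (up to bad_cap) and return how many such entries exist in total. */
size_t audit_table(const uintptr_t *table, size_t count,
                   const struct module *kernel, size_t *bad, size_t bad_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (in_image(kernel, table[i]))
            continue;
        if (found < bad_cap)
            bad[found] = i;
        found++;
    }
    return found;
}

/* Constructed sample data: entries 2 and 4 have been redirected. */
const struct module sample_mods[] = {
    { "kernel_image",    0x80400000u, 0x200000 },
    { "third_party.sys", 0xF8A00000u, 0x8000   },
};
const uintptr_t sample_table[] = {
    0x80456780u, 0x8049AB00u, 0xF8A01230u, 0x804C0040u, 0x00120000u,
};

int main(void)
{
    size_t bad[8];
    size_t n = audit_table(sample_table, 5, &sample_mods[0], bad, 8);
    for (size_t i = 0; i < n && i < 8; i++) {
        const struct module *m = owner_of(sample_mods, 2, sample_table[bad[i]]);
        printf("entry %zu -> %s\n", bad[i], m ? m->name : "(no loaded module)");
    }
    return 0;
}
```

An entry owned by no loaded module at all, such as entry 4 in the sample, usually deserves more attention than one pointing into a known driver.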