Contents

Build Automation 462

10.2 Kernel-Mode Shellcode 462

Project Settings: $(NTMAKEENV)\makefile.new 463

Project Settings: SOURCES 464

Address Resolution 465

Loading Kernel-Mode Shellcode 468

10.3 Special Weapons and Tactics 471

10.4 Looking Ahead 473

Chapter 11 Modifying Call Tables 475

11.1 Hooking in User Space: The IAT 478

DLL Basics 478

Accessing Exported Routines 480

Injecting a DLL 482

Walking an IAT from a PE File on Disk 487

Hooking the IAT 492

11.2 Call Tables in Kernel Space 496

11.3 Hooking the IDT 497

Handling Multiple Processors: Solution #1 499

Naked Routines 503

Issues with Hooking the IDT 506

11.4 Hooking Processor MSRs 507

Handling Multiple Processors: Solution #2 509

11.5 Hooking the SSDT 514

Disabling the WP Bit: Technique #1 515

Disabling the WP Bit: Technique #2 517

Hooking SSDT Entries 519

SSDT Example: Tracing System Calls 520

SSDT Example: Hiding a Process 523

SSDT Example: Hiding a Network Connection 529

11.6 Hooking IRP Handlers 530

11.7 Hooking the GDT: Installing a Call Gate 533

Ode to Dreg 542

11.8 Hooking Countermeasures 542

Checking for Kernel-Mode Hooks 543

Checking IA32_SYSENTER_EIP 546

Checking INT 0x2E 548

XIV