Hi, I have a question.
What is the lowest level I can program at in Windows using assembly? Is there any way to bypass SSDT syscalls? For example, if I want printf but want my own custom printf, can I somehow write directly to output?
Posts made by Master
RE: Executing malware on a Mac
@92jn8jdd have you tried going to your settings and setting “Anywhere”:
RE: MALWARE ANALYSIS RESOURCES//NOOBS READ FIRST
Hi, you should add this YouTube channel:
Also good content.
The Nt*/Zw* routines exported by NTDLL aren’t the real routines; they are just user-mode wrapper routines which perform a user-mode to kernel-mode transition via a system call.
MiVerifyImageHeader (NTOSKRNL) is called by MiCreateImageFileMap (NTOSKRNL). MiCreateImageFileMap is called by MiCreateNewSection and this routine is called by MiCreateImageOrDataSection, which is called by MiCreateSection… Which happens to be invoked by MmCreateSection. For the record, NtCreateSection calls MmCreateSection.
You cannot invoke any of these routines from user-mode, but you can call NtCreateSection/ZwCreateSection (NTDLL - Nt*/Zw* have the same address in user-mode) in user-mode, which will cause NtCreateSection (NTOSKRNL) to be called by the Windows Kernel once the system call operation is handled. Even from kernel-mode, where those Mm* and Mi* routines are present in the address space of NTOSKRNL, you cannot simply call the ones listed because they are not exported - the exception among the routines listed above is MmCreateSection, which does happen to be exported by NTOSKRNL.
If you need to call non-exported kernel-only routines then you would have to locate the address somehow. You’ll need to use memory scanning techniques, which will require you to make a signature - if the target address is exposed due to a reference then you can extract it from there as well.
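As an added illustration of the user-mode wrapper layout the reply describes (this is example code, not something from the original post): a small C decoder that recognises the well-known x64 NTDLL stub shape (mov r10,rcx / mov eax,imm32 / syscall) and recovers the system call number, or reports -1 when the entry bytes no longer look like an intact stub, which is the check a defender runs to verify that a loaded stub has not been overwritten. The stub bytes and the call number 0x4A are constructed for the demo, not copied from a real NTDLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode an x64 NTDLL-style system call stub laid out as:
 *   4C 8B D1           mov r10, rcx
 *   B8 imm32           mov eax, <system call number>
 *   ...                optional "test byte ptr [7FFE0308h],1 / jne" (Windows 10)
 *   0F 05              syscall
 * Returns the system call number, or -1 if the bytes do not form an intact
 * stub (for example when the prologue has been replaced by a relative jmp). */
int parse_syscall_stub(const uint8_t *code, size_t len)
{
    /* mov r10, rcx followed by mov eax, imm32 needs at least 8 bytes */
    if (len < 8 || code[0] != 0x4C || code[1] != 0x8B || code[2] != 0xD1 || code[3] != 0xB8)
        return -1;
    uint32_t num = (uint32_t)code[4] | ((uint32_t)code[5] << 8) |
                   ((uint32_t)code[6] << 16) | ((uint32_t)code[7] << 24);
    /* The syscall instruction must follow within a short window (24 bytes covers both layouts) */
    size_t limit = len < 24 ? len : 24;
    for (size_t i = 8; i + 1 < limit; i++)
        if (code[i] == 0x0F && code[i + 1] == 0x05)
            return (int)num;
    return -1;
}

/* Constructed sample bytes (assumed layout, not taken from a real NTDLL): a Windows 10
 * style stub with a made-up call number 0x4A, and a copy whose first five bytes were
 * overwritten with a jmp rel32, as an inline hook would leave them. */
static const uint8_t intact_stub[] = {
    0x4C,0x8B,0xD1, 0xB8,0x4A,0x00,0x00,0x00,     /* mov r10,rcx ; mov eax,0x4A */
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,      /* test byte ptr [7FFE0308h],1 */
    0x75,0x03,                                    /* jne +3 */
    0x0F,0x05, 0xC3,                              /* syscall ; ret */
    0xCD,0x2E, 0xC3                               /* int 2Eh ; ret */
};
static const uint8_t patched_stub[] = {
    0xE9,0x00,0x10,0x00,0x00, 0x00,0x00,0x00,     /* jmp rel32 replaced the prologue */
    0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
    0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3
};

int main(void)
{
    printf("intact stub  -> system call number %d\n", parse_syscall_stub(intact_stub, sizeof intact_stub));
    printf("patched stub -> %d (not an intact stub)\n", parse_syscall_stub(patched_stub, sizeof patched_stub));
    return 0;
}
```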