Getting the system calls by yourself

Of course you can get them from a website such as this one.

You can find them by disassembling the module where the function is located.

[Figure: Call Number. Disassembly of NtCreateProcessEx; notice that 30 (hex), the call number of NtCreateProcessEx, is moved into EAX.]

But you can code a program that will do that for you!

Let’s do that. In my example, only functions exported by “ntdll.dll” are going to work, but that can be changed really easily…

mov eax, 30h ; NtCreateProcessEx (call number)
mov edx, 7FFE0300h ; KUSER_SHARED_DATA.SystemCall, the pointer to the system call dispatcher stub
call dword ptr [edx] ; enter the kernel through that stub
retn 24h ; clean up the 0x24 bytes of arguments

Since we know that the call number is loaded into EAX, we first check for a “mov eax, imm32” instruction. Its opcode byte is 0xB8.

if ( *Function != 0xB8 ) /* first byte must be "mov eax, imm32" */
{
return FALSE;
}

Then we want to check for “mov edx, imm32”; its opcode byte is 0xBA.

if ( *(Function + 5) != 0xBA ) /* sixth byte must be "mov edx, imm32" */
{
return FALSE;
}

Now you can do additional checks, but this is enough. If you’re wondering why we used Function + 5: “mov eax, imm32” is 5 bytes long (the 0xB8 opcode followed by a 4-byte immediate), so in the listing above ZwCreateProcessEx is located at 7C90D769 and the mov edx instruction is at 7C90D76E, which is the function address + 5.
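The whole check put together, as an added example that is not the post’s downloadable source: it parses the 32-bit XP-style stub shown above and returns the call number, rejecting anything that does not look like a stub. Since the runner has no ntdll.dll, the stub bytes are hand-encoded from the listing above and labelled as constructed; on Windows the same function would be fed the pointer returned by GetProcAddress for the export you are interested in. The extra operand check against 7FFE0300h and the check for "call dword ptr [edx]" are the "additional checks" the post mentions, and the names get_syscall_number and parse_or_fail are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian 32-bit immediate (x86 stubs are little-endian). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Parse a 32-bit ntdll system call stub of the form
 *   B8 imm32   mov eax, <call number>
 *   BA imm32   mov edx, 7FFE0300h      (KUSER_SHARED_DATA.SystemCall)
 *   FF 12      call dword ptr [edx]
 * Returns 1 and stores the call number, or 0 if the bytes do not match.
 */
int get_syscall_number(const unsigned char *func, size_t len, uint32_t *callnum)
{
    if (func == NULL || callnum == NULL || len < 12)
        return 0;                                  /* too short to be a stub */
    if (func[0] != 0xB8)                           /* mov eax, imm32 */
        return 0;
    if (func[5] != 0xBA)                           /* mov edx, imm32 at +5 (mov eax,imm32 is 5 bytes) */
        return 0;
    if (read_le32(func + 6) != 0x7FFE0300u)        /* additional check: edx operand is the SystemCall slot */
        return 0;
    if (func[10] != 0xFF || func[11] != 0x12)      /* additional check: call dword ptr [edx] */
        return 0;
    *callnum = read_le32(func + 1);                /* the imm32 right after 0xB8 */
    return 1;
}

/* Convenience wrapper: the call number, or 0xFFFFFFFF when the bytes are not a stub. */
uint32_t parse_or_fail(const unsigned char *func, size_t len)
{
    uint32_t n;
    return get_syscall_number(func, len, &n) ? n : 0xFFFFFFFFu;
}

/* Constructed sample: the NtCreateProcessEx stub from the listing, encoded by hand. */
const unsigned char kNtCreateProcessExStub[] = {
    0xB8, 0x30, 0x00, 0x00, 0x00,   /* mov eax, 30h */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h */
    0xFF, 0x12,                     /* call dword ptr [edx] */
    0xC2, 0x24, 0x00                /* retn 24h */
};

/* Constructed sample of an export that is not a stub (ordinary function prologue). */
const unsigned char kNotAStub[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,   /* push ebp; mov ebp, esp; sub esp, 10h */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90    /* padding so the length check passes */
};

int main(void)
{
    uint32_t n;
    if (get_syscall_number(kNtCreateProcessExStub, sizeof kNtCreateProcessExStub, &n))
        printf("NtCreateProcessEx call number: 0x%X\n", n);
    if (!get_syscall_number(kNotAStub, sizeof kNotAStub, &n))
        printf("second sample is not a system call stub\n");
    return 0;
}
```

The length check matters when walking the export table on a real module: the last export can sit near the end of the code section, and reading 12 bytes past it would fault.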

Well the rest is simple, and doesn’t require any explanation. You can download the source code here. If you find any errors or bugs, please leave a comment. Thanks for visiting and reading.

Later.

2 Responses to “Getting the system calls by yourself”

  1. nog_lorp Says:

    “thats because NtCreateProcess is located at 7C90D769 ”
    Mistake, 7C90D769 is ZwCreateProcessEx, not NtCreateProcessEx :D

    Also, that table is incredibly useful! I’ve used that for a long time.

    One thing to note, if you want to do a system call directly using the SYSENTER operation, the stack has to be structured in kind of a weird way. The handler expects the first TWO dwords on the usermode stack to be return addresses, so you may need to push a bullshit dword as padding.

    ~nog_lorp

  2. unlmtd Says:

    I’ll correct it, thanks :D
