
I was looking in my spare time at ntdll.dll with IDA.

I used to use NtAccessCheckAndAuditAlarm/NtDisplayString to code egghunters in order to parse memory and check whether or not I can read the memory of a PE.

But it works in older versions of Windows, not anymore on Win 10.

At this time, I use Win 10 and I figured out that NtAccessCheckAndAuditAlarm and NtDisplayString don't exist anymore, but are replaced with ZwAccessCheckAndAuditAlarm and ZwDisplayString (which are kernel functions).

So I was wondering when the change took place.

And so, whether there are other functions in user mode to replace those 2, because I don't want to write kernel code.

Thanks

ginko
  • Your question is unclear – RbMm Feb 11 '20 at 11:51
  • Ok, I will modify my post to make it clearer – ginko Feb 11 '20 at 11:52
  • *At this time, I use Win 10 and I figured out that NtAccessCheckAndAuditAlarm and NtDisplayString don't exist anymore, but are replaced with ZwAccessCheckAndAuditAlarm and ZwDisplayString (which are kernel functions)* - ??? All this is wrong – RbMm Feb 11 '20 at 12:02
  • Ok, thank you for this relevant comment ^^ and for teaching me something. But indeed, I misread the documentation: https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/using-nt-and-zw-versions-of-the-native-system-services-routines So I guess I answered my own question. – ginko Feb 11 '20 at 12:06
  • In user mode there is no difference between Zw and Nt functions. These 2 names point to the same. And then it is unclear what you are trying to do – RbMm Feb 11 '20 at 12:10

0 Answers