
I am currently planning on hooking some ntdll's exported functions to monitor them. I would like this idea to work on every sub-version of Windows 10 and 11.

On every computer I checked, the exported functions that got my interest were defined as:

mov eax, functionID
mov edx, ptr_to_ntdll_wow64Transition
call edx
ret {} ; number of bytes to pop out
; followed by a NOP after the ret

The functions being defined that way all have the same length: 18 bytes (excluding the NOP). That means I could hook at the beginning, by replacing mov eax, functionID by a jmp, do my stuff and then apply the 18 copied bytes. But for this, I need ntdll's exported functions to be stable enough across Windows versions; does anyone have experience with it?

Thank you in advance

Peter Cordes
Nox
  • https://github.com/microsoft/Detours – Hans Passant Mar 01 '23 at 18:08
  • There is **no** guarantee that the [implementation details of WOW64](https://wbenny.github.io/2018/11/04/wow64-internals.html#leaving-32-bit-mode) remain stable AFAIK. However, you can check if the function is made of the instructions pattern you posted and back off if not. After all, it's just four instructions. – Margaret Bloom Mar 01 '23 at 18:46
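
One way to apply the "check the pattern and back off if not" advice from the last comment before a monitoring hook touches anything, written here as an added example and not code from the question or the comments: it decodes the four-instruction stub described in the question and reports a mismatch instead of patching. It assumes the `mov edx` is encoded either as `mov edx, imm32` (opcode BA) or `mov edx, [disp32]` (8B 15), accepts `ret imm16` or a plain `ret`, measures the stub length from the bytes rather than assuming a fixed 18, and uses constructed sample byte strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of a WOW64 syscall stub; ok == 0 means "pattern not matched, back off". */
typedef struct {
    int      ok;
    uint32_t function_id;   /* imm32 of mov eax: the service number */
    uint32_t edx_operand;   /* imm32 (BA) or disp32 (8B 15) of mov edx */
    int      edx_indirect;  /* 1 if mov edx,[disp32]; 0 if mov edx,imm32 */
    uint16_t stack_bytes;   /* operand of ret imm16; 0 for plain ret */
    size_t   length;        /* bytes from mov eax through ret, measured, not assumed */
} stub_info;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate that 'code' (with 'avail' readable bytes) starts with the expected stub pattern. */
stub_info check_wow64_stub(const uint8_t *code, size_t avail) {
    stub_info r; size_t i = 0;
    memset(&r, 0, sizeof r);
    if (avail < i + 5 || code[i] != 0xB8) return r;                        /* mov eax, imm32 */
    r.function_id = le32(code + i + 1); i += 5;
    if (avail >= i + 5 && code[i] == 0xBA) {                               /* mov edx, imm32 */
        r.edx_operand = le32(code + i + 1); i += 5;
    } else if (avail >= i + 6 && code[i] == 0x8B && code[i + 1] == 0x15) { /* mov edx, [disp32] */
        r.edx_operand = le32(code + i + 2); r.edx_indirect = 1; i += 6;
    } else return r;
    if (avail < i + 2 || code[i] != 0xFF || code[i + 1] != 0xD2) return r; /* call edx */
    i += 2;
    if (avail >= i + 3 && code[i] == 0xC2) {                               /* ret imm16 */
        r.stack_bytes = (uint16_t)(code[i + 1] | (code[i + 2] << 8)); i += 3;
    } else if (avail >= i + 1 && code[i] == 0xC3) {                        /* ret */
        i += 1;
    } else return r;
    r.length = i; r.ok = 1;
    return r;
}

/* Constructed sample: mov eax,33h; mov edx,[11223344h]; call edx; ret 18h; nop */
static const uint8_t sample_stub[] = { 0xB8,0x33,0,0,0, 0x8B,0x15,0x44,0x33,0x22,0x11,
                                       0xFF,0xD2, 0xC2,0x18,0x00, 0x90 };
/* Constructed sample that must be rejected: it starts with jmp rel32, i.e. something already patched it. */
static const uint8_t patched_stub[] = { 0xE9,0x10,0x20,0x30,0x40, 0x8B,0x15,0x44,0x33,0x22,0x11,
                                        0xFF,0xD2, 0xC2,0x18,0x00, 0x90 };
int main(void) {
    stub_info s = check_wow64_stub(sample_stub, sizeof sample_stub);
    printf("ok=%d id=0x%X len=%zu ret=%u\n", s.ok, s.function_id, s.length, s.stack_bytes);
    printf("patched ok=%d\n", check_wow64_stub(patched_stub, sizeof patched_stub).ok);
}
```

Only the bytes the decoder actually consumed (`length`) are worth copying to a trampoline, and a version that fails the check should be left untouched and logged rather than hooked blindly.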

0 Answers