Dr. Dobb's Journal January 1997: Windows NT System-Call Hooking

Windows NT System-Call Hooking

By Mark Russinovich and Bryce Cogswell

Dr. Dobb's Journal January 1997

ZwCreateFile:
  mov eax, 17h     ; system call number
  lea edx, [esp+4] ; pointer to params
  int 2Eh          ; NT x86 syscall trap
  ret 2Ch          ; pop params

Example 1: ZwCreateFile disassembly.

Back to Article