How to locate original SSDT
Posted: Mon Nov 07, 2011 2:22 pm
Hi,
Assuming that the SDT has been hooked, e.g. for ZwClose.
Is it possible from kernel land to locate the original NtClose syscall?
I understand that MmGetSystemRoutineAddress() is not enough here since not all Nt* API calls are exported - is that right?
Thank you
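Before resolving where a hooked entry originally pointed, a defender first needs to know which entries are hooked at all. The standard integrity check used by anti-rootkit tools is to decode every service table entry and test whether the resulting address lies inside ntoskrnl's image; anything outside it is suspect. The following is an added example, not code from the post: it is portable C operating on constructed table data rather than a kernel driver, so the table contents, the kernel image base and size, and the x64 encoding assumption (Windows 7 and later store each entry as a signed offset from the table shifted left by four bits, with the argument count in the low bits) are all supplied inline. In a real driver the table pointer would come from KeServiceDescriptorTable and the image range from module enumeration; those lookups are outside this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of one service descriptor table plus the kernel image it should
 * point into. Field names are this example's own, not ntoskrnl's. */
typedef struct {
    const uint32_t *entries;    /* raw table words (x86: pointers; x64: encoded offsets) */
    size_t          count;      /* number of services in the table */
    uint64_t        table_base; /* VA of the table itself (used only for x64 decoding) */
    int             is_x64;
} ssdt_model_t;

typedef struct {
    uint64_t base;   /* ntoskrnl image base */
    uint64_t size;   /* ntoskrnl SizeOfImage */
} kernel_image_t;

/* x64 (Windows 7 and later, assumed layout): each 32-bit entry is a signed
 * offset from the table start shifted left by 4; the low 4 bits hold the
 * count of in-stack arguments. Arithmetic shift keeps negative offsets. */
static uint64_t ssdt_target_x64(uint64_t table_base, uint32_t entry)
{
    int64_t rel = (int64_t)(int32_t)entry >> 4;
    return table_base + (uint64_t)rel;
}

/* x86: each entry is the absolute address of the Nt* routine. */
static uint64_t ssdt_target_x86(uint32_t entry)
{
    return entry;
}

static uint64_t ssdt_target(const ssdt_model_t *t, size_t i)
{
    return t->is_x64 ? ssdt_target_x64(t->table_base, t->entries[i])
                     : ssdt_target_x86(t->entries[i]);
}

/* Flag every service whose decoded target does not fall inside the kernel
 * image; a hooked entry typically points into a third-party driver instead.
 * Returns the number of flagged entries and sets flags[i] = 1 for each. */
size_t ssdt_find_suspect_entries(const ssdt_model_t *t, kernel_image_t k, uint8_t *flags)
{
    size_t n = 0;
    for (size_t i = 0; i < t->count; i++) {
        uint64_t va = ssdt_target(t, i);
        int inside = va >= k.base && va < k.base + k.size;
        flags[i] = inside ? 0 : 1;
        if (!inside) {
            printf("service %zu -> %#llx is outside ntoskrnl [%#llx, %#llx)\n",
                   i, (unsigned long long)va, (unsigned long long)k.base,
                   (unsigned long long)(k.base + k.size));
            n++;
        }
    }
    return n;
}

/* Constructed x86 sample: kernel at 0x80400000 (2 MiB); entry 2 has been
 * redirected to 0xF8A01234, an address in driver space. */
size_t sample_x86(void)
{
    static const uint32_t table[] = { 0x80401000u, 0x80402000u, 0xF8A01234u, 0x80403000u };
    ssdt_model_t t = { table, 4, 0, 0 };
    kernel_image_t k = { 0x80400000ULL, 0x200000ULL };
    uint8_t flags[4];
    return ssdt_find_suspect_entries(&t, k, flags);
}

/* Constructed x64 sample: kernel at 0xFFFFF80001000000 (6 MiB), table 1 MiB
 * in; entry 1 is a legitimate negative offset, entry 3 lands past the image. */
size_t sample_x64(void)
{
    static const uint32_t table[] = { 0x00012340u, 0xFF800000u, 0x00050000u, 0x06000000u };
    ssdt_model_t t = { table, 4, 0xFFFFF80001100000ULL, 1 };
    kernel_image_t k = { 0xFFFFF80001000000ULL, 0x600000ULL };
    uint8_t flags[4];
    return ssdt_find_suspect_entries(&t, k, flags);
}

int main(void)
{
    printf("x86 suspect entries: %zu\n", sample_x86());
    printf("x64 suspect entries: %zu\n", sample_x64());
    return 0;
}
```

The range test is deliberately coarse: it catches entries pointing into another module but not an inline patch placed at the start of a routine that still lives inside ntoskrnl, so tools usually pair it with a comparison of the first bytes of each routine against the on-disk image.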