A tracker DLL that enables 'NTAPI->Syscall' tracking whenever it is loaded. It calls the 'NtSetInformationProcess' API with a callback hook and the 'ProcessInstrumentationCallback' class. Once this is executed, every time an NTAPI->Syscall is called, before returning from the kernel to the return address of the syscall, the kernel jumps to the userland callback hook ('hookedCallback'). One thing I noticed when this hook was executed was that the 'R10' register contains the original return address of the syscall. And since every syscall return address (in Windows 10) is 0x14 bytes away from the actual NTAPI instruction, I can just subtract and find the NTAPI pointer. Once I have this, I can walk through the Export Address Table (EAT) of 'ntdll.dll' to find which API was called by doing an ordinal comparison.
A detailed blog post on this can be found at bruteratel.com.
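The return-address-to-API lookup described above, as an added example that is not this project's own code. It redeclares the export directory layout so it builds without `<windows.h>`, and it runs against a small constructed image instead of a mapped 'ntdll.dll'; `resolve_syscall`, `build_image` and the RVAs are assumptions made for illustration, and locating the export directory through the PE headers is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SYSCALL_RET_OFFSET 0x14 /* stub start -> syscall return address (Windows 10, per the text) */
/* Same field layout as IMAGE_EXPORT_DIRECTORY, redeclared so this builds without <windows.h>. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, sizeof v); return v; }

/* Map the return address seen in R10 to the name of the export whose stub issued the syscall. */
const char *resolve_syscall(const uint8_t *base, uint32_t dir_rva, const uint8_t *ret_addr) {
    ExportDir d;
    memcpy(&d, base + dir_rva, sizeof d);
    if (ret_addr < base + SYSCALL_RET_OFFSET) return NULL;
    uint32_t stub_rva = (uint32_t)(ret_addr - SYSCALL_RET_OFFSET - base);
    for (uint32_t i = 0; i < d.NumberOfNames; i++) {
        uint16_t ord = rd16(base + d.AddressOfNameOrdinals + 2 * i); /* name index -> function index */
        if (ord >= d.NumberOfFunctions) continue;                    /* skip malformed entries */
        if (rd32(base + d.AddressOfFunctions + 4 * ord) == stub_rva)
            return (const char *)(base + rd32(base + d.AddressOfNames + 4 * i));
    }
    return NULL; /* return address is not 0x14 past any named export */
}

/* Constructed stand-in for a mapped image: export directory at RVA 0x10, stubs at 0x100 and 0x120. */
static uint8_t image[0x200];
const uint8_t *build_image(void) {
    ExportDir d = {0};
    uint32_t funcs[2] = {0x120, 0x100}, names[2] = {0x70, 0x80};
    uint16_t ords[2] = {1, 0}; /* names are sorted; each entry indexes into funcs[] */
    d.NumberOfFunctions = d.NumberOfNames = 2;
    d.AddressOfFunctions = 0x40; d.AddressOfNames = 0x50; d.AddressOfNameOrdinals = 0x60;
    memcpy(image + 0x10, &d, sizeof d);
    memcpy(image + 0x40, funcs, sizeof funcs);
    memcpy(image + 0x50, names, sizeof names);
    memcpy(image + 0x60, ords, sizeof ords);
    strcpy((char *)image + 0x70, "NtClose");
    strcpy((char *)image + 0x80, "NtOpenFile");
    return image;
}

int main(void) {
    const uint8_t *b = build_image();
    puts(resolve_syscall(b, 0x10, b + 0x120 + SYSCALL_RET_OFFSET));
    return 0;
}
```

In a real 'ntdll.dll' the Nt* and Zw* names export the same stub, so this loop returns whichever of the two comes first in the name table.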