
I am creating a sandboxing program and trying to hook every single system call a process makes. So far in my program I am using inline hooking and Win32 functions, and the scope of my hooks is Win32 C++ functions and C# functions (such as CreateFileA, socket.send, etc.). However, I am trying to increase the scope of my project by intercepting every system call a process makes.

When I first started researching it I encountered the KiFastSystemCall function in ntdll.dll, for example in this article explaining how to hook it. But as you might have noticed, it is written in the article:

KiFastSystemCall hooking only works on x86 systems and doesn’t work on Windows 8 or above

So if anyone is aware of a new method of hooking every system call a process makes, I'd appreciate it a lot.

  • There's a **lot** of Windows system calls. Why would you want to do this? Search the internet for "Windows API Charles Petzold" for a good book about the Windows API. – Thomas Matthews Oct 25 '22 at 19:34
  • @ThomasMatthews The Win32 API is two layers above the system call interface. I wonder how learning about the Win32 API helps in solving the problem of hooking system calls into the kernel. Mind to expand on that? – IInspectable Oct 25 '22 at 21:04
  • @IInspectable: The Win32 API will give an idea of the multitude of APIs available and perhaps which ones to hook into. I don't know of any source that lists only the system and kernel calls. – Thomas Matthews Oct 25 '22 at 22:16
  • That doesn't make sense. Clearly the OP is trying to get as close to the kernel boundary as possible, and ideally have a *single* function hooked that dispatches **all** calls into the kernel. Knowing how many Win32 APIs there are isn't part of the solution to that problem. – IInspectable Oct 26 '22 at 07:30
  • @IInspectable you are correct, there are thousands of functions and I want to be able to hook the entry point to the kernel (where the system call is being made) and by that hook every function that opens a file, sends a packet, etc. – Omer Cohen Oct 27 '22 at 13:50

0 Answers