I'm currently porting FreeFixer to the Windows 7 platform. Luckily, the different flavors of Windows do not differ that much from one release to the next, so most of the unit tests passed without any changes to the existing code.
There's one piece of code that needed an update though, and it's the rootkit detection plugin, which in its current state detects hidden processes. This plugin uses the Windows Native API. The Native API is incompletely documented and is used internally by the Windows NT family of operating systems (NT, XP, 2000, Vista, Win7, etc). FreeFixer calls the Native API by putting the system call index in the eax register and then executing sysenter or int 2Eh, depending on the platform. By using this procedure, FreeFixer can bypass some of the rootkit hooking techniques that hide running processes.
There is one problem though: the system call index numbers have changed from release to release, and Windows 7 was no exception, so the code needed an update. The following lists some of the index numbers for the Windows 7 platform:
NtQuerySystemInformation = 0x106
NtQueryInformationProcess = 0xe4
NtReadVirtualMemory = 0x105
NtOpenProcess = 0xbf
Hope this helps if you are porting your Native API calls to Windows 7.
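Since the indexes have to be re-derived for every release, the practical question when porting is how to read the current value out of ntdll's own export stubs instead of hard-coding it. The following is an added example, not FreeFixer code: it decodes the "mov eax, imm32" that opens an unmodified stub (with the x64 "mov r10, rcx" prefix handled as well) and refuses to return an index when the stub's first instruction has been replaced by a jmp, which is what a user-mode hook looks like and is exactly the case where a hard-coded index table would keep working while the call is being intercepted. The stub byte arrays are constructed for this example and are not copied from any real ntdll.dll; the immediates are the Windows 7 values listed above, and the x64-layout sample reuses the NtOpenProcess value only to exercise the prefix path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not FreeFixer code). Assumed stub layouts:
 *   32-bit:  B8 imm32        mov eax, <index>
 *   x64:     4C 8B D1        mov r10, rcx
 *            B8 imm32        mov eax, <index>
 * A stub that starts with a jmp has been redirected and yields no index.
 */

/* Returns 1 if the first instruction is a jmp (rel8, rel32 or indirect). */
int stub_is_patched(const uint8_t *stub, size_t len)
{
    if (len >= 1 && (stub[0] == 0xE9 || stub[0] == 0xEB))   /* jmp rel32 / jmp rel8 */
        return 1;
    if (len >= 2 && stub[0] == 0xFF && stub[1] == 0x25)     /* jmp [disp32] / [rip+disp32] */
        return 1;
    return 0;
}

/* Returns the index encoded in "mov eax, imm32", or -1 when the bytes do not
 * match either expected layout (patched, truncated or unknown stub). */
int syscall_index_from_stub(const uint8_t *stub, size_t len)
{
    size_t off = 0;

    if (stub_is_patched(stub, len))
        return -1;
    if (len >= 3 && stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1)
        off = 3;                                    /* skip mov r10, rcx (x64) */
    if (len < off + 5 || stub[off] != 0xB8)
        return -1;

    uint32_t imm = ((uint32_t)stub[off + 1])
                 | ((uint32_t)stub[off + 2] << 8)
                 | ((uint32_t)stub[off + 3] << 16)
                 | ((uint32_t)stub[off + 4] << 24);
    return imm > 0x7FFFFFFFu ? -1 : (int)imm;
}

/* Constructed sample stubs (not real ntdll bytes) carrying the Win7 values. */
static const uint8_t stub32_NtOpenProcess[] = {
    0xB8, 0xBF, 0x00, 0x00, 0x00,   /* mov eax, 0xBF */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* mov edx, 7FFE0300h (shared SystemCall pointer) */
    0xFF, 0x12,                     /* call [edx]: sysenter or int 2Eh thunk */
    0xC2, 0x10, 0x00                /* ret 10h */
};
static const uint8_t stub32_NtQuerySystemInformation[] = {
    0xB8, 0x06, 0x01, 0x00, 0x00,   /* mov eax, 0x106 */
    0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x10, 0x00
};
static const uint8_t stub32_NtQueryInformationProcess[] = {
    0xB8, 0xE4, 0x00, 0x00, 0x00,   /* mov eax, 0xE4 */
    0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x10, 0x00
};
static const uint8_t stub32_NtReadVirtualMemory[] = {
    0xB8, 0x05, 0x01, 0x00, 0x00,   /* mov eax, 0x105 */
    0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x14, 0x00
};
static const uint8_t stub64_NtOpenProcess[] = {
    0x4C, 0x8B, 0xD1,               /* mov r10, rcx */
    0xB8, 0xBF, 0x00, 0x00, 0x00,   /* mov eax, 0xBF (32-bit value reused for the sample) */
    0x0F, 0x05,                     /* syscall */
    0xC3                            /* ret */
};
static const uint8_t stub32_hooked[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,   /* jmp +0x1000: first instruction replaced by a hook */
    0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12, 0xC2, 0x10, 0x00
};

int main(void)
{
    const struct { const char *name; const uint8_t *stub; size_t len; } samples[] = {
        { "NtQuerySystemInformation",  stub32_NtQuerySystemInformation,  sizeof stub32_NtQuerySystemInformation },
        { "NtQueryInformationProcess", stub32_NtQueryInformationProcess, sizeof stub32_NtQueryInformationProcess },
        { "NtReadVirtualMemory",       stub32_NtReadVirtualMemory,       sizeof stub32_NtReadVirtualMemory },
        { "NtOpenProcess",             stub32_NtOpenProcess,             sizeof stub32_NtOpenProcess },
        { "NtOpenProcess (x64 layout)", stub64_NtOpenProcess,            sizeof stub64_NtOpenProcess },
        { "NtOpenProcess (hooked)",    stub32_hooked,                    sizeof stub32_hooked },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int idx = syscall_index_from_stub(samples[i].stub, samples[i].len);
        if (idx < 0)
            printf("%-28s  no index (stub patched or unrecognised)\n", samples[i].name);
        else
            printf("%-28s  0x%x\n", samples[i].name, idx);
    }
    return 0;
}
```

On a live system the bytes would come from the export's address in the loaded ntdll or from a copy of the file on disk; comparing the two is a cheap way to notice that the in-memory stub has been patched, and the -1 result should be treated as a finding rather than silently falling back to a hard-coded value.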
List of Win7 beta syscall indexes: http://www.openrce.org/blog/view/1342/Windows_7_syscall_list
However, RC added some APIs, so we have to wait for a new list ;). Or you can use this tool: http://www.codeproject.com/KB/system/lookup.aspx
# 8 May 2009, 3:34
I just want to tell you thanks for FreeFixer, it sure has helped me get viruses out and fast. Happy user, Ray
# 12 Apr 2010, 22:38
xpk7 writes