23 April 2009

Porting Native API calls to Windows 7

I'm currently porting FreeFixer to the Windows 7 platform. Luckily, the different flavors of Windows do not differ that much from one release to the next, so most of the unit tests passed without any changes to the existing code.

There's one piece of code that needed an update though: the rootkit detection plugin, which in its current state detects hidden processes. This plugin uses the Windows Native API. The Native API is incompletely documented and is used internally by the Windows NT family of operating systems (NT, XP, 2000, Vista, Win7, etc). FreeFixer calls the Native API by putting the system call index in the eax register and then executing sysenter or int 2Eh, depending on the platform. By issuing the system call itself instead of calling the corresponding ntdll.dll export, FreeFixer bypasses some of the rootkit hooking techniques that hide running processes, namely user-mode hooks placed on those exports. A hook that sits in the kernel, such as a modified system service table, is still on the path and is not defeated by this.

There is one problem though: the system call index numbers have changed from release to release, and Windows 7 was no exception, so the code needed an update. The following lists some of the index numbers for the Windows 7 platform (32-bit x86, which is the build the eax/sysenter/int 2Eh calling sequence above targets):

NtQuerySystemInformation  = 0x106
NtQueryInformationProcess = 0xe4
NtReadVirtualMemory       = 0x105
NtOpenProcess             = 0xbf
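The following is an added example, not FreeFixer's code, showing the pieces that make up a direct Native API call of the kind described above: reading the index out of an ntdll.dll export stub (and refusing to trust a stub whose first instruction has been overwritten by a hook), emitting a private x86 trampoline that puts the index in eax and issues int 2Eh, and falling back to a per-release table like the one above when the stub is hooked. It assumes the native 32-bit ntdll stub layout `mov eax, imm32 / mov edx, 7FFE0300h / call [edx] / ret n` and the standard x86 encodings; the function names, the status enums and the stub bytes in `main` are constructed for the demo. Everything except the final kernel transition is portable C, so it builds and runs on any host.

```c
/* Added example, not FreeFixer's code. Direct Native API calls on native
 * 32-bit Windows, broken into host-testable pieces:
 *  1. extract_syscall_index: read the index from an ntdll export stub,
 *     refusing when the stub no longer starts with "mov eax, imm32".
 *  2. build_int2e_trampoline: emit a private stub (index in eax, int 2Eh)
 *     so the possibly hooked ntdll export is never executed.
 *  3. resolve_syscall: prefer the index read from ntdll, fall back to a
 *     per-release table when the stub is hooked.
 * Stub bytes here are constructed; on a real system read them from
 * GetProcAddress(GetModuleHandleA("ntdll.dll"), name). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum stub_status { STUB_OK, STUB_TOO_SHORT, STUB_HOOKED, STUB_UNKNOWN };

/* Native x86 ntdll stub on NT 5.x/6.x:
 *   B8 imm32        mov  eax, <index>
 *   BA 00 03 FE 7F  mov  edx, 7FFE0300h ; SharedUserData->SystemCall
 *   FF 12           call [edx]          ; KiFastSystemCall (sysenter) or KiIntSystemCall (int 2Eh)
 *   C2 nn 00        ret  4*argc                                               */
int extract_syscall_index(const uint8_t *stub, size_t len, uint32_t *index_out)
{
    static const uint8_t mov_edx_shared[5] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F };
    if (len < 10)
        return STUB_TOO_SHORT;
    if (stub[0] != 0xB8)                 /* E9/EB jmp, 68..C3 push/ret, CC int3: detoured */
        return STUB_HOOKED;
    if (memcmp(stub + 5, mov_edx_shared, 5) != 0)
        return STUB_UNKNOWN;             /* another layout, e.g. the WOW64 stub on x64 Windows */
    *index_out = (uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
                 (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24;
    return STUB_OK;
}

#define TRAMPOLINE_SIZE 14

/* Emits  mov eax, index / lea edx, [esp+4] / int 2Eh / ret 4*argc.
 * For int 2Eh the kernel reads the arguments through edx, so edx must point at
 * the caller's first stack argument; ret n pops them as stdcall requires.
 * Bypasses user-mode hooks on the ntdll export only, not kernel (SSDT) hooks,
 * and is valid for native 32-bit Windows only. Returns bytes written, 0 on error. */
size_t build_int2e_trampoline(uint32_t index, unsigned argc, uint8_t out[TRAMPOLINE_SIZE])
{
    unsigned pop = argc * 4;
    if (argc > 0x3FFF) return 0;                                  /* ret takes imm16 */
    out[0] = 0xB8;
    out[1] = (uint8_t)index;         out[2] = (uint8_t)(index >> 8);
    out[3] = (uint8_t)(index >> 16); out[4] = (uint8_t)(index >> 24);
    out[5] = 0x8D; out[6] = 0x54; out[7] = 0x24; out[8] = 0x04;   /* lea edx, [esp+4] */
    out[9] = 0xCD; out[10] = 0x2E;                                /* int 2Eh */
    out[11] = 0xC2; out[12] = (uint8_t)pop; out[13] = (uint8_t)(pop >> 8); /* ret imm16 */
    return TRAMPOLINE_SIZE;
}

/* The Windows 7 (x86) indexes listed in the post, kept as a fallback. */
struct syscall_entry { const char *name; uint32_t index; };
static const struct syscall_entry win7_table[] = {
    { "NtQuerySystemInformation",  0x106 },
    { "NtQueryInformationProcess", 0xe4  },
    { "NtReadVirtualMemory",       0x105 },
    { "NtOpenProcess",             0xbf  },
};

static const struct syscall_entry *table_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof win7_table / sizeof win7_table[0]; i++)
        if (strcmp(win7_table[i].name, name) == 0) return &win7_table[i];
    return NULL;
}

enum resolve_result { RESOLVED_FROM_STUB, RESOLVED_MISMATCH, RESOLVED_FROM_TABLE, RESOLVE_FAILED };

/* ntdll's own stub is authoritative for the running build; the table only
 * covers the case where the stub is hooked and its bytes cannot be trusted.
 * A clean stub that disagrees with the table means the table is for another
 * build and needs updating (the index from ntdll is still the one used). */
int resolve_syscall(const char *name, unsigned argc, const uint8_t *stub, size_t len,
                    uint8_t tramp[TRAMPOLINE_SIZE], uint32_t *index_used)
{
    const struct syscall_entry *e = table_lookup(name);
    uint32_t idx = 0;
    int result;
    if (extract_syscall_index(stub, len, &idx) == STUB_OK)
        result = (e && e->index != idx) ? RESOLVED_MISMATCH : RESOLVED_FROM_STUB;
    else if (e) { idx = e->index; result = RESOLVED_FROM_TABLE; }
    else return RESOLVE_FAILED;
    *index_used = idx;
    return build_int2e_trampoline(idx, argc, tramp) ? result : RESOLVE_FAILED;
}

int main(void)
{
    /* Constructed: a clean Win7 x86 NtOpenProcess stub (index 0xbf) and the same
       stub after an inline hook replaced its first instruction with a JMP. */
    const uint8_t clean[]  = { 0xB8,0xBF,0,0,0, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x10,0x00 };
    const uint8_t hooked[] = { 0xE9,0x11,0x22,0x33,0x44, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12, 0xC2,0x10,0x00 };
    uint8_t tramp[TRAMPOLINE_SIZE];
    uint32_t idx;
    int r = resolve_syscall("NtOpenProcess", 4, clean, sizeof clean, tramp, &idx);
    printf("clean stub : result %d, index 0x%x\n", r, idx);
    r = resolve_syscall("NtOpenProcess", 4, hooked, sizeof hooked, tramp, &idx);
    printf("hooked stub: result %d, index 0x%x (taken from table)\ntrampoline : ", r, idx);
    for (size_t i = 0; i < TRAMPOLINE_SIZE; i++) printf("%02X ", tramp[i]);
    printf("\n");
    return 0;
}
```

The trampoline bytes would be copied into executable memory and invoked through a function pointer with the NtXxx prototype on a 32-bit Windows machine; the parsing and the table fallback are the parts that keep working when Microsoft ships a build with new indexes, and the hooked-stub check is what tells you the export is no longer safe to read.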

Hope this helps if you are porting your Native API calls to Windows 7.

Comments

xpk7 writes

4 thumbs

List of Win7 beta syscall indexes: http://www.openrce.org/blog/view/1342/Windows_7_syscall_list
However, RC added some APIs, so we have to wait for a new list ;). Or you can use this tool: http://www.codeproject.com/KB/system/lookup.aspx

# 8 May 2009, 3:34

Emre TINAZTEPE writes

2 thumbs

That will really help me, Roger :) Thanks

# 26 Jan 2010, 2:11

ray writes

1 thumb

I just want to tell you thanks for FreeFixer. It sure has helped me get viruses out, and fast. Happy user, Ray

# 12 Apr 2010, 22:38

Roger Karlsson writes

0 thumbs

Hello,

In case anyone is looking for the syscall indexes for Windows 8:

NtQuerySystemInformation = 0x94
NtQueryInformationProcess = 0xaf
NtReadVirtualMemory = 0x82
NtOpenProcess = 0xdc

These are valid for the current Windows 8 Developer Preview, but may change in future releases.

# 3 Oct 2011, 1:27
