I'm currently porting FreeFixer for the Windows 7 platform. Luckily the different flavors of Windows does not differ that much from one release to another, so most of the unit tests worked without any changes to the existing code.
There's one piece of code
that needed an update though, and it's the rootkit detection
plugin, which in its current state detects hidden processes.
This plugin uses the
Windows Native API.
The Native API is incompletely documented and used internally by the
Windows NT operating systems (NT, XP, 2000, Vista, Win7, etc).
FreeFixer calls the Native API by putting the system calls index in the
and then using
int 2Eh depending on the platform.
By using this procedure, FreeFixer can bypass some of the rootkit hooking
techniques that hide running processes.
There is one problem though, the system call index numbers have changed from release to release, and Windows 7 was not exception, so the code needed an update. The following lists some of the index numbers for the Windows 7 platform:
NtQuerySystemInformation = 0x106 NtQueryInformationProcess = 0xe4 NtReadVirtualMemory = 0x105 NtOpenProcess = 0xbf
Hope this helps if you are porting your Native API calls to Windows 7.