[sn0w]

hi.
need to call some of win32k apis in kernel. lets talk about NtUserGetForegroundWindow.
getting index from user32 GetForegroundWindow stub.

what is the right choice? pFn = shadowtable[fIdx] / int / syscall?
if i'm understanding right - there is no way to call it through syscall, but int should be possible. am i right?

[EP_X0FF]

Hello,

let first make some things clear:

1) You want to use some of win32k user/gdi routines in your driver?
2) Your are running your driver in ...? XP, Vista+, x86 or x64 Windows?
3) Why do you want to use additional instructions in driver to call function by pointer?
4) Are you aware that system may perform several checks for several conditions inside NtGdi/NtUser routines (such as previous mode checking, GUI process checking etc)?
5) Why do you need this approach?

Kind Regards.

[sn0w]

1) yep
2) lets assume i'm running it under win xp x86 where no kernel memory protection and ssdt pointers is absolute
3) i'm just interested in different approaches
4) sure, moreover i can disassemble this routine to determine whether it does or not
5) you can consider it as my academic interest

[EP_X0FF]

Attach to GUI process in your driver and call win32k routine.
Kaspersky 6 source is full of examples.

Note that starting from Windows 8 there is special restriction, see EPROCESS->Flags2.DisallowWin32kSystemCalls. Also note this.

[sn0w]

thanks.

[rinn]

Hello,

OP must be dealing with case when there is no pointer to routine and OP is tried to call it through syscall just like in UM. Whole idea sounds doesn't good for me and as for drivers usage if you really want to call win32k, better locate shadow table and retrieve routine pointer from it, then cast it as pointer to function and call within gui process context.

Best Regards,
-rin