The code at 7FFE0300 that this function calls is essentially a call to the
NTDLL API KiFastSystemCall, which is just a generic interface for calling
into the kernel. Notice that you have this function's name because, even
though Defender copied the entire code section, the code explicitly referenced
this function by address. Here is the code for KiFastSystemCall; it's just
two lines.
7C90EB8B MOV EDX,ESP
7C90EB8D SYSENTER
Effectively, all KiFastSystemCall does is invoke the SYSENTER instruction.
The SYSENTER instruction performs a kernel-mode switch, which means
that the program executes a system call. It should be noted that this would all
be slightly different under Windows 2000 or older systems, because Microsoft
changed its system calling mechanism after Windows 2000 (in Windows
2000 and older, system calls were made using an INT 2E instruction). Windows XP,
Windows Server 2003, and certainly newer operating systems such as the system
currently code-named Longhorn all employ the new system call mechanism. If
you're debugging under an older OS and you're seeing something slightly
different at this point, that's to be expected.
You're now running into somewhat of a problem. You obviously can't step
into SYSENTER because you're using a user-mode debugger. This means that
it would be very difficult to determine which system call the program is trying
to make! You have several options.
■ Switch to a kernel debugger, if one is available, and step into the system
call to find out what Defender is doing.
■ Go back to the checksum/RVA table from before and pick up the RVA
for the current system call—this would hopefully be the same RVA as in
the NTDLL.DLL export directory. You can then do a DUMPBIN on
NTDLL and determine which API it is you're looking at.
■ Find which system call this is by its order in the exports list. The
checksum/RVA table has apparently maintained the same order for the
exports as in the original NTDLL export directory. Knowing the index
of the call being made, you could look at the NTDLL export directory
and try to determine which system call this is.
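The second and third options above both boil down to matching the RVA (or export index) of the stub Defender calls against NTDLL's export directory, and each Nt* export on Windows XP/2003 is a fixed 15-byte stub that loads the system call number into EAX and then calls through the pointer at 7FFE0300 (the KiFastSystemCall dispatch shown above). The following is an added example, not code from the book or from Defender: it decodes such a stub, confirms it really dispatches through 7FFE0300, and resolves a target RVA against a constructed, ordered export list (the names, RVAs and numbers are illustrative placeholders, not values from any real NTDLL build).

```python
import struct

# Address of SharedUserData.SystemCallStub on 32-bit XP/2003; this is the
# pointer through which the stubs reach KiFastSystemCall (and thus SYSENTER).
SYSTEM_CALL_STUB_PTR = 0x7FFE0300


def decode_xp_syscall_stub(stub: bytes):
    """Decode a 32-bit Windows XP/2003 ntdll system-call stub.

    Expected layout of every Nt*/Zw* export on those systems:
        B8 imm32        mov eax, <system call number>
        BA 00 03 FE 7F  mov edx, 7FFE0300h      ; &SharedUserData.SystemCallStub
        FF 12           call dword ptr [edx]    ; -> KiFastSystemCall -> SYSENTER
        C2 imm16        ret <bytes of arguments>
    Returns (syscall_number, argument_bytes), or None if the bytes do not
    match (for example a stub that has been overwritten with a jump to a hook,
    which is exactly the kind of tampering a defender wants flagged).
    """
    if len(stub) < 15 or stub[0] != 0xB8 or stub[5] != 0xBA:
        return None
    number, = struct.unpack_from("<I", stub, 1)
    edx_value, = struct.unpack_from("<I", stub, 6)
    if edx_value != SYSTEM_CALL_STUB_PTR or stub[10:12] != b"\xff\x12" or stub[12] != 0xC2:
        return None
    arg_bytes, = struct.unpack_from("<H", stub, 13)
    return number, arg_bytes


def identify_call(target_rva: int, exports):
    """Resolve the RVA the program calls against an ordered export list
    (name, rva, stub_bytes), returning the export's name, its index in the
    list and the decoded system call number / argument size."""
    for index, (name, rva, stub) in enumerate(exports):
        if rva == target_rva:
            decoded = decode_xp_syscall_stub(stub)
            return {"name": name, "export_index": index,
                    "syscall": decoded[0] if decoded else None,
                    "arg_bytes": decoded[1] if decoded else None,
                    "arg_count": decoded[1] // 4 if decoded else None}
    return None


def make_stub(number: int, arg_bytes: int) -> bytes:
    """Build a well-formed XP-style stub; used only to construct sample data."""
    return (b"\xb8" + struct.pack("<I", number) + b"\xba"
            + struct.pack("<I", SYSTEM_CALL_STUB_PTR) + b"\xff\x12"
            + b"\xc2" + struct.pack("<H", arg_bytes))


# Constructed sample export table: placeholder names/RVAs/numbers, in the
# same order one would read from the export directory (cf. the third option).
SAMPLE_EXPORTS = [
    ("NtAllocateVirtualMemory", 0x1000, make_stub(0x11, 0x18)),
    ("NtCreateFile", 0x1010, make_stub(0x25, 0x2C)),
    ("NtHookedExample", 0x1020, b"\xe9" + b"\x00" * 14),  # patched stub: jmp rel32
]
```

Running `identify_call(0x1010, SAMPLE_EXPORTS)` yields NtCreateFile at export index 1 with system call number 0x25 and 11 stack arguments, while the patched entry resolves by name but decodes to no system call number, which is the signal that the stub no longer goes through 7FFE0300.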
In this case, I think it would be best to go for the kernel debugger option,
and I will be using NuMega SoftICE because it is the easiest to install and
doesn’t require two computers. If you don’t have a copy of SoftICE and are
unable to install WinDbg due to hardware constraints, I’d recommend that
you go through one of the other options I’ve suggested. It would probably be
easiest to use the function’s RVA. In any case, I’d recommend that you get set
394 Chapter 11