While disassembling some code in Windows XP, I found the following:

mov eax, 0x00001225
mov edx, 0x7FFE0300
call edx

in 0x7FFE0300:

mov edx, esp

EAX is the Service ID, right?
But I don't know the service ID # 1225!

I appreciate any help.
Posted on 2003-12-01 06:16:58 by Opcode
I found the answer by myself.

The eax = 0x1225 is the function NtUserUnhookWindowsHookEx.

For (0x1000 <= eax <= 0x2000), the Service ID is mapped in Win32k.sys.

The SetWindowsHookExA function in user32.dll calls the NtUserSetWindowsHookEx in
the KeServiceDescriptorTableShadow by the SYSENTER instruction.

I hope someone finds this useful someday. :alright:
Posted on 2003-12-01 13:26:55 by Opcode
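
The split described in the thread, as an added example that is not part of the original posts: it scans a byte buffer for the stub quoted in the first post (mov eax, imm32 / mov edx, 0x7FFE0300 / call edx) and decodes each service number into a table selector and an index. The function names and the sample buffer are constructed for illustration, and the bit layout (bits 12-13 for the table, bits 0-11 for the index) is the 32-bit NT convention assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded system service number (the value loaded into EAX). */
struct svc { uint32_t number; unsigned table; unsigned index; };

/* Bits 12-13 select the service table (0 = ntoskrnl, 1 = win32k.sys via the
   shadow table); bits 0-11 index into that table. */
static struct svc decode_service(uint32_t eax) {
    struct svc s = { eax, (eax >> 12) & 0x3, eax & 0xFFF };
    return s;
}

/* Find every "B8 imm32 / BA 00 03 FE 7F / FF D2" stub, i.e.
   mov eax, imm32 / mov edx, 0x7FFE0300 / call edx, and decode imm32.
   Writes at most max results to out and returns the number written. */
static size_t find_syscall_stubs(const uint8_t *buf, size_t len,
                                 struct svc *out, size_t max) {
    static const uint8_t tail[] = { 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0xD2 };
    size_t n = 0;
    for (size_t i = 0; i + 5 + sizeof tail <= len && n < max; i++) {
        if (buf[i] != 0xB8 || memcmp(buf + i + 5, tail, sizeof tail) != 0)
            continue;
        uint32_t imm = (uint32_t)buf[i + 1] | (uint32_t)buf[i + 2] << 8 |
                       (uint32_t)buf[i + 3] << 16 | (uint32_t)buf[i + 4] << 24;
        out[n++] = decode_service(imm);
        i += 5 + sizeof tail - 1; /* continue after the matched stub */
    }
    return n;
}

/* Constructed sample: the stub from the post, filler bytes, then a second
   stub with a made-up service number below 0x1000. */
static const uint8_t sample[] = {
    0xB8, 0x25, 0x12, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0xD2,
    0xC2, 0x04, 0x00, 0x90,
    0xB8, 0x74, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0xD2,
};

int main(void) {
    struct svc f[8];
    size_t n = find_syscall_stubs(sample, sizeof sample, f, 8);
    for (size_t i = 0; i < n; i++)
        printf("eax=0x%04X table=%u index=0x%03X\n",
               (unsigned)f[i].number, f[i].table, f[i].index);
    return 0;
}
```

For 0x1225 this gives table 1, index 0x225, which matches the 0x1000 range the second post attributes to Win32k.sys; which function sits at a given index depends on the Windows build.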