Need some help with undocumented Windows system calls

I'm starting on a project to write a very simple user-space execution blocker, kind of like a stripped down version of SRP. I'm mostly doing this for learning/personal use/comedic value. The idea is to block system calls that could be used to launch a foreign process, or to modify another existing process, e.g. CreateRemoteThread().

(This being EXE blocking, and from userspace at that, the usual warnings about advanced malware obviously apply.)

Anyway, the problem I've run into is that there are a ton of undocumented functions that are exported to userspace - NtCreateProcess() and its friends, and probably many more. For my blocker to be remotely useful in practice, these will have to be covered.

Does there exist any unofficial guide to the undocumented side of Windows?

Failing that, where can I find the relevant header files, and where in them should I look for the relevant functions?

 

Welcome to the wonderful world of Windows. No clue if something like that exists, unfortunately. Haven't touched it myself.

If you find out, let me know.

 

Ah darn, I figured you might know.

Off to do more research then...

Edit: one way to do this apparently (that doesn't involve assembly language) is to use Dependency Walker on ntdll.dll. No documentation that way though, hope the names are obvious... I'll set up Vista and see what's what I guess.

 

Thank you Ronjor. Also, in case anyone is interested, here is a link I just found to Mark Russinovich's guide to the Native API:

http://netcode.cz/img/83/nativeapi.html

Not sure if that's complete but it looks pretty good!

Edit: wow, nowhere near complete. Dependency Walker lists 1902 functions.

BTW is there a way to search functions by name in Dependency Walker?

 

Hmm. Just realized that the "don't let the browser execute anything" wouldn't work too well against current ITW malware droppers, which typically use Java. Browser loads Java plugin DLL, JVM executes the nasty -> EXE blocking measures are bypassed (unless you disallow JVM from executing binaries).

I will probably keep working on this anyway, but keep in mind that the finished product will be more a toy than a tool. Meanwhile I will also look into better methods.

Edit: the more I look into this, the more it looks flat-out irresponsible to use user-mode hooking for security purposes, disclaimer or no disclaimer. Not sure I should continue with this project.