Are ntdll's exported functions the same whatever the version?


I am currently planning on hooking some of ntdll's exported functions to monitor them. I would like this idea to work on every sub-version of Windows 10 and 11.

On every computer I checked, the exported functions that got my interest were defined as:

mov eax, functionID
mov edx, ptr_to_ntdll_wow64Transition
call edx
ret {} ; number of bytes to pop out
; followed by a NOP after the ret

The functions defined that way all have the same length: 18 bytes (excluding the NOP). That means I could hook at the beginning by replacing mov eax, functionID with a jmp, do my stuff and then apply the 18 copied bytes. But for this, I need ntdll's exported functions to be stable enough across Windows versions. Does anyone have experience with it?

Thank you in advance
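A check a monitoring tool should run before patching anything, added here as an example (it is not code from the question): a small C decoder that verifies the first bytes of an exported function really have the mov eax / mov edx / call edx / ret imm16 shape described above, extracts the service number and the return-operand, and otherwise reports why the shape was rejected (for instance when the function already begins with a jmp because another hook got there first). The byte encodings assumed are the standard x86 ones (B8 imm32, BA imm32, FF D2, C2 imm16); the sample bytes are constructed for the example and not copied from any ntdll build, and the prologue length is computed from the decoded instructions rather than assumed, so it need not equal the 18 bytes measured on the asker's machines.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding the prologue of a WOW64 ntdll export. */
typedef struct {
    int      matches;       /* 1 if the bytes have the expected stub shape */
    uint32_t syscall_id;    /* immediate loaded into eax (the service number) */
    uint32_t transition;    /* immediate loaded into edx (call target) */
    uint16_t ret_bytes;     /* operand of "ret imm16": bytes popped on return */
    size_t   prologue_len;  /* bytes from "mov eax" through "ret" inclusive */
    const char *reason;     /* "ok", or why the shape was rejected */
} stub_info;

/* Little-endian immediate readers (no unaligned access, no signed shifts). */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Decode the expected sequence:
 *   B8 imm32   mov eax, imm32
 *   BA imm32   mov edx, imm32
 *   FF D2      call edx
 *   C2 imm16   ret imm16
 * Anything else is reported with a reason instead of being patched blindly. */
stub_info inspect_stub(const uint8_t *code, size_t len)
{
    stub_info r = {0, 0, 0, 0, 0, "ok"};
    size_t off = 0;

    if (len < 15) { r.reason = "buffer shorter than a full stub"; return r; }
    if (code[0] == 0xE9 || code[0] == 0xEB) {
        r.reason = "starts with jmp: already hooked or not a syscall stub";
        return r;
    }
    if (code[off] != 0xB8) { r.reason = "expected mov eax, imm32"; return r; }
    r.syscall_id = rd32(code + off + 1);
    off += 5;

    if (code[off] != 0xBA) { r.reason = "expected mov edx, imm32"; return r; }
    r.transition = rd32(code + off + 1);
    off += 5;

    if (code[off] != 0xFF || code[off + 1] != 0xD2) {
        r.reason = "expected call edx";
        return r;
    }
    off += 2;

    if (code[off] != 0xC2) { r.reason = "expected ret imm16"; return r; }
    r.ret_bytes = rd16(code + off + 1);
    off += 3;

    r.prologue_len = off;
    r.matches = 1;
    return r;
}

/* Constructed sample bytes for this example (not copied from any ntdll build):
 * mov eax, 0x18 ; mov edx, 0x77A03C40 ; call edx ; ret 4 ; nop */
const uint8_t SAMPLE_STUB[] = {
    0xB8, 0x18, 0x00, 0x00, 0x00,
    0xBA, 0x40, 0x3C, 0xA0, 0x77,
    0xFF, 0xD2,
    0xC2, 0x04, 0x00,
    0x90
};
const size_t SAMPLE_STUB_LEN = sizeof SAMPLE_STUB;

/* The same constructed function after its first 5 bytes were replaced
 * by a jmp rel32, as a previously installed hook would leave it. */
const uint8_t SAMPLE_HOOKED[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,
    0xBA, 0x40, 0x3C, 0xA0, 0x77,
    0xFF, 0xD2,
    0xC2, 0x04, 0x00,
    0x90
};
const size_t SAMPLE_HOOKED_LEN = sizeof SAMPLE_HOOKED;

int main(void)
{
    stub_info a = inspect_stub(SAMPLE_STUB, SAMPLE_STUB_LEN);
    stub_info b = inspect_stub(SAMPLE_HOOKED, SAMPLE_HOOKED_LEN);
    printf("stub: %s, id=0x%X, edx=0x%08X, ret %u, prologue %zu bytes\n",
           a.reason, a.syscall_id, a.transition, a.ret_bytes, a.prologue_len);
    printf("hooked: %s\n", b.reason);
    return 0;
}
```

The shape matters for the relocation step as much as for the patch: the four instructions use only immediates and a register-indirect call, so the copied prologue contains nothing EIP-relative and can be re-executed from a trampoline without fixups. A build whose stub differs (a memory-indirect mov edx, a different return sequence, or a function another product has already patched) fails the check and is skipped rather than corrupted.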
