I've lately been digging into how NT user-mode API calls, as well as system calls into the kernel, can be patched. This began as idle curiosity about system integrity checks, but has evolved into full-blown awe at the detailed analyses of these subjects that are available out on the web.
Yes - some of the documentation was written by, and for, bad people such as rootkit writers. But some of it was clearly not, and reading it has reminded me of a few things.
1. After many years of writing code for the OS, there are still lots of things I don't know about it. That's nice and humbling.
2. Picking a technical topic and trying to learn as much about it as possible via the web (can you say Google-driven learning?) is really fun and beneficial.
3. As a corollary to #2, there's an amazing amount of 'free' info available online on arcane technical topics.
4. I almost self-suppressed this post, since I hesitated to commit an act that might be viewed by others as contributing to the propagation of information frequently associated with nefarious purposes. But then I remembered that, since the bad guys already know way more about this stuff than what I've referenced below, the best thing I can do is help the good guys learn.
So, anyway, here are some interesting links.
http://www.summitsoftconsulting.com/NtSystemCalls.htm
http://www.sysinternals.com/Information/NativeApi.html
http://www.internals.com/articles/apispy/apispy.htm
http://groups.google.com/group/microsoft.public.windbg/msg/dfe809e4eaf122d8
http://www.phrack.org/phrack/55/P55-05