SSDT Hooking help! x64 Systems?

Hi,
I understand hooking the SSDT on x86 systems;
now how do I do that on x64?
Please help!
So what's an alternative?
closed account (13bSLyTq)
You may need to actually use functions to protect your process. A very powerful function to use to protect your process is ObRegisterCallbacks.

The real problem here is loading the kernel driver on x64. As I expect this project to be non-commercial, it is not likely that the driver or the application will have a digital certificate. Therefore it is safe to say it will be some time until you can find a trick to bypass PatchGuard to load a rogue driver. There is no standard method to perform these sorts of bypasses, even with administrative elevation.

A few malware families such as TDL4 and Carberp bypassed PatchGuard and managed to load their driver onto the Windows NT kernel. These tricks always involved some level of MBR/VBR-level interaction to "switch off" the kernel protection module.

Now, with that in mind, Microsoft was reluctant to fix (change) PatchGuard to protect against similar variants of the malware. It would be highly unlikely that you could exploit PatchGuard again, even with heavy optimization of the MBR and kernel land by AVs (e.g. McAfee). It is pretty straightforward that without multiple years or a century of exploit development, there is a < 1% chance of you finding a bypass methodology in the near future.

Anti-virus software such as Avast does not even load kernel drivers; in fact it sticks with userland, with x64 libraries, to safeguard against malware.

Hope this helped
Okay,
thanks a lot!
Now I'm done with protecting processes;
what I'm doing now is working out how to block websites by hooking
HttpSendRequestW.
Now, the problem is: how do I create a global hook?
Hooking HttpSendRequestW for the purpose of blocking websites is useless, unless the user uses Internet Explorer.
closed account (13bSLyTq)
The best "technique" to use here is NDIS filter drivers. As for usermode techniques, not much is left I suppose; I guess LSP detours should do it.
@Modoran:
What API do Google Chrome/Opera/Firefox use?
@OrionMaster: I love user mode!
closed account (13bSLyTq)
I think you should rather worry about how to get your code into the process space rather than thinking about detouring.
I can inject using DLL injection,
GL
closed account (13bSLyTq)
Are you sure you injected into Google Chrome yet? Google Chrome, last time I checked, could block almost 100% of all injection methods.
Okay,
TRUE.
But how will I inject then?
How do AVs do that?
GL
For this kind of task (intercepting network traffic), either use a driver like WinPcap or detour socket APIs like send().

http://www.winpcap.org/
@OrionMaster:
Look at this hooking code.
Will this work on x64 systems?
http://spth.virii.lu/rrlf7/sources/Panzuriel/Panzuriel.cpp
GL
I know you didn't ask me, but I'm a bit suspicious about the byte alignment in the "HookGeneralFunction()" function. You can find out the real value for things like this at runtime, so the fact that the author chose to hardcode these values brings their actual understanding of this code into question. That's just my humble opinion, though.
closed account (13bSLyTq)
No, I am not helping anymore, keeping in mind you are going all over virus code websites. I am sorry; I need justification.
@OrionMaster:
To assure you I'm not making any malware, you can accept/reject this statement:
as I told you earlier, I'm not mad,
or a bad guy who writes viruses.
I will never do that,
and if I made you angry
with my question or wasted your time, I'm sorry.

Regards, my friend,
WinPgmer777
GL