ShadowSSDT win10

Out
Posts: 3
Joined: Mon Nov 27, 2017 8:30 am

ShadowSSDT win10

Post by Out » Mon Nov 27, 2017 8:36 am

Hello. Can someone give me tips on what can be wrong?
Win10 x64, PG disabled.
I want to hook the ShadowSSDT.
So, I obtain the ShadowSSDT table address (that's OK).
Then, attaching to csrss (a GUI process), I place a cave hook on the function that I need (this also seems to be OK: no BSODs, and the new bytes exist).
My problem: after the hook is placed, it seems not to work; I can't catch any calls to this function (with the SSDT it's OK, I have the problem only with the ShadowSSDT).

Is the hook not installed properly? Or does something else happen there?

Vrtule
Posts: 455
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: ShadowSSDT win10

Post by Vrtule » Mon Nov 27, 2017 9:22 am

On what SSDT entry did you install the hook? How do you test whether it is invoked or not?

Out
Posts: 3
Joined: Mon Nov 27, 2017 8:30 am

Re: ShadowSSDT win10

Post by Out » Mon Nov 27, 2017 10:50 am

I'm testing it with NtUserBuildHwndList and NtUserFindWindowEx (indexes from http://j00ru.vexillium.org/syscalls/win32k/64/).
Testing with a user-mode app that calls EnumWindows and FindWindowA.

Out
Posts: 3
Joined: Mon Nov 27, 2017 8:30 am

Re: ShadowSSDT win10

Post by Out » Mon Nov 27, 2017 11:03 am

Never mind, it seems I found a fix.
Instead of using csrss as the "GUI" process, I tried using another process (one that I launch myself). And in this case the hooks work globally.
But it's strange why it doesn't work with csrss.

It seems like it will work only if the user name of the GUI process is not SYSTEM but the currently logged-in user.
Or each user in the system has its own ShadowSSDT table.
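Editor's note, with an added example that is not code from any poster in this thread. Two things in the discussion are worth pinning down with code: how a syscall number selects the shadow (win32k) table, and how an x64 service table entry encodes its target. On x64, both the SSDT and the win32k shadow table hold 32-bit values, not pointers: the entry is the routine's offset from the table base shifted left by 4, with the low 4 bits holding the count of stack arguments, and KiSystemCall64 recovers the target with a sign-extending load, `sar 4`, and an add to the table base. That leaves a signed 28-bit offset, so a routine outside ±128 MiB of the table (a hook living in your own driver, typically) cannot be written into the entry at all, which is the reason for the code cave inside win32k that the original poster uses. The block below is user-mode C that models that encoding on a constructed buffer; the `SERVICE_TABLE_DESCRIPTOR` layout is assumed to mirror the kernel's `KSERVICE_TABLE_DESCRIPTOR`, and `g_image`, the offsets and the function names are all constructed for the demo.

```c
/* Added example (not from the thread): model of x64 service table entries
 * and of the syscall-number split used by KiSystemCall64.  Runs in user mode
 * on a constructed buffer; no kernel access involved. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed to mirror nt!KSERVICE_TABLE_DESCRIPTOR.  KeServiceDescriptorTableShadow
 * is an array of two of these: [0] = ntoskrnl SSDT, [1] = win32k shadow table. */
typedef struct _SERVICE_TABLE_DESCRIPTOR {
    uint32_t *Base;    /* x64: array of 32-bit encoded offsets, not pointers   */
    uint32_t *Count;   /* optional per-service call counters                    */
    uint32_t  Limit;   /* number of entries                                     */
    uint8_t  *Number;  /* argument-byte table                                   */
} SERVICE_TABLE_DESCRIPTOR;

/* ntdll/win32u stubs load the syscall number into EAX.  Bit 12 selects the
 * shadow (win32k) table; the low 12 bits are the index into that table. */
int SyscallTableIndex(uint32_t number)     { return (int)((number >> 12) & 1u); }
uint32_t SyscallEntryIndex(uint32_t number) { return number & 0xFFFu; }

/* Decode entry `index` the way the kernel does: movsxd, sar 4, add table base.
 * Returns 0 for an out-of-range index. */
uintptr_t ResolveServiceX64(const SERVICE_TABLE_DESCRIPTOR *t, uint32_t index,
                            unsigned *stack_args)
{
    if (index >= t->Limit) return 0;
    int32_t raw = (int32_t)t->Base[index];
    if (stack_args) *stack_args = (unsigned)(raw & 0xF);
    /* raw >> 4 relies on arithmetic shift, exactly like the kernel's sar. */
    return (uintptr_t)t->Base + (uintptr_t)(intptr_t)(raw >> 4);
}

/* The offset field is 28 bits signed: targets outside +/-128 MiB of the table
 * base cannot be expressed.  This is why a hook in your own driver image
 * cannot simply be written into the entry, and a cave inside win32k is used. */
int CanEncodeX64(uintptr_t table_base, uintptr_t routine)
{
    int64_t delta = (int64_t)routine - (int64_t)table_base;
    return delta >= -(INT64_C(1) << 27) && delta < (INT64_C(1) << 27);
}

/* Inverse of ResolveServiceX64; caller must have checked CanEncodeX64. */
uint32_t EncodeServiceX64(uintptr_t table_base, uintptr_t routine, unsigned stack_args)
{
    int64_t delta = (int64_t)routine - (int64_t)table_base;
    return ((uint32_t)(int32_t)delta << 4) | (stack_args & 0xFu);
}

/* Constructed stand-in for a win32k image: 16 KiB, table at byte offset 0x2000. */
static uint32_t g_image[0x1000];

/* Round-trips two entries (one target before, one after the table), checks the
 * range guard, and shows that a target 1 GiB away is not encodable. */
int DemoRoundTrip(void)
{
    uint32_t *table = g_image + 0x800;                       /* byte offset 0x2000 */
    uintptr_t base      = (uintptr_t)table;
    uintptr_t fn_before = (uintptr_t)((uint8_t *)g_image + 0x0100);  /* negative offset */
    uintptr_t fn_after  = (uintptr_t)((uint8_t *)g_image + 0x3F00);  /* positive offset */

    if (!CanEncodeX64(base, fn_before) || !CanEncodeX64(base, fn_after)) return 0;
    table[0] = EncodeServiceX64(base, fn_before, 3);   /* 3 stack args */
    table[1] = EncodeServiceX64(base, fn_after, 0);

    SERVICE_TABLE_DESCRIPTOR t = { table, NULL, 2, NULL };
    unsigned args = 99;
    if (ResolveServiceX64(&t, 0, &args) != fn_before || args != 3) return 0;
    if (ResolveServiceX64(&t, 1, &args) != fn_after  || args != 0) return 0;
    if (ResolveServiceX64(&t, 2, &args) != 0) return 0;   /* index >= Limit */

    /* A driver-resident hook 1 GiB away cannot be pointed to directly. */
    if (CanEncodeX64(base, base + (INT64_C(1) << 30))) return 0;
    return 1;
}

int main(void)
{
    printf("syscall 0x1234 -> table %d, index 0x%X\n",
           SyscallTableIndex(0x1234), SyscallEntryIndex(0x1234));
    printf("round trip: %s\n", DemoRoundTrip() ? "ok" : "FAILED");
    return DemoRoundTrip() ? 0 : 1;
}
```

Two practical checks follow from this. First, a syscall number from the j00ru tables that has bit 12 set is an index into descriptor [1] of KeServiceDescriptorTableShadow, not into the SSDT, so index mix-ups between the two tables are easy to rule out. Second, whatever you write into the entry (or patch at the cave) lives in win32k, which is a session-space driver; the process you attach to determines which session's mapping you are touching, so a patch made through a csrss from a different session than your test application is a plausible reason for a hook that "works" but never fires, which matches the thread's observation that attaching to the poster's own interactive process fixed it.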
