How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

pointer
Posts: 6
Joined: Fri Jun 15, 2018 4:45 pm

How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

Post by pointer » Fri Jan 25, 2019 4:23 pm

I have already seen several questions/answers on some forums saying that it is not possible to write to any SSDT table on Windows x64; here are some:

* Hook ZwTerminateProcess in x64 Driver (Without SSDT)

* Is there a kernel-mode callback for LdrLoadDll?

* Kernel Patch Protection

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

In other places I have seen that a "bypasser" for KPP is used; here is one:

* What is PatchGuard?

So, based on these different versions of the facts, what do antivirus software developers really do to write to the SSDT tables on Win x64 successfully, without being blocked by KPP? How are they really able to do this?

I think this is a question that many kernel developers want to know: how this truly happens. :)

Thx :D

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

Post by EP_X0FF » Sat Jan 26, 2019 3:40 am

Ring0 - the source of inspiration

pointer
Posts: 6
Joined: Fri Jun 15, 2018 4:45 pm

Re: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

Post by pointer » Sat Jan 26, 2019 5:39 am

Today I saw that Kaspersky Antivirus still hooks the SSSDT (Shadow Table) on Windows x64.

Tested: Kaspersky Total Security 2018
Environment: Windows 7 Ultimate x64

How is this possible? Is it a special bypass, or did Microsoft simply create an exception so they can do this?

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

Post by EP_X0FF » Sun Jan 27, 2019 2:40 pm

PatchGuard in Win7 doesn't check some areas. As far as I remember, inline hooking of the win32k table was used by Sandboxie before. Microsoft closed this in Win8. http://www.kernelmode.info/forum/viewto ... =14&t=2416

As for your links:

1) https://stackoverflow.com/questions/205 ... thout-ssdt
Answer is ObRegisterCallbacks.

2) https://stackoverflow.com/questions/256 ... ldrloaddll
Answer posted in that thread.

Everything else is useless spam.
Ring0 - the source of inspiration
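The ObRegisterCallbacks route EP_X0FF points to for the first link works by filtering the access mask of handles opened to a process, not by patching any dispatch table, which is why it survives KPP. Below is an added example (not code from the thread, from Kaspersky, or from Sandboxie) of the decision logic such a pre-operation callback implements: it strips PROCESS_TERMINATE and the memory-write/suspend rights from any user-mode handle opened or duplicated to a protected PID. So that it builds with a plain C compiler, the PRE_OP_INFO struct is a reduced stand-in for the WDK's OB_PRE_OPERATION_INFORMATION, and the PIDs are plain fields instead of PsGetProcessId((PEPROCESS)Object) and PsGetCurrentProcessId(); the constant values, the OB_OPERATION_* codes and OB_PREOP_SUCCESS match the WDK. The protected PID 4242 and caller PID 1000 are constructed sample values.

```c
/* Added example: access-mask filtering as done by an ObRegisterCallbacks
 * pre-operation callback. Not from the original thread. The structs below
 * are a reduced stand-in for the WDK's OB_PRE_OPERATION_INFORMATION so the
 * file compiles without the WDK; a real driver includes <ntddk.h>, fills an
 * OB_CALLBACK_REGISTRATION (PsProcessType, an altitude, this callback),
 * calls ObRegisterCallbacks(), is linked with /INTEGRITYCHECK, and calls
 * ObUnRegisterCallbacks() on unload. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Process access rights (same values as in the Windows SDK). */
#define PROCESS_TERMINATE                  0x0001u
#define PROCESS_VM_OPERATION               0x0008u
#define PROCESS_VM_WRITE                   0x0020u
#define PROCESS_SUSPEND_RESUME             0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION  0x1000u

/* Rights removed from any user-mode handle opened to the protected process. */
#define DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_VM_OPERATION | \
                       PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)

/* OB_OPERATION values and the OB_PREOP_SUCCESS status, as in the WDK. */
#define OB_OPERATION_HANDLE_CREATE     0x00000001
#define OB_OPERATION_HANDLE_DUPLICATE  0x00000002
#define OB_PREOP_SUCCESS               0

typedef struct {
    ACCESS_MASK DesiredAccess;          /* the callback may modify this */
    ACCESS_MASK OriginalDesiredAccess;  /* read-only copy of the request */
} HANDLE_PARAMS;

/* Stand-in for OB_PRE_OPERATION_INFORMATION (reduced, not the WDK layout). */
typedef struct {
    int           Operation;     /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE */
    bool          KernelHandle;  /* OB_FLAG_KERNEL_HANDLE set in Flags */
    uint32_t      TargetPid;     /* process the handle is being opened to */
    uint32_t      CallerPid;     /* process requesting the handle */
    HANDLE_PARAMS Parameters;
} PRE_OP_INFO;

/* PID of the process being protected; 0 means nothing is protected. */
static uint32_t g_protected_pid = 0;

void set_protected_pid(uint32_t pid) { g_protected_pid = pid; }

/* The pre-operation callback. It never fails the open (a pre-op callback
 * must return OB_PREOP_SUCCESS); instead it clears the dangerous rights so
 * the handle the caller gets back is useless for TerminateProcess,
 * WriteProcessMemory or NtSuspendProcess. */
int pre_operation_callback(PRE_OP_INFO *info)
{
    if (info->KernelHandle)                      /* never touch kernel opens */
        return OB_PREOP_SUCCESS;
    if (g_protected_pid == 0 || info->TargetPid != g_protected_pid)
        return OB_PREOP_SUCCESS;                 /* not the protected process */
    if (info->CallerPid == g_protected_pid)      /* a process may open itself */
        return OB_PREOP_SUCCESS;
    if (info->Operation == OB_OPERATION_HANDLE_CREATE ||
        info->Operation == OB_OPERATION_HANDLE_DUPLICATE)
        info->Parameters.DesiredAccess &= ~DENIED_RIGHTS;
    return OB_PREOP_SUCCESS;
}

/* Push one simulated open through the callback and return the access mask
 * the caller would actually be granted. */
ACCESS_MASK filter_open(uint32_t target_pid, uint32_t caller_pid,
                        ACCESS_MASK desired, bool kernel_handle, int operation)
{
    PRE_OP_INFO info = {
        .Operation    = operation,
        .KernelHandle = kernel_handle,
        .TargetPid    = target_pid,
        .CallerPid    = caller_pid,
        .Parameters   = { desired, desired },
    };
    pre_operation_callback(&info);
    return info.Parameters.DesiredAccess;
}

int main(void)
{
    set_protected_pid(4242);   /* constructed sample PID */
    ACCESS_MASK want = PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION;
    ACCESS_MASK got  = filter_open(4242, 1000, want, false,
                                   OB_OPERATION_HANDLE_CREATE);
    printf("requested 0x%04x, granted 0x%04x\n", (unsigned)want, (unsigned)got);
    return 0;
}
```

Two caveats a practitioner should keep in mind: the callback only sees opens and duplicates that happen after registration, so a handle taken to the process before the driver loaded keeps its full rights, and stripping rights from DesiredAccess is all a pre-op callback can do; it cannot fail the request, so a caller that asks for PROCESS_QUERY_LIMITED_INFORMATION still gets that.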

pointer
Posts: 6
Joined: Fri Jun 15, 2018 4:45 pm

Re: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

Post by pointer » Sun Jan 27, 2019 6:33 pm

EP_X0FF wrote:
Sun Jan 27, 2019 2:40 pm
PatchGuard in Win7 doesn't check some areas. As far as I remember, inline hooking of the win32k table was used by Sandboxie before. Microsoft closed this in Win8. http://www.kernelmode.info/forum/viewto ... =14&t=2416

As for your links:

1) https://stackoverflow.com/questions/205 ... thout-ssdt
Answer is ObRegisterCallbacks.

2) https://stackoverflow.com/questions/256 ... ldrloaddll
Answer posted in that thread.

Everything else is useless spam.
@EP_X0FF, thank you for pointing me in a logical and true direction. Doubt solved! :D
