A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #33167  by tangptr
 Wed Aug 21, 2019 4:11 pm
sscalzo wrote: Thu Jul 11, 2019 3:10 pm
tangptr wrote:You may hook MSR-LSTAR (ecx=0xC0000082) and hide your hook using hardware-accelerated virtualization (Intel VT-x or AMD-V).
Microsoft's Kernel Virtual Address Shadow (KVAS) feature was introduced awhile ago as a mitigation for the Meltdown vulnerability which was affecting various CPUs. As a result of KVAS, you'll need your system call handler to be mapped to the shadow page tables, otherwise it's not going to work - this used to be easy with the MmCreateShadowMapping kernel API but Microsoft changed things late 2018.

https://revers.engineering/syscall-hook ... ster-efer/
I think in some circumstances, this would be unnecessary. For example, if you want to hook NtOpenProcess for process protection, then you just compare eax (index in ssdt), and the [r9] (PID). If PID is protected, then set rdx to zero, (No Access Rights) and continue the original syscall handler.