[Depoly]

hi
whats about ZoneAlarm ring0 Hook Driver on x64 systems with PatchGuard? !

is this software uses ssdt hooks on x64 windows? or use any other method to api hooking ?

thx all.

[EP_X0FF]

Hello,

Commercial software should avoid using API hooking.
x64 versions of protection software MUST use documented ways - callbacks and filters.

Regards.

[Depoly]

thx EP_X0FF ;)

do you know what is all filters avalaible in 64bit windows? file filter, reg filter,.... ?

and all callbacks like? CreateProcessNotifyRoutine ,....?

"Commercial software should avoid using API hooking."

but ZoneAlarm in 32bit version uses ssdt hooks !
it can detect many api uses in apps , like OpenProcess api

but how it can detect OpenProcess api in 64bit windows without hooking?
just with callbacks,filters? !

i need all callbacks,filters available in windows x64

thx all.

[a_d_13]

Hello,

Here is a list of callback routines with links to MSDN:

• PsSetCreateProcessNotifyRoutine (Process creation / termination)
• PsSetCreateProcessNotifyRoutineEx (Process creation / termination)
• PsSetCreateThreadNotifyRoutine (Thread creation / termination)
• PsSetLoadImageNotifyRoutine (DLL/SYS/EXE image loading)
• ObRegisterCallbacks (Process/Thread handle creation or duplication)
• CmRegisterCallback (Registry operations)
• CmRegisterCallbackEx (Registry operations)
• FltRegisterFilter (File-system minifilter)

Here's more callbacks that are not useful for filtering like AV, but still callbacks:

• IoWMISetNotificationCallback (WMI callback)
• DbgSetDebugPrintCallback (DbgPrint callback, no MSDN, see here)
• KeRegisterBugCheckCallback (Bugcheck callback)
• KeRegisterBugCheckReasonCallback (Bugcheck reason callback)
• KeRegisterNmiCallback (non-maskable interrupt callback)
• KeRegisterProcessorChangeCallback (processor added to hardware callback)
• SeRegisterLogonSessionTerminatedRoutine (user logged off)
• PoRegisterPowerSettingCallback (power setting change callback)
• IoRegisterPlugPlayNotification (Plug and Play notification callback)

Thanks,
--AD

NOTE: This content originally came from KernelMode.info - Archive.

[EP_X0FF]

but ZoneAlarm in 32bit version uses ssdt hooks !

Because its 32 bit. In user friendly words 32 bit mode is so much hacked, so nobody cares. But on new 64 bit platform you are not allowed to hack operation system architecture even from kernel mode. Like you this or not - in Microsoft nobody cares, they provided a wide list of possible solutions for AV vendors and more will be included in next versions of Windows.

but how it can detect OpenProcess api in 64bit windows without hooking?

With help of ObCallbacks see OB_PRE_OPERATION_INFORMATION -> Operation -> OB_OPERATION_HANDLE_CREATE.

[Depoly]

thx very good info s!

but what is your solutions for Win2003 x64 and Vista x64 without sp1 ?

ObRegisterCallbacks
Available in Windows Vista with Service Pack 1 (SP1), Windows Server 2008, and later versions of the Windows operating system.

[a_d_13]

thx very good info s!

but what is your solutions for Win2003 x64 and Vista x64 without sp1 ?

ObRegisterCallbacks
Available in Windows Vista with Service Pack 1 (SP1), Windows Server 2008, and later versions of the Windows operating system.

Code: Select all

MessageBoxW(0, L"Please install Windows Vista Service Pack 1 or later!", L"Unsupported Windows Version", MB_ICONEXCLAMATION);

Since it's not supported, there is no documented way to do this. However, if you want "undocumented" and probably very dangerous way, then look here, and here (scroll down to "bootkit_fasm.rar" on the second link).

Thanks,
--AD

[Depoly]

but how can i find address of ServiceTable whitout using KeServiceDescriptorTable function
this function is not exported by ntoskrnl.exe in x64 windows

thx :)

[EP_X0FF]

Read this. http://www.microsoft.com/whdc/driver/ke ... ching.mspx

What you want to do is hack of system. If you still interested - then parse ntoskrnl.exe for example and find references.
Even if you successes your drivers will 100% not work with any new version of Windows.

[a_d_13]

There's a good article about finding unexported symbols here.

Thanks,
--AD