Hello,
Since I noticed Kaspersky 2016 hooked KiSystemCall64 in klhk.sys, I wrote similar code to do the same thing, but failed. :cry:
I tried it in these parts:
1. Write a small function with a big size in the driver (in .asm):

    .code
    ; _syscall64: a placeholder buffer of 3 * 5000h = 0F000h NOP bytes that the
    ; driver overwrites at runtime with a copy of KiSystemCall64
    _syscall64 proc
        db 5000h dup(90h)
        db 5000h dup(90h)
        db 5000h dup(90h)
    _syscall64 endp
    end

2. Copy the original KiSystemCall64 code from kernel memory to _syscall64 in my driver.
3. Fix the offsets in the new code (SSDT, shadow SSDT, all calls).
4. Write _syscall64's address to MSR 0xC0000082.
After part 3, my code looks almost the same as in klhk.sys. The only difference is that Kaspersky 2016 builds its own SSDT and Shadow SSDT table, while I just redirect them to the system's original tables.
However, after part 4, the OS froze, and in WinDbg I found this:

    kd> wrmsr 0xc0000082 hipsdriver!_syscall64
    kd> g
    Illegal instruction - code c000001d (!!! second chance !!!)
    nt!KiExceptionDispatch+0x6e:
    fffff801`af1d562e 0e ???

If I write Kaspersky's FakeKiSystemCall64 address to MSR 0xC0000082, it works fine.
klhk.sys is version 10.0.0.1503; FakeKiSystemCall64 is at klhk+0x43200 (in IDA it is KLHVM_SE:0000000180043200).
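As an added example, not code from the original post: the defender's side of the MSR write described above, a script that parses WinDbg `rdmsr 0xc0000082` and `lm` output and reports whether IA32_LSTAR still points into nt, into another loaded image (as it does with klhk.sys), or nowhere known. The MSR value and module ranges below are constructed sample output; only the module names klhk and hipsdriver come from the post.

```python
import re

# Constructed WinDbg output (not captured from the post's machine):
# "rdmsr 0xc0000082" prints the LSTAR value, "lm" prints loaded image ranges.
RDMSR_OUTPUT = "msr[c0000082] = fffff801`af1d5000"
LM_OUTPUT = """\
fffff801`af000000 fffff801`af7c3000   nt         (pdb symbols)
fffff801`b1200000 fffff801`b1260000   klhk       (deferred)
fffff801`b1400000 fffff801`b1412000   hipsdriver (deferred)
"""

MSR_RE = re.compile(r"msr\[([0-9a-f]+)\]\s*=\s*([0-9a-f`]+)", re.I)
# start  end  name  at the beginning of each "lm" line
LM_RE = re.compile(r"^([0-9a-f`]{17})\s+([0-9a-f`]{17})\s+(\S+)", re.I | re.M)


def parse_u64(text):
    # WinDbg prints 64-bit values with a backtick between the two halves.
    return int(text.replace("`", ""), 16)


def parse_lstar(rdmsr_output):
    """Extract the IA32_LSTAR (MSR 0xC0000082) value from rdmsr output."""
    m = MSR_RE.search(rdmsr_output)
    if not m or int(m.group(1), 16) != 0xC0000082:
        raise ValueError("no LSTAR value in rdmsr output")
    return parse_u64(m.group(2))


def parse_modules(lm_output):
    """Return [(name, start, end)] for every image listed by lm."""
    return [(name, parse_u64(lo), parse_u64(hi))
            for lo, hi, name in LM_RE.findall(lm_output)]


def classify_lstar(lstar, modules):
    """Return (verdict, module, offset).

    'ok'      : the syscall entry is inside the kernel image (nt)
    'hooked'  : it is inside some other loaded image (e.g. klhk+0x43200)
    'unknown' : it points outside every listed image (unbacked memory)
    """
    for name, start, end in modules:
        if start <= lstar < end:
            return ("ok" if name == "nt" else "hooked"), name, lstar - start
    return "unknown", None, None


if __name__ == "__main__":
    verdict, mod, off = classify_lstar(parse_lstar(RDMSR_OUTPUT), parse_modules(LM_OUTPUT))
    print(verdict, mod, hex(off) if off is not None else None)
```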