A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #10496  by madaboo
 Wed Dec 21, 2011 3:28 pm
Hi,

When M$ introduced Kernel Patch Guard and said "making hooks on kernel is bad", did they actually provide any other solution for this?
e.g. filtering files can, as I understand, be handled with minifilter drivers, but what if I need to scan registries, or I want to scan any ZwVirtualAlloc or any other things.. has Microsoft also said "go this way"??

thank you.
 #10497  by EP_X0FF
 Wed Dec 21, 2011 4:21 pm
madaboo wrote: but what if I need to scan registries,
CmRegisterCallback
madaboo wrote: or I want to scan any ZwVirtualAlloc or any other things.. has Microsoft also said "go this way"?? thank you.
I do not know the purpose of NtAllocateVirtualMemory interception, or what is hidden under "other things".
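A registry filter built on CmRegisterCallback, as an added example that is not code from this thread: it refuses deletion of one constructed key subtree instead of hooking anything. It assumes a project-defined KERNEL_BUILD macro for the WDK build and the Vista+ CmCallbackGetKeyObjectID routine; the policy function is plain C so it also builds and runs in user mode.

```c
#ifdef KERNEL_BUILD            /* assumed macro set by the WDK project */
#include <ntddk.h>
#endif
#include <stddef.h>
#include <wchar.h>
/* Constructed example: refuse deletion of this key and everything under it. */
static const wchar_t kProtectedPrefix[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleAV";
/* Case-insensitive prefix match (registry paths are case-insensitive), kept as a
 * plain loop so it builds in kernel and user mode. keyPath is the full object
 * name, which is not NUL-terminated in the kernel, hence the explicit length. */
int ShouldBlockDelete(const wchar_t *keyPath, size_t keyPathChars)
{
    size_t i, n = wcslen(kProtectedPrefix);
    if (keyPath == NULL || keyPathChars < n) return 0;
    for (i = 0; i < n; i++) {
        wchar_t a = keyPath[i], b = kProtectedPrefix[i];
        if (a >= L'a' && a <= L'z') a -= 32;
        if (b >= L'a' && b <= L'z') b -= 32;
        if (a != b) return 0;
    }
    /* The key itself or a subkey, but not a sibling such as "...\ExampleAVx". */
    return keyPathChars == n || keyPath[n] == L'\\';
}
#ifdef KERNEL_BUILD
static LARGE_INTEGER gCookie;
/* Pre-notification: a failure status makes the kernel reject the operation. */
static NTSTATUS RegistryCallback(PVOID Context, PVOID Argument1, PVOID Argument2)
{
    PCUNICODE_STRING name = NULL;   /* owned by the system; do not free it */
    UNREFERENCED_PARAMETER(Context);
    if ((REG_NOTIFY_CLASS)(ULONG_PTR)Argument1 != RegNtPreDeleteKey)
        return STATUS_SUCCESS;
    /* CmCallbackGetKeyObjectID is Vista+ (see the SP1 filtering document). */
    if (NT_SUCCESS(CmCallbackGetKeyObjectID(&gCookie, ((PREG_DELETE_KEY_INFORMATION)Argument2)->Object, NULL, &name))
        && name != NULL && ShouldBlockDelete(name->Buffer, name->Length / sizeof(WCHAR)))
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}
static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    CmUnRegisterCallback(gCookie);  /* always unregister before the image goes away */
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return CmRegisterCallback(RegistryCallback, NULL, &gCookie);
}
#endif
```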
 #10499  by Vrtule
 Wed Dec 21, 2011 5:56 pm
Look at the Kernel Data and Filtering Support For Vista SP1 document from Microsoft.

If your task is GUI-based, you can still hook in win32k.sys driver.

Why do you want to hook NtAllocateVirtualMemory?
 #10500  by rkhunter
 Wed Dec 21, 2011 6:06 pm
Seems this is a bad idea - hooking in ring0 on x64, especially win32k. Moreover, even if it is not guarded today, it will be tomorrow.
 #10505  by Vrtule
 Wed Dec 21, 2011 9:13 pm
rkhunter wrote: Seems this is a bad idea - hooking in ring0 on x64, especially win32k. Moreover, even if it is not guarded today, it will be tomorrow.
I think that before win32k.sys starts to be guarded, Microsoft will provide some interfaces to allow HIPS systems to protect against various kinds of GUI attacks and other techniques. Some AVs/HIPS systems hook in win32k nowadays (Kaspersky, Avast, Outpost).

However, I agree that this kind of hooking is not a good idea.
 #10517  by EP_X0FF
 Thu Dec 22, 2011 12:32 pm
You can and should forget about it.
 #10521  by EP_X0FF
 Thu Dec 22, 2011 12:55 pm
madaboo wrote: EP_X0FF
Thanks for joining..

forget about it in the context of x64 Windows XP OR x64 at all??
x64 Windows XP.