A forum for reverse engineering, OS internals and malware analysis
xqrzd wrote:Object type hooks work fine for me on x86 Windows 8. I've not tested x64, but I would assume patch guard still covers it.I've tested hook open procedure of PsProcessType on windows 8 x64, and it works fine for long time without any bsod.
gloryo wrote:Are you sure?xqrzd wrote:Object type hooks work fine for me on x86 Windows 8. I've not tested x64, but I would assume patch guard still covers it.I've tested hook open procedure of PsProcessType on windows 8 x64, and it works fine for long time without any bsod.
is there anyone who tested it more?
Dmitry Varshavsky wrote:That entirely depends on what your purpose is. If your intention is to protect a process from being closed, then of course ObRegisterCallbacks is a much more elegant solution than an SSDT hook, particularly on x64. However, what if you want to handle a specific operation? For example, what if you want to protect a particular region of memory from read operations? You would want a hook on NtQueryVirtualMemory / NtReadVirtualMemory and check the parameters to see if it lies in the memory region you want to protect. There are other examples where you need to check particular parameters that don't exist in ObRegisterCallbacks.m5home wrote:ObRegisterCallbacks is much more flexible and useful than hooking of single NtTerminateProcess routine. It can restrict suspend/resume, vm operations, setting of context and many other things. You would require a bunch of hooked functions to achieve the whole functionality ObRegisterCallbacks provide you. Especially when we talk about x64 systems..Vrtule wrote:Yes, ObRegisterCallbacks does the job much much better and the defense is less vulnerable. Personally, I do not see much interesting in this kind of hooking on 64bit systems.I know, kernel hook is not a good way in WIN64.
But kernel hook(include SSDT HOOK and INLINE HOOK) can do many things.
ObRegisterCallbacks can monitor process/thread handle only, it means that this function can protect process/thread only.
My rule: Try to use standard method, if standard method cannot realize my need, I will use hook to realize it.
Think about it.
