A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #26642  by SirZoidberg
 Tue Sep 01, 2015 11:38 pm
Hello,

I wonder if there are any legitimate ways to achieve similar functionality to kernel mode hooks. I'm thinking of developing a small piece of software with some functions to monitor the behavior of processes, similar to a good anti virus solution, e.g. to avoid WriteProcessMemory to other processes and the installation of drivers. Additionally some functions to disable certain functions, similar to a child protection software.

(Skip the next part, it's just an explanation of why I want to do this)
Some of my friends who ask me to "fix" their computer often have the same problems with malware/spyware that often comes with free software or from fake "free software"/"free updates" sites. Some of them have good anti virus software - but the software asks so often/many times that they eventually allow things they shouldn't. I have some knowledge about rootkits (usermode & kernelmode) and the techniques the proactive anti virus software used 3-4 years ago. I think it would be a nice hobby to try to develop such software. I read many new posts in this forum and others on how to achieve such functionality in current Windows x64 versions. But I only found ways used in game hacks or malware to get into kernel mode and create such hooks. So even if I would buy a certificate for my driver, there is still the problem of making the hooks because of PatchGuard. I read about ways to disable PatchGuard but none of them seemed "right" because my goal is to make the computer safer. By disabling PatchGuard I would do the opposite. I know there are ways to do this in usermode, e.g. to load my DLL in every process, but it's much harder this way to defend my tool against malware that unhooks things or loads the APIs' addresses itself.

So my question is: How can I do something like this the 'legitimate' way without compromising/disabling any security features of Windows? And if possible, do it with kernel rights to be sure my software has more rights than any process they might start. Since there are so many anti virus products, even from Microsoft, I hope there must be a way to implement this that isn't "dirty".
I don't look for a finished solution, just for tips, suggestions or keywords so that I can continue searching for ways. I wasn't able to find a good one, yet.

Thanks & Greetings,
Sir Zoidberg
 #26643  by Brock
 Wed Sep 02, 2015 3:17 am
Hi,
You can harness a lot of power through system callbacks. Basically, you register a callback function and the underlying OS will call your function pre and post operations, in some cases. See ObRegisterCallbacks() for an example of this; also FsRtlRegisterFileSystemFilterCallbacks(), PsSetCreateProcessNotifyRoutine(Ex), PsSetCreateThreadNotifyRoutine() and PsSetLoadImageNotifyRoutine() will help you while doing process and thread "stuff". Search this forum too, a lot of these kernel functions have been mentioned and code examples exist as well. I don't blame you for wanting to avoid hooks and, as you mentioned, KPP/PG doesn't help things on x64.
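To make the ObRegisterCallbacks() suggestion concrete for the WriteProcessMemory case the question raises, here is an added example (not code from this thread or from any poster): a minimal WDM driver whose pre-operation callback strips PROCESS_VM_WRITE, PROCESS_VM_OPERATION and PROCESS_CREATE_THREAD from any handle a foreign process opens to one "protected" process, which is what makes WriteProcessMemory()/CreateRemoteThread() against it fail with access denied instead of requiring a hook. The access-mask policy is a plain function so it can be compiled and tested on a host without the WDK; the kernel glue is only built when _KERNEL_MODE is defined (the WDK defines it for kernel-mode projects). The protected PID, the altitude string and the name FilterProcessAccess are assumptions made for the example.

```c
/*
 * Added example, not code from the thread: ObRegisterCallbacks() used to
 * remove memory-write rights from handles to a protected process.
 * Policy logic is host-testable; kernel glue compiles only under the WDK.
 */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
/* Host-side shims of the kernel types so the policy function compiles alone. */
typedef unsigned long ACCESS_MASK;
#define PROCESS_CREATE_THREAD 0x0002   /* same values as the SDK headers */
#define PROCESS_VM_OPERATION  0x0008
#define PROCESS_VM_WRITE      0x0020
#endif

/* Rights a foreign process must not obtain on the protected process. */
#define DENIED_RIGHTS (PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)

/*
 * Pure policy: given the requested access, whether the target is the protected
 * process and whether the requester is that process itself (a process may
 * always open itself), return the access the handle is allowed to carry.
 * Other rights (query, terminate, ...) are left as requested on purpose.
 */
ACCESS_MASK FilterProcessAccess(ACCESS_MASK desired, int targetProtected, int requesterIsTarget)
{
    if (!targetProtected || requesterIsTarget)
        return desired;                         /* nothing to filter */
    return desired & ~(ACCESS_MASK)DENIED_RIGHTS;
}

#ifdef _KERNEL_MODE
static HANDLE g_ProtectedPid = (HANDLE)1234;  /* placeholder; a real driver sets this via IOCTL */
static PVOID  g_ObHandle;

static OB_PREOP_CALLBACK_STATUS
PreOpCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION Info)
{
    PEPROCESS    target            = (PEPROCESS)Info->Object;
    int          targetProtected   = PsGetProcessId(target) == g_ProtectedPid;
    int          requesterIsTarget = PsGetCurrentProcessId() == g_ProtectedPid;
    PACCESS_MASK desired;

    UNREFERENCED_PARAMETER(RegistrationContext);

    /* Kernel-mode handles (including the driver's own) are not filtered. */
    if (Info->KernelHandle)
        return OB_PREOP_SUCCESS;

    /* Create and duplicate carry the requested mask in different members. */
    if (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        desired = &Info->Parameters->CreateHandleInformation.DesiredAccess;
    else
        desired = &Info->Parameters->DuplicateHandleInformation.DesiredAccess;

    *desired = FilterProcessAccess(*desired, targetProtected, requesterIsTarget);
    return OB_PREOP_SUCCESS;       /* the open succeeds, just with fewer rights */
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    if (g_ObHandle)
        ObUnRegisterCallbacks(g_ObHandle);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    OB_OPERATION_REGISTRATION op  = { 0 };
    OB_CALLBACK_REGISTRATION  reg = { 0 };

    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    op.ObjectType    = PsProcessType;
    op.Operations    = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation  = PreOpCallback;
    op.PostOperation = NULL;

    reg.Version                    = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration      = &op;
    reg.RegistrationContext        = NULL;
    /* Altitude orders callback drivers; "321000" is a placeholder value. */
    RtlInitUnicodeString(&reg.Altitude, L"321000");

    /* The image must be linked with /INTEGRITYCHECK, else this returns STATUS_ACCESS_DENIED. */
    return ObRegisterCallbacks(&reg, &g_ObHandle);
}
#endif
```

Two practical checks belong with this: the driver must be signed and linked with /INTEGRITYCHECK or registration fails, and the callback only narrows rights (it never returns a failure status), so legitimate tools such as debuggers still open the process, just without write access, which is easier to troubleshoot than a hard deny.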
 #26645  by Vrtule
 Wed Sep 02, 2015 11:00 am
Hello,

if you need to monitor/filter/alter registry operations, look at CmRegisterCallback(Ex) routine.

If you wish to monitor/filter/alter file system operations, have a look at File System Minifilter Drivers. If you need something more advanced, you can always attach a device object to the device stack of the driver responsible for the device you wish to monitor/filter...

If you wish to monitor/filter network traffic, search for the Windows Filtering Platform interface. Well, the APIs are kinda tough sometimes but WDK contains several samples that will help you to develop your own network filter driver.

These are legitimate ways of doing certain (usual, I believe) things that cannot be solved by kernel hooking anymore. Certain specific tasks may also be solved by other methods that are not well documented but are not considered "kernel hooks" (certain things can be accomplished quite well mostly by usermode hooking, or you can find kernel structures containing callbacks that are not protected by KPP yet).