[rebuilty]

I hook some ShadowSSDT functions(e.g NtUserPostMessage) in x86 os to protect my process , but in x64 patchguard protects servicetable so that i can't hook any system functions.


Can I filter window message via ObRegisterCallbacks or any other function?

[Vrtule]

Hello,

you can filter messages issued via SendMessage directed to certain application(s) via hooking their ntdll!KiUserCallbackDispatcher.

[rebuilty]

Hello,

you can filter messages issued via SendMessage directed to certain application(s) via hooking their ntdll!KiUserCallbackDispatcher.

how can filter messages like a HIPS(e.g comodo firewall) does?

[Vrtule]

AFAIK Patchguard starts protecting ShadowSDT in Windows 8, so there is actually no problem (except compatibility with future and newer OS versions) in hooking the table on previous versions of Windows.

Did you test the HIPS on Windows 8 or newer?

[rebuilty]

AFAIK Patchguard starts protecting ShadowSDT in Windows 8, so there is actually no problem (except compatibility with future and newer OS versions) in hooking the table on previous versions of Windows.

Did you test the HIPS on Windows 8 or newer?

I tested in win8.1 x64 and found something interesting.
It seems the HIPS uses a ProcessNotifyCallback to inject its dll when a new process starts and then hook Nt**** in ntdll, Post/SendMessage in user32 in ring3.
It also creates a pipe(\\cmdAuth) to transfer data.

I'm now trying to write similar codes :)