A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #28439  by segark
 Sun May 01, 2016 4:56 pm
Hello,

I am looking for a way to receive a callback on calls to NtReadVirtualMemory from UM.
I am currently using a hook on the SSDT function pointer but am looking for a way to do that using something more documented and supported.

Is there any way to do that besides SSDT hooking?
Maybe using the HAL some way or using a hyper-v?

Thanks.
 #28443  by Vrtule
 Mon May 02, 2016 4:48 pm
Hello,

as far as I know, no such magic callback exists. You can use ObRegisterCallbacks to get notified when someone attempts to get a handle to your processes with the PROCESS_VM_READ permission; however, you cannot block such attempts. On Windows 7 and older, it was possible to restrict access to a given process by marking it as a protected process (by setting a flag in its EPROCESS structure). I am not sure whether the field is protected by KPP on newer systems.

Actually, reading the memory of another process is legal in some (many?) cases; for example, the Tool Help Library uses it to gather information about process modules.

Vrtule
 #28466  by Dmitry Varshavsky
 Sun May 08, 2016 7:35 am
segark wrote:
    Dmitry Varshavsky wrote:
        segark wrote: hyper-v?
        Yes, that will work.
    Could you elaborate?
You might be interested in an identity hypervisor; there are a few open-source projects available on the net. Alex Ionescu published one not so long ago. I haven't had a chance to take a look yet, but I think that it will work :D Peter Hlavaty did a good job as well: https://github.com/zer0mem?tab=repositories
Using an HV you can achieve your goal in multiple ways (EPT, virtual TLB, #PF handling, etc.), but the easiest would be syscall hooking. That will be very similar to the SSDT hooking that you currently use; you just need to mask your intrusion from PG in the case of the x64 platform, but that is quite trivial.