[rrr_rrr_111]

Hi guys, I've got a question on how to be able to hook various WinAPI functions like VirtualQuery and be able to see the parameters being passed to a certain process.

I've tried using the user-defined/system-defined callbacks but there are apparently only like 4 functions you can "hook" on (GetSystemTime, etc)...

I want an official Microsoft provided way to see WinAPI functions called in a process in a 64bit machine running Win 10...

[Brock]

You can inject a DLL into your target process(es) and use Microsoft Detours hooking engine if you don't want to use 3rd party hooking engines. However, there really isn't any "official" method, Detours just happens to be Microsoft's own hooking solution for various tasks over the years.

[rrr_rrr_111]

You can inject a DLL into your target process(es) and use Microsoft Detours hooking engine if you don't want to use 3rd party hooking engines. However, there really isn't any "official" method, Detours just happens to be Microsoft's own hooking solution for various tasks over the years.

What about methods from kernel mode? I've read about ssdt hooking but apparently it results in a BSOD. I'm trying to find a way to hook those functions from kernel mode.

[Brock]

Should have mentioned previously that v4.0.1 is now open source and supports both x86 and x64 and will work with all NT-based operating systems. Years ago this wasn't the case, the source for licensing v4.0 was (iirc) $10,000 USD

https://github.com/Microsoft/Detours

[vivid]

Should have mentioned previously that v4.0.1 is now open source and supports both x86 and x64 and will work with all NT-based operating systems. Years ago this wasn't the case, the source for licensing v4.0 was (iirc) $10,000 USD

https://github.com/Microsoft/Detours

Wow that's nice to hear! I have a repo for my own version of Detours I made when the license was still restrictive. Releasing it under MIT license puts a smile on my face.

FWIW Detours [hotpatching] is the preferred method because it doesn't require updating other modules, so it can do on-the-fly OS updates. You also need to know the parameters/convention. Using your own hook/naked function only requires you to know what you want to manipulate.

[rrr_rrr_111]

I don't understand how detours is related to hooking in kernel mode? I posted this inside "kernel mode development" section...

[Vrtule]

What about methods from kernel mode? I've read about ssdt hooking but apparently it results in a BSOD. I'm trying to find a way to hook those functions from kernel mode.

Well, hooking based on code modification is not possible (in most cases) because 64-bit Windows employs Kernel Patch Protection (KPP) that BSODs the system when it detect code/data (and other) changes. Sometimes, you can still do some hooking in places where pointers to routines are used rather than calling the routines directly. However, it may be quite tricky to find such places and since they are quite deep in the kernel, they may exist only on some versions of Windows (or be different on others).

What you can do is to trick KPP into thinking that none of the protected code and data changed by employing a hardware virtualizacion. For example, see DDiMon
https://github.com/tandasat/DdiMon

Unfortunately (or fortunately, it depends), none of these approaches is as simple as the "good" old SSDT hooking, so popular (ineffective and BSOD generating) during the XP era.

[Brock]

Originally you posted this regardless of the Kernel Mode Development section of the forum

I've got a question on how to be able to hook various WinAPI functions like VirtualQuery and be able to see the parameters being passed to a certain process

Your question, I assumed after your mentioning of a usermode API, wasn't in fact kernel related but I see now that's what you meant all along.

VrTule has already provided you the answer. If you want to try a 3rd party hooking library that can (from what I've read) hook kernel functions you can read about EasyHook. Keep in mind however that it still will not disable Patch Guard (KPP) for you so you're back to square one on x64.

https://easyhook.github.io

[tangptr]

You may hook MSR-LSTAR (ecx=0xC0000082) and hide your hook using hardware-accelerated virtualization (Intel VT-x or AMD-V).
This can be accomplished by rdmsr interception. It requires the least virtualization feature - no address-translation (Intel EPT or AMD NPT) required.
HyperBone written by DarthTon can be a significant example of doing MSR hook filtering using hardware-accelerated virtualization - which is, writing assembly code to redo KiSystemCall64 and interception of rdmsr. However, its way of hooking is not perfect - which is, using wrmsr instruction to change MSR value.

[sscalzo]

You may hook MSR-LSTAR (ecx=0xC0000082) and hide your hook using hardware-accelerated virtualization (Intel VT-x or AMD-V).

Microsoft's Kernel Virtual Address Shadow (KVAS) feature was introduced awhile ago as a mitigation for the Meltdown vulnerability which was affecting various CPUs. As a result of KVAS, you'll need your system call handler to be mapped to the shadow page tables, otherwise it's not going to work - this used to be easy with the MmCreateShadowMapping kernel API but Microsoft changed things late 2018.

References:
https://revers.engineering/syscall-hook ... ster-efer/