A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #31053  by Out
 Mon Nov 27, 2017 8:36 am
Hello. Can someone give me tips on what can be wrong?
Win10 x64, PG disabled.
I want to hook the ShadowSSDT.
So, I obtain the ShadowSSDT table address (it's ok).
Then, attaching to csrss (GUI process), I place a cave hook on the function that I need (seems to be ok also, no BSODs, and the new bytes exist).
My problem: after the hook is placed, it seems like it does not work; I can't catch any calls to this function (with the SSDT it's ok, I have the problem only with the ShadowSSDT).

Is the hook not installed properly? Or does something else happen there?
 #31059  by Vrtule
 Mon Nov 27, 2017 9:22 am
On what SSDT entry did you install the hook? How do you test whether it is invoked or not?
 #31062  by Out
 Mon Nov 27, 2017 11:03 am
Nvm, it seems I found a fix.
Instead of using csrss as the "GUI" process, I tried to use another process (one that I launch myself). And in this case the hook works globally.
But it's strange why it doesn't work with csrss.

It seems like it will only work if the username of the GUI process is not SYSTEM but the currently logged-in user.
Or each user in the system has its own ShadowSSDT table.