Exetools (https://forum.exetools.com/index.php)
-   x64 OS (https://forum.exetools.com/forumdisplay.php?f=44)
-   -   64 bit drivers / process management (https://forum.exetools.com/showthread.php?t=15122)

mad 07-12-2013 01:49

64 bit drivers / process management
 
Hi there :)

I have a question about driver development on Windows x64 systems.
I am pretty new to this topic (drivers generally), so please have patience with me :p
Atm I'm playing around a bit with hooks, and ofc I noticed that most stuff like SSDT and IDT hooks or modifying the EPROCESS structure is forbidden
by the KPP on 64 bit ;X
My question is: is there any kind of "legit" way of "hooking" functions (especially process management),
and if not, how do modern antivirus programs handle this?

TheSwash 07-31-2013 05:59

Hi,
To hook functions in kernel mode under Windows x64 systems, you will need to bypass the Kernel Patch Protection (PatchGuard). Since Windows XP x64 you need to bypass this protection, but the hardest is Windows 7-8 fully updated.

Wikipedia information about this.

Information on bypassing PatchGuard (old versions).

Regards!

mm10121991 08-01-2013 16:32

Does the PatchGuard protect the IA32_SYSENTER_EIP msr ?

TheSwash 08-01-2013 23:33

Quote:

Covertness: Changing the value of the IA32_SYSENTER_EIP MSR can be detected. For example, PatchGuard currently checks to see if the equivalent AMD64 MSR has been modified as a part of its polling checks.
Source

Regards!
