SSDT hooking alternative in x64 systems
I read a little bit and found out that SSDT hooks using drivers in Windows 7 x64 systems are harder, on purpose, because of PatchGuard/driver signing, while in x32 systems that doesn't happen.

So, is there any other alternative for x64 systems? I mean, is there any other way that I could go to achieve the same result? (global hook a ntdll api)

Generality answered 22/7, 2012 at 5:06 Comment(4)

Trommel: The whole point of disabling SSDT in x64 was so that people couldn't install global hooks.

Generality: So @Harry, you're saying it's impossible to install global hooks in x64 systems? I mean, without forcing the user to disable PG.

Trommel: Technically, no, it's not impossible - malware writers have figured out various ways of doing this. But going down that path would be a very bad idea: en.wikipedia.org/wiki/Sony_rootkit

Generality: @HarryJohnston, can you share more about this subject, ways of doing it, for example?
You could implement User Mode hooks using the DLL Injection method as this works on both x86 and x64. If you want to make the hook global you will need to inject the DLL into every process including newly created ones.

Saville answered 12/11, 2012 at 16:28 Comment(0)
SSDT is not allowed in x64. File system or mini-filter driver is a way to alter any default system behavior. What do you want to achieve?

Barbitone answered 22/7, 2012 at 5:41 Comment(5)

Generality: I want to hook NtOpenProcess at a level where it "works" for every application running on my PC.

Alisa: Disable PG and use an SSDT hook. :)

Generality: Not very good for normal users. I didn't want to force them to install any other stuff.

Trommel: If your target audience understands the issues involved with installing global hooks, and assuming your application is valuable enough to them, they won't mind disabling PG in order to use it. If they don't understand the issues, then they aren't able to give informed consent, and it would be unethical of you to install a global hook on their system even if you found a way to do so.

Generality: It is an anti-cheat program; they aren't supposed to know how it works, but I can't force them to disable PG, since that is for "advanced" users and the audience of my exe is normal users, you know? Probably most of them wouldn't know how to disable it.
It depends on what your target is. If you need to prevent malicious operations on a process or thread, you can use a notify routine or ObRegisterCallbacks instead. Or you can use a minifilter to monitor file operations.

Tulle answered 26/6, 2022 at 15:24 Comment(0)
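Added example, not from any poster in this thread: the supported x64 replacement for an NtOpenProcess hook is an ObRegisterCallbacks pre-operation callback that only removes access rights from handle requests aimed at the protected process. The access policy below is plain C and compiles anywhere; the driver-side registration that would call it sits behind a hypothetical build macro (EXAMPLE_BUILD_KERNEL) and needs the WDK. The altitude string and the source of the protected PID are placeholders.

```c
/*
 * Access policy an ObRegisterCallbacks pre-operation callback can apply to
 * keep other processes from tampering with one protected process.
 * Example code written for this thread, not from any answer above.
 */
#include <stdint.h>
#include <stdbool.h>

/* Process access rights, values as documented in winnt.h. */
#define PROCESS_TERMINATE         0x0001u
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_READ           0x0010u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_DUP_HANDLE        0x0040u
#define PROCESS_SUSPEND_RESUME    0x0800u

/* Rights that let another process read, alter, inject into or kill ours. */
#define TAMPER_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
                       PROCESS_VM_OPERATION | PROCESS_VM_READ | \
                       PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
                       PROCESS_SUSPEND_RESUME)

/* Minimal model of what the callback sees for one handle request. */
typedef struct {
    uint32_t requester_pid;   /* process asking for the handle */
    uint32_t target_pid;      /* process the handle would refer to */
    bool     kernel_handle;   /* OB_PRE_OPERATION_INFORMATION.KernelHandle */
    uint32_t desired_access;  /* requested ACCESS_MASK */
} handle_request_t;

/*
 * Return the access mask to grant. Follows the rules an OB pre-operation
 * callback must respect: rights may only be removed, never added, and
 * kernel-originated handles and a process's own handles are left alone.
 */
uint32_t filter_process_access(const handle_request_t *req, uint32_t protected_pid)
{
    if (req->target_pid != protected_pid)     /* not our process: untouched */
        return req->desired_access;
    if (req->kernel_handle)                   /* kernel callers keep full access */
        return req->desired_access;
    if (req->requester_pid == protected_pid)  /* self-open (e.g. duplicating own handle) */
        return req->desired_access;
    return req->desired_access & ~TAMPER_RIGHTS;
}

#ifdef EXAMPLE_BUILD_KERNEL  /* hypothetical macro: define only when building with the WDK */
#include <ntddk.h>

static PVOID  g_reg_handle;      /* from ObRegisterCallbacks, for ObUnRegisterCallbacks */
static HANDLE g_protected_pid;   /* placeholder: set by the driver, e.g. via an IOCTL */

static OB_PREOP_CALLBACK_STATUS pre_op(PVOID ctx, POB_PRE_OPERATION_INFORMATION info)
{
    UNREFERENCED_PARAMETER(ctx);
    if (info->ObjectType != *PsProcessType)
        return OB_PREOP_SUCCESS;

    /* Create and duplicate requests carry DesiredAccess in different union members. */
    PACCESS_MASK access = (info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &info->Parameters->CreateHandleInformation.DesiredAccess
        : &info->Parameters->DuplicateHandleInformation.DesiredAccess;

    handle_request_t req;
    req.requester_pid  = (uint32_t)(ULONG_PTR)PsGetCurrentProcessId();
    req.target_pid     = (uint32_t)(ULONG_PTR)PsGetProcessId((PEPROCESS)info->Object);
    req.kernel_handle  = info->KernelHandle != 0;
    req.desired_access = *access;

    *access = filter_process_access(&req, (uint32_t)(ULONG_PTR)g_protected_pid);
    return OB_PREOP_SUCCESS;   /* never fail the open, just trim the rights */
}

NTSTATUS register_protection(void)
{
    OB_OPERATION_REGISTRATION op  = {0};
    OB_CALLBACK_REGISTRATION  reg = {0};
    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = pre_op;
    reg.Version                   = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration     = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000");  /* placeholder altitude */
    return ObRegisterCallbacks(&reg, &g_reg_handle);
}
#endif
```

The kernel half only succeeds if the driver is signed and linked with /INTEGRITYCHECK, which is the same policy that keeps SSDT patching out: the callback is a sanctioned extension point, so it survives PatchGuard rather than fighting it. Returning a reduced mask instead of failing the open keeps tools that only need PROCESS_QUERY_LIMITED_INFORMATION (task managers, monitoring agents) working against the protected process.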
