[x2v]

Hello,

Actually i'm trying to hook the ssdt on win8 64bit, i know 64bit systems does uses patchguard, anyway, normally patch guard should be disabled if you boot with debug on and so it shouldn't bsod ur system, anyway it doesn't appear to work with win 8 ( it bug check 0x109 = patch guard ), but it does work for every other system while debug on is active, any ideea why?

[x2v]

Anyone?

Maybe they keep running patchguard even with debug /on, now?

Thanks.

[Vrtule]

Hello,

did you attached a debugger to that system? Or did you just set the debug mode on?

Vrtule

[x2v]

Hello,

I just tried /debug on with the setting /start autoenable

normally it works for every windows prior to windows 8, do you have any ideea? It just bug check 0x109 everytime i try to to some stuff # SSDT

there is any 'windows' debugger that attachs to the system automatically to the boot or i must change some \debug settings to do so?

Thanks for the reply.

Regards.

[Vrtule]

Hello,

install Debugging Tools for Windows (it is a part of WDK, so you probably have it already installed). You can then attach the WinDbg debugger to booting virtual machine (it is possible to do it also after the boot, however, it did not work reliably for me). There are two possiblities how to do it:
1) Manually create virtual serial port as a virtual machine hardware. Configure the system in VM to listen on that serival port. During VM boot phase, connect the WinDbg to that serial port. The serial port usually looks as a named pipe in host OS environment. It is probably possible to connect the debugger to the virtual machine in some other ways, however, virtual serial ports worked perfectly for me, although they are quite slow.
2) Use VirtualKD to do this job more or less automatically. VirtualKD also patches the virtual machine software a little bit (VMWare nad VirtualBox are supported), so the virtual serial ports created by VirtualKD are much faster.

Vrtule

[EP_X0FF]

Hello,

Actually i'm trying to hook the ssdt on win8 64bit, i know 64bit systems does uses patchguard, anyway, normally patch guard should be disabled if you boot with debug on and so it shouldn't bsod ur system, anyway it doesn't appear to work with win 8 ( it bug check 0x109 = patch guard ), but it does work for every other system while debug on is active, any ideea why?

Just out of curiosity. Why do you need this ancient and blacklisted technology?

[x2v]

just to filter and log out a few api's that a program uses without modifying the memory of the program, less invasive and i don't have a 32bit partition to do so, so i'm tyring to filter them with my own system which is x64 and that PG just makes more problems than what it would make with it disabled :&.

And if you wondering if i use x64 ssdt hookin, no, it is useless there, but if you want to filter a few api's without attaching to the process, it is a good alternative just to check what the process does or checks, and no virtual machines doesn't work well for games ;)

[EP_X0FF]

http://msdn.microsoft.com/en-us/library ... s.85).aspx
http://msdn.microsoft.com/en-us/library ... s.85).aspx

Application invasive however.

[Vrtule]

Which APIs do you want to filter/monitor?