[Out]

Hello. Can someone give me tips, what can be wrong.
Win10 x64, PG disabled.
I want to hook ShadowSSDT.
So, i`m obtain ShadowSSDT table address (its ok)
Then, attaching to csrss (gui process), i`m place cave hook to function, that i need (seems to be ok also, no bsods, and new bytes exists).
My problem - after hook placed - seems like it is not work, i cant catch any calls to this function (with ssdt its ok, i have problem only with shadowssdt).

Hook installed not properly? Or something else happens there?

[Vrtule]

On what SSDT entry did you install the hook? How do you test whether it is invoked or not?

[Out]

I`m test it with NtUserBuildHwndList and NtUserFindWindowEx (indexes from http://j00ru.vexillium.org/syscalls/win32k/64/)
Testing with usermode app that call EnumWindows, FindWindowA.

[Out]

Nvm, seems i find a fix.
Istead of using csrss as a "gui" process i`m try to use another process (that i launch itself). And in this case - hooks works globally.
But its strange, why it doesnt work with csrss.

Seems like it will work only if username of gui process - not system, but current logged user.
Or each user in system have its own shadowssdt table