A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
#27628 by rebuilty, Tue Jan 12, 2016 2:49 pm
Hello,
Since I noticed Kaspersky 2016 hooks KiSystemCall64 in klhk.sys, I wrote similar code to do the same thing, but failed. :cry:

I tried it by these parts:
1. write a small function with a big body in the driver (in .asm)
Code:
_syscall64 proc
    ; 3 x 0x5000 bytes of NOP padding, later overwritten with a copy of KiSystemCall64
    db 5000h dup(90h)
    db 5000h dup(90h)
    db 5000h dup(90h)
_syscall64 endp
2. copy the original KiSystemCall64 code from kernel memory into _syscall64 in my driver
3. fix the offsets in the new code (SSDT, shadow SSDT, all calls)
4. write _syscall64's address to MSR 0xC0000082

After part 3, my code looks almost the same as in klhk.sys. The only difference is that Kaspersky 2016 builds its own SSDT and Shadow SSDT tables, while I just redirect them to the system's original tables.

However, after part 4, the OS froze and in WinDbg I found this:
Code:
kd> wrmsr 0xc0000082 hipsdriver!_syscall64
kd> g
Illegal instruction - code c000001d (!!! second chance !!!)
nt!KiExceptionDispatch+0x6e:
fffff801`af1d562e 0e              ???
If I write Kaspersky's FakeKiSystemCall64 to MSR 0xC0000082, it works fine.

klhk.sys is version 10.0.0.1503; FakeKiSystemCall64 is at klhk+0x43200 (in IDA it is KLHVM_SE:0000000180043200).
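The technique in the post (pointing MSR 0xC0000082, IA32_LSTAR, at a verbatim copy of KiSystemCall64 inside a third-party driver) is exactly what an integrity check on the SYSCALL entry point should catch. The following added example is not code from the post or from klhk.sys; it is a user-mode C model of such a check. It classifies an LSTAR value against a constructed loaded-module table (the module names and addresses are placeholders, not real-system values) and also shows why a byte comparison of the entry prologue alone is not enough: a copied routine has the same first bytes as nt!KiSystemCall64. In a real driver the value would come from the `__readmsr(0xC0000082)` intrinsic and the module ranges from the loaded-module list; both are assumed here, not implemented.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MSR number from the post: IA32_LSTAR, the 64-bit SYSCALL entry point. */
#define MSR_LSTAR 0xC0000082u

/* Minimal description of a loaded kernel module: name plus image range.
 * On a live system this comes from the loaded-module list; here the
 * values are constructed placeholders for the example. */
typedef struct {
    const char *name;
    uint64_t base;
    uint64_t size;
} kmodule;

typedef enum {
    LSTAR_OK_IN_NT = 0,      /* points into the kernel image: expected */
    LSTAR_IN_OTHER_MODULE,   /* points into another image: entry redirected */
    LSTAR_UNBACKED           /* points into no known module: entry redirected */
} lstar_verdict;

/* Find the module whose image range contains addr; NULL if none. */
static const kmodule *find_module(const kmodule *mods, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Classify an LSTAR value against the module list. nt_name identifies the
 * kernel image ("ntoskrnl.exe"); owner_out optionally receives the owner. */
lstar_verdict check_lstar(uint64_t lstar, const kmodule *mods, size_t n,
                          const char *nt_name, const char **owner_out) {
    const kmodule *m = find_module(mods, n, lstar);
    if (owner_out) *owner_out = m ? m->name : NULL;
    if (!m) return LSTAR_UNBACKED;
    return strcmp(m->name, nt_name) == 0 ? LSTAR_OK_IN_NT : LSTAR_IN_OTHER_MODULE;
}

/* Compare the first n code bytes at the LSTAR target with the known
 * nt!KiSystemCall64 prologue. A hook that copies the routine verbatim, as
 * the post describes, passes this check, so the module-range check above
 * is the decisive one; this one only catches inline patches. */
int entry_bytes_match(const uint8_t *at_lstar, const uint8_t *nt_entry, size_t n) {
    return memcmp(at_lstar, nt_entry, n) == 0;
}

/* Constructed module table (placeholder addresses, not from a real system). */
const kmodule sample_modules[] = {
    { "ntoskrnl.exe",   0xFFFFF80100000000ull, 0x00800000ull },
    { "hipsdriver.sys", 0xFFFFF80108000000ull, 0x00020000ull },
};
#define N_SAMPLE (sizeof sample_modules / sizeof sample_modules[0])

/* Constructed LSTAR readings, one per verdict. In a driver the real value
 * would come from __readmsr(MSR_LSTAR). */
uint64_t sample_lstar_clean(void)    { return 0xFFFFF80100180000ull; } /* inside nt */
uint64_t sample_lstar_hooked(void)   { return 0xFFFFF80108003200ull; } /* inside hipsdriver.sys */
uint64_t sample_lstar_unbacked(void) { return 0xFFFFF80120000000ull; } /* no module */

/* Constructed prologue bytes: "swapgs ; mov qword ptr gs:[10h], rsp".
 * A verbatim copy of the routine yields the identical bytes. */
const uint8_t kisyscall64_prologue[12] = { 0x0F,0x01,0xF8, 0x65,0x48,0x89,0x24,0x25,0x10,0x00,0x00,0x00 };
const uint8_t copied_hook_prologue[12] = { 0x0F,0x01,0xF8, 0x65,0x48,0x89,0x24,0x25,0x10,0x00,0x00,0x00 };

int main(void) {
    uint64_t readings[] = { sample_lstar_clean(), sample_lstar_hooked(), sample_lstar_unbacked() };
    for (size_t i = 0; i < 3; i++) {
        const char *owner;
        lstar_verdict v = check_lstar(readings[i], sample_modules, N_SAMPLE, "ntoskrnl.exe", &owner);
        printf("LSTAR=0x%016llx -> %s (owner: %s)\n", (unsigned long long)readings[i],
               v == LSTAR_OK_IN_NT ? "ok" : v == LSTAR_IN_OTHER_MODULE ? "REDIRECTED" : "UNBACKED",
               owner ? owner : "none");
    }
    printf("prologue bytes identical: %d\n",
           entry_bytes_match(copied_hook_prologue, kisyscall64_prologue, sizeof kisyscall64_prologue));
    return 0;
}
```

The second reading models the situation in the post: the entry bytes compare equal, yet the owner of the LSTAR address is the third-party driver rather than the kernel image, which is the signal a monitoring tool should report.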