A forum for reverse engineering, OS internals and malware analysis 

 #25408  by rebuilty
 Sat Mar 07, 2015 8:48 am
I hook some ShadowSSDT functions (e.g. NtUserPostMessage) on an x86 OS to protect my process, but on x64 PatchGuard protects the service table, so I can't hook any system functions.

Can I filter window messages via ObRegisterCallbacks or any other function?
 #25409  by Vrtule
 Sat Mar 07, 2015 10:11 am
Hello,

you can filter messages issued via SendMessage and directed to certain application(s) by hooking their ntdll!KiUserCallbackDispatcher.
 #25410  by rebuilty
 Sat Mar 07, 2015 10:51 am
Vrtule wrote: Hello,

you can filter messages issued via SendMessage and directed to certain application(s) by hooking their ntdll!KiUserCallbackDispatcher.
How can I filter messages like a HIPS (e.g. Comodo Firewall) does?
 #25411  by Vrtule
 Sat Mar 07, 2015 11:31 am
AFAIK PatchGuard starts protecting the ShadowSSDT in Windows 8, so there is actually no problem (except compatibility with future and newer OS versions) in hooking the table on previous versions of Windows.

Did you test the HIPS on Windows 8 or newer?
 #25418  by rebuilty
 Sun Mar 08, 2015 5:42 am
Vrtule wrote: AFAIK PatchGuard starts protecting the ShadowSSDT in Windows 8, so there is actually no problem (except compatibility with future and newer OS versions) in hooking the table on previous versions of Windows.

Did you test the HIPS on Windows 8 or newer?
I tested on Win8.1 x64 and found something interesting.
It seems the HIPS uses a process notify callback to inject its DLL when a new process starts, and then hooks Nt**** in ntdll and Post/SendMessage in user32 in ring 3.
It also creates a pipe (\\cmdAuth) to transfer data.

I'm now trying to write similar code :)