A forum for reverse engineering, OS internals and malware analysis 

 #24246  by Ta!0n
 Tue Oct 28, 2014 5:37 pm
Hey Guys,

I just finished reading the Kaspersky Hooking Engine Analysis documentation: https://quequero.org/2014/10/kaspersky- ... -analysis/
I have a quick question: the article refers to SSDT hooking on 32-bit Windows. How can they achieve SSDT hooking on x86_64? PatchGuard will prevent any SSDT modification even if your driver is signed, is this correct?
If so, how do AV engines achieve the same operation?

Cheers,

ta10n
 #24250  by R136a1
 Tue Oct 28, 2014 7:50 pm
SSDT hooking is not performed on 64-bit systems because Kernel Patch Protection (KPP), also known as PatchGuard, protects this structure.
It is nevertheless possible to use a mini-filter driver as a workaround.
 #24253  by t4L
 Wed Oct 29, 2014 2:39 am
It is anyway possible to use a mini-filter driver as a workaround.
I find this quite funny, as in fact it is the other way around: you MUST use a minifilter, while hooking the SSDT is just a workaround.
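As an added example (it is not part of any post in this thread), the PowerShell below enumerates the file system minifilters actually loaded on a 64-bit host, which is the check to run if you want to see how an AV product intercepts file I/O without touching the SSDT. It parses the output of fltmc.exe (which needs an elevated prompt), looks up the backing driver image through Win32_SystemDriver and reads its Authenticode signer. Two assumptions are built in: that a filter's name equals its service name, which holds for most drivers but is not guaranteed by Windows, and that the fltmc column layout (Filter Name, Num Instances, Altitude, Frame) is the one current builds print.

```powershell
# Added example, not code from the thread or from any AV vendor.
# Lists loaded minifilters with altitude, backing image and signer.
# Requires an elevated prompt because fltmc.exe needs administrative rights.

function Get-LoadedMinifilter {
    $lines = & fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fltmc failed (run elevated): $lines" }

    foreach ($line in $lines) {
        # Expected columns: Filter Name, Num Instances, Altitude, Frame
        if ($line -notmatch '^(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>\d+(?:\.\d+)?)\s+(?<frame>\S+)\s*$') { continue }

        $name   = $Matches.name
        $alt    = [double]$Matches.alt
        $file   = $null
        $signer = $null

        # Assumption: filter name == service name (true for most drivers, not all)
        $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc -and $svc.PathName) {
            # Normalise the NT-style paths the SCM stores into a Win32 path
            $file = $svc.PathName `
                -replace '^\\\?\?\\', '' `
                -replace '^\\SystemRoot', $env:SystemRoot `
                -replace '^system32', "$env:SystemRoot\system32"
            $sig = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Microsoft reserves 320000-329999 for the FSFilter Anti-Virus load-order group
        $group = if ($alt -ge 320000 -and $alt -le 329999) { 'Anti-Virus' } else { 'Other' }

        [pscustomobject]@{
            Filter    = $name
            Instances = [int]$Matches.inst
            Altitude  = $alt
            Group     = $group
            Frame     = $Matches.frame
            Image     = $file
            Signer    = $signer
        }
    }
}

# Highest altitude first: that is the order in which pre-operation callbacks see an I/O request
Get-LoadedMinifilter | Sort-Object Altitude -Descending | Format-Table -AutoSize
```

Any third-party AV engine on x64 should show up here with an altitude in the Anti-Virus range and a signed image; a filter whose name resolves to no service, or whose image fails signature verification, is worth a closer look rather than a conclusion.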
 #24344  by Microwave89
 Fri Nov 14, 2014 12:56 am
You can also have a device object if you previously created a fake driver object. So there might be no (valid) .sys file associated with a particular device.

Best Regards

Microwave89