A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #12602  by listito
 Tue Apr 10, 2012 6:08 pm
I've read somewhere that ia_32_sysenter holds the offset which is loaded into EIP when SYSENTER is executed. Is there any kind of stealthy, best method of kernel hooking when the purpose is monitoring the value of EAX when SYSENTER is called?
 #12608  by everdox
 Tue Apr 10, 2012 10:11 pm
Well, yeah, just hook the MSR. There is going to be no 'perfect' or undetectable way. Obviously you will have to do it on a per-processor basis, provided you are using a multi-core system. Check out KeSetAffinityThread; that's the same way PatchGuard does integrity checking on MSRs, last time I checked.
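The per-processor MSR integrity check mentioned above, from the detection side: the example below is added here and is not code from the thread or from any poster. It models the core of a PatchGuard-style check on IA32_SYSENTER_EIP (MSR index 0x176): read the register on every processor, confirm all processors agree, confirm the value lies inside the kernel image, and compare it against the value recorded when the checker was installed. In a Windows driver the per-processor read would be done by binding the thread to each processor (KeSetSystemAffinityThreadEx, or KeSetAffinityThread as named in the post) and calling the __readmsr intrinsic; here that read sits behind a callback so the comparison logic compiles and runs in user mode against constructed values. The kernel image bounds, the four sample MSR values and the "hooked" processor 3 are all constructed for the example.

```c
/*
 * Added example, not from the thread: PatchGuard-style integrity check of
 * IA32_SYSENTER_EIP across all processors, with the MSR read abstracted so
 * the logic can run in user mode on constructed values.
 */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define IA32_SYSENTER_EIP 0x176u   /* MSR index, Intel SDM */

/* Reads one MSR on one processor. In a driver: bind to cpu, then __readmsr(). */
typedef uint64_t (*msr_reader_fn)(unsigned cpu, uint32_t msr, void *ctx);

struct kernel_image {
    uint64_t base;   /* load address of the kernel image (assumed known) */
    uint64_t size;   /* image size in bytes */
};

enum msr_check_result {
    MSR_OK = 0,
    MSR_OUTSIDE_KERNEL = 1,  /* value points outside the kernel image */
    MSR_CPU_MISMATCH = 2,    /* processors disagree with each other */
    MSR_CHANGED = 4          /* differs from the value recorded earlier */
};

/*
 * Checks IA32_SYSENTER_EIP on cpu_count processors. `expected` is the value
 * recorded when the checker was installed (0 = nothing recorded). Returns a
 * bitmask of msr_check_result flags; the last offending processor, if any,
 * is written to *bad_cpu when bad_cpu is non-NULL.
 */
unsigned check_sysenter_eip(msr_reader_fn read, void *ctx, unsigned cpu_count,
                            const struct kernel_image *krnl, uint64_t expected,
                            unsigned *bad_cpu)
{
    unsigned flags = MSR_OK;
    uint64_t first = 0;

    for (unsigned cpu = 0; cpu < cpu_count; cpu++) {
        uint64_t v = read(cpu, IA32_SYSENTER_EIP, ctx);

        /* The SYSENTER entry point must live inside the kernel image. */
        if (v < krnl->base || v >= krnl->base + krnl->size) {
            flags |= MSR_OUTSIDE_KERNEL;
            if (bad_cpu) *bad_cpu = cpu;
        }
        /* A hook applied to only some processors shows up as disagreement. */
        if (cpu == 0) {
            first = v;
        } else if (v != first) {
            flags |= MSR_CPU_MISMATCH;
            if (bad_cpu) *bad_cpu = cpu;
        }
        /* A hook applied everywhere still differs from the recorded value. */
        if (expected != 0 && v != expected)
            flags |= MSR_CHANGED;
    }
    return flags;
}

/* Constructed sample: a 4-processor system where processor 3 was redirected. */
static const uint64_t sample_values[4] = {
    0x82c0b000ull, 0x82c0b000ull, 0x82c0b000ull, 0x9a001000ull
};
static const struct kernel_image sample_kernel = { 0x82c00000ull, 0x400000ull };
static const uint64_t sample_recorded = 0x82c0b000ull;

static uint64_t sample_reader(unsigned cpu, uint32_t msr, void *ctx)
{
    const uint64_t *vals = ctx;
    (void)msr;
    return vals[cpu];
}

/* All four constructed processors: returns the combined flag bitmask. */
unsigned run_sample_check(unsigned *bad_cpu)
{
    return check_sysenter_eip(sample_reader, (void *)sample_values, 4,
                              &sample_kernel, sample_recorded, bad_cpu);
}

/* Which processor the sample check flags. */
unsigned sample_bad_cpu(void)
{
    unsigned bad = 0;
    (void)run_sample_check(&bad);
    return bad;
}

/* Only the first three (unmodified) processors: should report MSR_OK. */
unsigned run_clean_check(void)
{
    return check_sysenter_eip(sample_reader, (void *)sample_values, 3,
                              &sample_kernel, sample_recorded, NULL);
}

int main(void)
{
    unsigned bad = 0;
    unsigned flags = run_sample_check(&bad);
    printf("IA32_SYSENTER_EIP check: flags=0x%x, offending cpu=%u\n", flags, bad);
    printf("clean subset: flags=0x%x\n", run_clean_check());
    return flags == MSR_OK ? 0 : 1;
}
```

The three flags are deliberately independent: a hook installed on a single processor trips the mismatch test even if it points into the kernel image, while a hook installed consistently on every processor is only caught by the image-bounds test or by comparison with the value recorded at install time, which is why a checker needs to record that baseline before anything else has had a chance to run.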
 #12692  by lorddoskias
 Fri Apr 13, 2012 5:11 pm
I don't think it is useless. It certainly raises the bar. Recently there haven't been any rootkits which targeted PatchGuard explicitly (by explicitly I mean circumventing the actual DPCs etc.); rather, they all try to disable it even before it has started, so I'd say it is effective to a certain extent.
 #12694  by Vrtule
 Fri Apr 13, 2012 7:24 pm
lorddoskias wrote: I don't think it is useless. It certainly raises the bar. Recently there haven't been any rootkits which targeted PatchGuard explicitly (by explicitly I mean circumventing the actual DPCs etc.); rather, they all try to disable it even before it has started, so I'd say it is effective to a certain extent.
Yes, I agree. PatchGuard does not make kernel hooking impossible. However, it probably discourages many from doing so. People use documented methods to solve their problems, there are far fewer data and code modifications, so the whole kernel should be more stable.
 #12697  by everdox
 Fri Apr 13, 2012 10:33 pm
Vrtule wrote:
lorddoskias wrote: I don't think it is useless. It certainly raises the bar. Recently there haven't been any rootkits which targeted PatchGuard explicitly (by explicitly I mean circumventing the actual DPCs etc.); rather, they all try to disable it even before it has started, so I'd say it is effective to a certain extent.
Yes, I agree. PatchGuard does not make kernel hooking impossible. However, it probably discourages many from doing so. People use documented methods to solve their problems, there are far fewer data and code modifications, so the whole kernel should be more stable.

I agree, and also in the context of DRM using various types of kernel patching. So in that sense PatchGuard certainly has its positive aspects. There are still plenty of things that can be done with DKOM anyway ;)
 #12724  by Flamef
 Sat Apr 14, 2012 3:43 pm
listito wrote: Thanks. IMHO PatchGuard is almost useless; trying to protect the Windows kernel with ring 0 code is stupid.
Can you justify your point?

In my opinion, PatchGuard is not useless. Indeed it raises the bar; I mean, the rootkits now need to be more customized in order to cope with PatchGuard. More actual skills are needed; as a result, many people get "discouraged", and they give up.