Win x64 ring0 protection

#5396 by listito
Thu Mar 10, 2011 9:50 am

Hello, i'd like to ask you guyz about something, if it's not allowed to ssdt hook in win x64, how do av's manage to detect and forbid certain types of access?

Is there any way to forbid OpenProcess() without ssdt hooking?

Username

listito

Posts

48

Joined

Fri Jan 07, 2011 6:59 pm

Re: Win x64 ring0 protection

#5397 by EP_X0FF
Thu Mar 10, 2011 9:54 am

listito wrote:Hello, i'd like to ask you guyz about something, if it's not allowed to ssdt hook in win x64, how do av's manage to detect and forbid certain types of access?

Is there any way to forbid OpenProcess() without ssdt hooking?

Use search next time.

http://www.kernelmode.info/forum/viewto ... 3378#p3378

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win x64 ring0 protection

#5398 by listito
Thu Mar 10, 2011 10:43 am

hey thanks, but i'm just thinking, how secure are these callbacks?

Username

listito

Posts

48

Joined

Fri Jan 07, 2011 6:59 pm

Re: Win x64 ring0 protection

#5399 by EP_X0FF
Thu Mar 10, 2011 10:44 am

They work at object level.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Win x64 ring0 protection

#5442 by Vrtule
Fri Mar 11, 2011 7:53 pm

listito: I think they are more secure than SSDT hooks. They do not work with handles and important buffers are already copied to the kernel memory . So, certain attacks/bypasses are not possible.

Personally, I think that hooking should be avoied whenever possible.

Username

Vrtule

Posts

468

Joined

Sat Mar 13, 2010 9:14 pm

Location

Czech Republic

Contact