A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #26377  by Pancake
 Sun Jul 26, 2015 1:19 pm
Hello. I'm developing a bot for some game, and trying to be as stealthy as possible I planned to do some stuff in the kernel. On x32 it was pretty easy to hook the SSDT, and that was basically it, but on x64 things are different. I know the PatchGuard limitations, and I can't find a way to intercept the syscalls. The only "legal" way to get notified was ObRegisterCallbacks, but it works only for process creation and some other operations with handles. I dug through the entire internet and couldn't find an answer: how do I get notified when a selected process calls Zw APIs (I need several ones) or interrupts are hit? And by the way, is it possible to handle a selected process's exceptions in my driver (or make my driver attach to a process as a debugger?) so I don't have to register a handler and do other detectable stuff in the usermode process? I want to hide and preserve the debug registers because I'm using HWBPs to intercept game loops and don't want the usermode process to be able to read Dr0-7. I don't want to hook anything in usermode, all in the driver; is it possible on x64?

Greetz
 #26380  by Vrtule
 Sun Jul 26, 2015 5:25 pm
Hello,

if you really wish to hook system calls, look at the following topic:
http://www.kernelmode.info/forum/viewto ... 69&p=25428
Kaspersky seems to utilize hardware virtualization to hide their MSR-based SYSENTER/SYSCALL hook from PatchGuard. I really don't know how expensive (in terms of time and... difficulty) it would be to implement such a thing.

As for debugging and similar things: what about modifying the exception port and/or debug port of the target processes? I am not sure if it can help in any way, I just think it might be worth a try.
 #26383  by cziter15
 Mon Jul 27, 2015 7:21 am
You can "hack" ObCallbacks to be notified for other objects than Process or Thread.

Anyway, if you are playing with a 32-bit game, you can use a Heaven's Gate hook, bypassing known detection mechanisms. It works very similarly to a SYSENTER hook and is done from ring 3.

If you plan to emulate your input in-game, and you are in the context of the game, you can easily emulate keyboard/mouse by injecting your actions into WndProc or an input subsystem like DINPUT.

Moreover, you can set up a Vectored Exception Handler (AddVectoredExceptionHandler) from the context of the game application to handle int 3 or other types of breakpoints (HWBP too).

If you want to be like Kaspersky and use VT, it will take some time to develop a working and stable solution. Remember that a lot of users have VT-x disabled by default.
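The VEH-plus-hardware-breakpoint setup cziter15 describes, as an added example that is not part of any post in this thread and not code from either poster. The DR7 encoder and DR6 decoder are portable C and follow the Intel SDM layout; the installer (GetThreadContext/SetThreadContext with CONTEXT_DEBUG_REGISTERS), the vectored handler and the `target` function are Windows-only and compiled only under `_WIN32`. Two details the handler has to get right that are easy to miss: DR6 status bits are sticky and must be cleared by the handler, and an execute breakpoint resumes past the faulting instruction only if RF (EFLAGS bit 16) is set before continuing.

```c
/* Added example: DR7/DR6 bookkeeping and a VEH for hardware breakpoints.
 * Not from any post in the thread.  Portable part first, Windows part under _WIN32. */
#include <stdint.h>
#include <stdio.h>

enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bit 2*n     Ln   local enable for slot n
 *   bits 16+4n  R/Wn 00 exec, 01 write, 10 I/O, 11 read/write
 *   bits 18+4n  LENn 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes
 * Execute breakpoints must use LEN 00.  Returns 0 on success, -1 on bad input
 * (and leaves *dr7 untouched on failure). */
int dr7_encode(uint64_t *dr7, unsigned slot, enum bp_kind kind, unsigned len_bytes)
{
    unsigned len_bits;
    if (slot > 3) return -1;
    switch (len_bytes) {
    case 1: len_bits = 0; break;
    case 2: len_bits = 1; break;
    case 4: len_bits = 3; break;
    case 8: len_bits = 2; break;
    default: return -1;
    }
    if (kind == BP_EXEC && len_bits != 0) return -1;
    uint64_t v = *dr7;
    v &= ~(0xFULL << (16 + 4 * slot));        /* clear the slot's R/W + LEN nibble */
    v |= (uint64_t)kind << (16 + 4 * slot);
    v |= (uint64_t)len_bits << (18 + 4 * slot);
    v |= 1ULL << (2 * slot);                   /* Ln: local enable */
    *dr7 = v;
    return 0;
}

/* Disarm a slot: clear Ln, Gn and its R/W + LEN nibble. */
int dr7_clear(uint64_t *dr7, unsigned slot)
{
    if (slot > 3) return -1;
    *dr7 &= ~(3ULL << (2 * slot));
    *dr7 &= ~(0xFULL << (16 + 4 * slot));
    return 0;
}

/* DR6 bits 0-3 (B0-B3) say which slot's condition was met.  The CPU never
 * clears them, so the handler must zero DR6 or the next #DB looks like a
 * repeat hit.  Returns the slot 0-3, or -1 if no breakpoint bit is set. */
int dr6_hit_slot(uint64_t dr6)
{
    for (unsigned n = 0; n < 4; n++)
        if (dr6 & (1ULL << n)) return (int)n;
    return -1;
}

/* DR6.BS (bit 14): the trap came from TF single-stepping, not a breakpoint. */
int dr6_single_step(uint64_t dr6) { return (int)((dr6 >> 14) & 1); }

#ifdef _WIN32
#include <windows.h>

static LONG CALLBACK hwbp_handler(PEXCEPTION_POINTERS ep)
{
    CONTEXT *ctx = ep->ContextRecord;
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP)
        return EXCEPTION_CONTINUE_SEARCH;
    int slot = dr6_hit_slot(ctx->Dr6);
    if (slot < 0) return EXCEPTION_CONTINUE_SEARCH;   /* somebody else's TF step */
    printf("HWBP slot %d hit at %p\n", slot, ep->ExceptionRecord->ExceptionAddress);
    ctx->Dr6 = 0;             /* sticky status bits */
    ctx->EFlags |= 0x10000;   /* RF: resume past the exec breakpoint without re-faulting */
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Arm DR0 as an execute breakpoint on the calling thread through the context API. */
static int install_exec_bp(void *addr)
{
    CONTEXT ctx;
    ZeroMemory(&ctx, sizeof ctx);
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    HANDLE t = GetCurrentThread();
    if (!GetThreadContext(t, &ctx)) return -1;
    uint64_t dr7 = ctx.Dr7;
    if (dr7_encode(&dr7, 0, BP_EXEC, 1) != 0) return -1;
    ctx.Dr0 = (DWORD_PTR)addr;
    ctx.Dr7 = (DWORD_PTR)dr7;
    return SetThreadContext(t, &ctx) ? 0 : -1;
}

static volatile int target_calls;
static void __declspec(noinline) target(void) { target_calls++; }

int main(void)
{
    AddVectoredExceptionHandler(1, hwbp_handler);       /* 1 = call us first */
    if (install_exec_bp((void *)target) != 0) return 1;
    target();                    /* traps into hwbp_handler, then runs normally */
    printf("target ran %d time(s)\n", target_calls);
    return 0;
}
#else
int main(void)
{
    uint64_t dr7 = 0;
    dr7_encode(&dr7, 1, BP_WRITE, 4);
    printf("DR7 for a 4-byte write watchpoint in slot 1: 0x%llx\n", (unsigned long long)dr7);
    return 0;
}
#endif
```

Note that everything this does is visible from usermode: the breakpoint lives in the thread's CONTEXT, so any code in the process (or an anti-cheat calling GetThreadContext on the thread) can read Dr0-7 back, which is exactly the exposure the original post wants to avoid by moving the setup into a driver.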
 #26386  by Pancake
 Mon Jul 27, 2015 10:17 am
" You can "hack" ObCallbacks to be notified for other objects than Process or Thread. "

How?

"Anyway, if you are playing with a 32-bit game, you can use a Heaven's Gate hook, bypassing known detection mechanisms. It works very similarly to a SYSENTER hook and is done from ring 3."

I know a lot about bypassing GameGuard and writing bots in general. One new anticheat detects HWBPs and usermode hooks on Zw APIs, fs:[c0], and I decided to make the bot (mainly for practice) in kernel mode. I don't want to modify GameGuard's code, just be stealthy and let it run.

"Moreover, you can set up a Vectored Exception Handler (AddVectoredExceptionHandler) from the context of the game application to handle int 3 or other types of breakpoints (HWBP too)."

That's how I do it right now.

"If you want to be like Kaspersky and use VT, it will take some time to develop a working and stable solution. Remember that a lot of users have VT-x disabled by default."

What's VT?