#18018 by gloryo
Mon Feb 04, 2013 1:54 am
xqrzd wrote: Object type hooks work fine for me on x86 Windows 8. I've not tested x64, but I would assume PatchGuard still covers it.
I've tested hooking the open procedure of PsProcessType on Windows 8 x64, and it works fine for a long time without any BSOD.
Is there anyone who has tested it more?
#18072 by m5home
Thu Feb 07, 2013 3:27 am
gloryo wrote:
xqrzd wrote: Object type hooks work fine for me on x86 Windows 8. I've not tested x64, but I would assume PatchGuard still covers it.
I've tested hooking the open procedure of PsProcessType on Windows 8 x64, and it works fine for a long time without any BSOD.
Is there anyone who has tested it more?
Are you sure?
Long, long ago I edited a bit (yes, just a bit) of IoFileType on WIN8 x64 to enable the file callback of ObRegisterCallbacks.
It bugchecked (0x109) after 5 hours. But it works very well on WIN7 x64.
#23255 by moda
Tue Jul 01, 2014 9:35 pm
Dmitry Varshavsky wrote:
m5home wrote:
Vrtule wrote: Yes, ObRegisterCallbacks does the job much, much better and the defense is less vulnerable. Personally, I do not see much of interest in this kind of hooking on 64-bit systems.
I know, kernel hooks are not a good way on WIN64.

But kernel hooks (including SSDT hooks and inline hooks) can do many things.

ObRegisterCallbacks can monitor process/thread handles only, which means this function can protect processes/threads only.

My rule: try to use the standard method; if the standard method cannot meet my need, I will use a hook to achieve it.
ObRegisterCallbacks is much more flexible and useful than hooking a single NtTerminateProcess routine. It can restrict suspend/resume, VM operations, setting of context and many other things. You would require a bunch of hooked functions to achieve the whole functionality ObRegisterCallbacks provides you. Especially when we talk about x64 systems.
Think about it.
That entirely depends on what your purpose is. If your intention is to protect a process from being closed, then of course ObRegisterCallbacks is a much more elegant solution than an SSDT hook, particularly on x64. However, what if you want to handle a specific operation? For example, what if you want to protect a particular region of memory from read operations? You would want a hook on NtQueryVirtualMemory / NtReadVirtualMemory and check the parameters to see whether the address lies in the memory region you want to protect. There are other examples where you need to check particular parameters that don't exist in ObRegisterCallbacks.
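Added example, not code posted in this thread: the access-mask filtering that Dmitry and moda are discussing, written as a pre-operation callback in the shape ObRegisterCallbacks expects. The WDK types (OB_PRE_OPERATION_INFORMATION and its handle-information unions) are replaced here by simplified stand-ins that model only the fields the callback touches, so the logic compiles and can be exercised outside a driver; the constant values are the real ones from ntddk.h / winnt.h, and SimulateOpen, SetProtectedProcess and the g_CurrentProcess stand-in for PsGetCurrentProcess() are assumptions made for the example. In a driver you would include <ntddk.h>, fill an OB_OPERATION_REGISTRATION for PsProcessType (and PsThreadType, to cover SetThreadContext and suspend) and pass the callback to ObRegisterCallbacks; because this is a documented interface rather than a patched object type, PatchGuard is not a concern.

```c
/* Stand-ins for the WDK types: only the fields the callback uses are modelled. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

typedef uint32_t ACCESS_MASK;
typedef void *PVOID;

/* Real values from ntddk.h / winnt.h. */
#define OB_OPERATION_HANDLE_CREATE     0x00000001
#define OB_OPERATION_HANDLE_DUPLICATE  0x00000002
#define OB_PREOP_SUCCESS               0

#define PROCESS_TERMINATE                  0x0001
#define PROCESS_CREATE_THREAD              0x0002
#define PROCESS_VM_OPERATION               0x0008
#define PROCESS_VM_READ                    0x0010
#define PROCESS_VM_WRITE                   0x0020
#define PROCESS_DUP_HANDLE                 0x0040
#define PROCESS_SUSPEND_RESUME             0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION  0x1000

typedef struct _OB_PRE_CREATE_HANDLE_INFORMATION {
    ACCESS_MASK DesiredAccess;          /* in/out: the callback may clear bits */
    ACCESS_MASK OriginalDesiredAccess;  /* what the caller asked for */
} OB_PRE_CREATE_HANDLE_INFORMATION;

typedef struct _OB_PRE_DUPLICATE_HANDLE_INFORMATION {
    ACCESS_MASK DesiredAccess;
    ACCESS_MASK OriginalDesiredAccess;
    PVOID SourceProcess;
    PVOID TargetProcess;
} OB_PRE_DUPLICATE_HANDLE_INFORMATION;

typedef struct _OB_PRE_OPERATION_INFORMATION {
    uint32_t Operation;   /* OB_OPERATION_HANDLE_CREATE or _DUPLICATE */
    uint32_t Flags;       /* bit 0 = KernelHandle, as in the real structure */
    PVOID Object;         /* the PEPROCESS being opened */
    union {
        OB_PRE_CREATE_HANDLE_INFORMATION CreateHandleInformation;
        OB_PRE_DUPLICATE_HANDLE_INFORMATION DuplicateHandleInformation;
    } Parameters;
} OB_PRE_OPERATION_INFORMATION, *POB_PRE_OPERATION_INFORMATION;

/* Rights that let another process kill, inject into, read/write or suspend
 * the protected process. Everything else (e.g. query limited info) passes. */
#define DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
                       PROCESS_VM_OPERATION | PROCESS_VM_READ | \
                       PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | \
                       PROCESS_SUSPEND_RESUME)

/* In a driver these are PEPROCESS values; g_CurrentProcess stands in for
 * PsGetCurrentProcess() so the example can run in user mode. */
static PVOID g_ProtectedProcess;
static PVOID g_CurrentProcess;

void SetProtectedProcess(PVOID process) { g_ProtectedProcess = process; }

/* Pre-operation callback in the shape ObRegisterCallbacks expects. */
uint32_t ProtectProcessPreOp(PVOID RegistrationContext,
                             POB_PRE_OPERATION_INFORMATION Info)
{
    ACCESS_MASK *access;
    (void)RegistrationContext;

    /* Not our process: leave the request untouched. */
    if (Info->Object != g_ProtectedProcess)
        return OB_PREOP_SUCCESS;

    /* The protected process may open itself (e.g. via GetCurrentProcess). */
    if (g_CurrentProcess == g_ProtectedProcess)
        return OB_PREOP_SUCCESS;

    /* Kernel handle requests are left alone: stripping them breaks
     * legitimate kernel components and they are not the threat here. */
    if (Info->Flags & 1u)
        return OB_PREOP_SUCCESS;

    access = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &Info->Parameters.CreateHandleInformation.DesiredAccess
        : &Info->Parameters.DuplicateHandleInformation.DesiredAccess;

    /* Clear only the dangerous bits. The open still succeeds with reduced
     * rights, so tools that merely enumerate the process keep working. */
    *access &= ~(ACCESS_MASK)DENIED_RIGHTS;
    return OB_PREOP_SUCCESS;
}

/* Assumed helper: simulates one OpenProcess() arriving at the callback and
 * returns the access mask that would actually be granted. */
ACCESS_MASK SimulateOpen(PVOID caller, PVOID target, bool kernelHandle,
                         ACCESS_MASK requested)
{
    OB_PRE_OPERATION_INFORMATION info = {0};
    info.Operation = OB_OPERATION_HANDLE_CREATE;
    info.Flags = kernelHandle ? 1u : 0u;
    info.Object = target;
    info.Parameters.CreateHandleInformation.DesiredAccess = requested;
    info.Parameters.CreateHandleInformation.OriginalDesiredAccess = requested;
    g_CurrentProcess = caller;
    ProtectProcessPreOp(NULL, &info);
    return info.Parameters.CreateHandleInformation.DesiredAccess;
}
```

The point moda makes still holds: the callback sees only the object, the operation and the access mask, so it can decide whether a caller gets PROCESS_VM_READ at all, but it cannot see which address a later NtReadVirtualMemory call targets.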