Dmitry Varshavsky wrote:
m5home wrote:
Vrtule wrote:
Yes, ObRegisterCallbacks does the job much, much better and the defense is less vulnerable. Personally, I do not see much interesting in this kind of hooking on 64-bit systems.
I know, kernel hooking is not a good way on WIN64.
But kernel hooks (including SSDT hooks and inline hooks) can do many things.
ObRegisterCallbacks can monitor process/thread handles only, which means that this function can protect processes/threads only.
My rule: try to use the standard method; if the standard method cannot realize my need, I will use a hook to realize it.
ObRegisterCallbacks is much more flexible and useful than hooking a single NtTerminateProcess routine. It can restrict suspend/resume, VM operations, setting of context and many other things. You would require a bunch of hooked functions to achieve the whole functionality ObRegisterCallbacks provides you. Especially when we talk about x64 systems.
Think about it.
That entirely depends on what your purpose is. If your intention is to protect a process from being closed, then of course ObRegisterCallbacks is a much more elegant solution than an SSDT hook, particularly on x64. However, what if you want to handle a specific operation? For example, what if you want to protect a particular region of memory from read operations? You would want a hook on NtQueryVirtualMemory / NtReadVirtualMemory and check the parameters to see whether the address lies in the memory region you want to protect. There are other examples where you need to check particular parameters that ObRegisterCallbacks does not expose.
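As an added illustration of both sides of this exchange (example code written for this page, not code from any poster or from a real driver): the decision logic of an ObRegisterCallbacks pre-operation callback, modelled in plain C so it compiles and runs outside the kernel. The `pre_op_info` struct, `simulate_open`, `set_protected_pid` and the single-protected-PID policy are assumed stand-ins for OB_PRE_OPERATION_INFORMATION and for whatever a real driver uses to decide which process is protected; the PROCESS_* and THREAD_* values are the documented winnt.h access rights. It shows the point Dmitry makes (one callback strips terminate, VM, suspend/resume and context rights at once) and the point of the last post (the callback's only lever is an access mask, so it can deny PROCESS_VM_READ outright but cannot express "allow reads except of this region").

```c
/* Added example: host-compilable model of an ObRegisterCallbacks
 * pre-operation callback.  The struct, simulate_open() and the
 * single-PID policy are assumed stand-ins; the access-right values are
 * the documented winnt.h constants.  Not code from this thread. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Process rights that let a foreign process kill, inject into, read,
 * write, freeze or reconfigure the target (winnt.h values). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_SET_INFORMATION           0x0200u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define PROCESS_ALL_ACCESS_VISTA          0x1FFFFFu

/* Thread rights covering the suspend/resume and context cases. */
#define THREAD_TERMINATE        0x0001u
#define THREAD_SUSPEND_RESUME   0x0002u
#define THREAD_GET_CONTEXT      0x0008u
#define THREAD_SET_CONTEXT      0x0010u
#define THREAD_SET_INFORMATION  0x0020u

#define PROCESS_DENY_MASK (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
        PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | \
        PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME)
#define THREAD_DENY_MASK (THREAD_TERMINATE | THREAD_SUSPEND_RESUME | \
        THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SET_INFORMATION)

enum obj_type { OBJ_PROCESS = 1, OBJ_THREAD = 2 };

/* Assumed stand-in for the parts of OB_PRE_OPERATION_INFORMATION used here.
 * owner_pid is the PID of the process object, or of the process owning the
 * thread object (PsGetThreadProcessId in a real driver). */
struct pre_op_info {
    enum obj_type type;
    bool          kernel_handle;   /* KernelHandle flag */
    uint32_t      owner_pid;
    uint32_t      requester_pid;   /* PsGetCurrentProcessId() in the callback */
    ACCESS_MASK   desired_access;  /* in/out: the callback rewrites this */
};

static uint32_t g_protected_pid;   /* assumption: the driver protects one PID */

uint32_t set_protected_pid(uint32_t pid) { g_protected_pid = pid; return pid; }

/* Filters desired_access in place and returns the mask the kernel will grant.
 * A real callback writes this back into
 * Parameters->CreateHandleInformation.DesiredAccess (or the
 * DuplicateHandleInformation field for OB_OPERATION_HANDLE_DUPLICATE). */
ACCESS_MASK pre_operation_callback(struct pre_op_info *info)
{
    /* Kernel handles (OBJ_KERNEL_HANDLE, ZwOpenProcess from drivers) are left
     * alone; stripping rights from them destabilises the system. */
    if (info->kernel_handle)
        return info->desired_access;
    if (info->owner_pid != g_protected_pid)
        return info->desired_access;
    /* The protected process opening itself or its own threads keeps full
     * rights, otherwise ordinary in-process operations would start failing. */
    if (info->requester_pid == g_protected_pid)
        return info->desired_access;

    /* The whole lever this callback has is the access mask.  It can remove
     * PROCESS_VM_READ entirely, but it never sees the address a later
     * NtReadVirtualMemory call will use, so per-region protection cannot be
     * expressed here; that needs a hook at the syscall level. */
    ACCESS_MASK deny = (info->type == OBJ_THREAD) ? THREAD_DENY_MASK
                                                  : PROCESS_DENY_MASK;
    info->desired_access &= ~deny;
    return info->desired_access;
}

/* Convenience wrapper: what access does requester get on owner's object? */
ACCESS_MASK simulate_open(enum obj_type type, uint32_t requester,
                          uint32_t owner, ACCESS_MASK desired, bool kernel)
{
    struct pre_op_info info = { type, kernel, owner, requester, desired };
    return pre_operation_callback(&info);
}

int main(void)
{
    set_protected_pid(1234);   /* constructed sample PIDs */
    ACCESS_MASK granted = simulate_open(OBJ_PROCESS, 4321, 1234,
                                        PROCESS_ALL_ACCESS_VISTA, false);
    printf("foreign open of protected process: 0x%06x (VM_READ %s)\n",
           (unsigned)granted, (granted & PROCESS_VM_READ) ? "kept" : "stripped");
    return 0;
}
```

The kernel-handle and self-access exemptions are the two checks most often forgotten in first attempts at this callback; leaving them out is what turns a "protected" process into one that cannot start or that BSODs the box when a driver opens it. Note also that stripping PROCESS_DUP_HANDLE matters: without it, a foreign process can open the target with a harmless mask and then duplicate a fuller handle, which is why the callback must handle OB_OPERATION_HANDLE_DUPLICATE with the same policy.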