
Patching SSDT using Signed Driver

PostPosted:Tue Oct 28, 2014 5:37 pm
by Ta!0n
Hey Guys,

I just finished reading the Kaspersky Hooking Engine Analysis documentation: https://quequero.org/2014/10/kaspersky- ... -analysis/
I have a quick question: the article refers to SSDT hooking on 32-bit Windows. How can they achieve SSDT hooking on x86_64? PatchGuard will prevent any SSDT modification even if your driver is signed, is this correct?
If so, how do the AV engines achieve the same operation?

Cheers,

ta10n

Re: Patching SSDT using Signed Driver

PostPosted:Tue Oct 28, 2014 7:50 pm
by R136a1
SSDT hooking is not performed on 64-bit systems because Kernel Patch Protection (KPP), also known as PatchGuard, protects this structure.
It is anyway possible to use a minifilter driver as a workaround.

Re: Patching SSDT using Signed Driver

PostPosted:Wed Oct 29, 2014 2:39 am
by t4L
R136a1 wrote: It is anyway possible to use a minifilter driver as a workaround.
I find this quite funny, as in fact it is totally the other way round. You MUST use a minifilter, while hooking the SSDT is just a workaround.

Re: Patching SSDT using Signed Driver

PostPosted:Wed Oct 29, 2014 6:22 pm
by rnd.usr
AV engines can just look at the driver filters list. Each device will have a .sys file linked to it.

This is correct, right?

Re: Patching SSDT using Signed Driver

PostPosted:Fri Nov 14, 2014 12:56 am
by Microwave89
You can also have a device object if you previously created a fake driver object. So there might be no (valid) .sys file associated with a particular device.

Best Regards

Microwave89
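Added example, written for this page and not posted by anyone in the thread: a PowerShell script that performs the check rnd.usr describes (look at the filter list and the .sys behind each entry) and ties it back to the signed-driver point in the original question. It lists the minifilters registered with Filter Manager via fltmc, resolves each one's driver image from its service key under HKLM\SYSTEM\CurrentControlSet\Services, checks that the image is on disk and carries a valid Authenticode signature, and prints the entries that fail either test. The assumption that a minifilter's name equals its service key name is mine; it holds for the filters shipped with Windows and most AV filters but is not guaranteed. It also illustrates Microwave89's caveat by omission: a device object hung off a fabricated driver object is neither registered with Filter Manager nor backed by a service key, so it appears in neither fltmc nor this inventory. Finding that case needs a kernel debugger (!object \Driver, !drvobj, !devstack) or a kernel-mode tool that walks the object manager namespace.

```powershell
# Added example (not from the thread). Inventory the loaded minifilters and the
# driver images behind them. Must run elevated: "fltmc filters" needs SeLoadDriverPrivilege.
#Requires -RunAsAdministrator

function Resolve-DriverImagePath {
    # Normalise the ImagePath forms found under HKLM\SYSTEM\CurrentControlSet\Services:
    #   \SystemRoot\system32\drivers\x.sys, system32\DRIVERS\x.sys, \??\C:\dir\x.sys
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    if ($p -like '\??\*')               { $p = $p.Substring(4) }               # strip "\??\"
    if ($p -like '\SystemRoot\*')       { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

function Get-FltmcFilters {
    # Parse the table printed by "fltmc filters": name, instance count, altitude, frame.
    # Rows that do not carry all four columns (e.g. legacy filters) are skipped.
    $lines = & fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fltmc failed (is the session elevated?): $lines" }
    foreach ($line in $lines) {
        if ($line -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+|<Legacy>)\s*$') {
            [pscustomobject]@{
                Filter       = $Matches[1]
                NumInstances = [int]$Matches[2]
                Altitude     = $Matches[3]
                Frame        = $Matches[4]
            }
        }
    }
}

function Get-MinifilterInventory {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($f in Get-FltmcFilters) {
        # Assumption: the minifilter name equals its service key name.
        $svc   = Get-ItemProperty -Path (Join-Path $svcRoot $f.Filter) -ErrorAction SilentlyContinue
        $image = Resolve-DriverImagePath $svc.ImagePath
        if (-not $image) {
            # No ImagePath value: the service control manager defaults to drivers\<name>.sys
            $image = Join-Path $env:SystemRoot "System32\drivers\$($f.Filter).sys"
        }
        $onDisk = Test-Path -LiteralPath $image
        $sig    = if ($onDisk) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        [pscustomobject]@{
            Filter    = $f.Filter
            Altitude  = $f.Altitude
            Instances = $f.NumInstances
            Image     = $image
            OnDisk    = $onDisk
            Signature = if ($sig) { $sig.Status } else { 'NoImage' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Full inventory, then the entries that deserve a closer look: image missing or not validly signed.
$inventory = Get-MinifilterInventory
$inventory | Sort-Object { [double]$_.Altitude } -Descending | Format-Table -AutoSize
$inventory | Where-Object { -not $_.OnDisk -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

The altitude column is the useful part for the thread's argument: Filter Manager calls the registered filters in altitude order for every I/O it sees, which is why a minifilter is the supported way to observe file operations on x64 and an SSDT hook is not. "fltmc instances" shows which volumes each filter is attached to, and "fltmc unload <name>" is a quick test of whether a filter can be removed from the stack at all.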