> sscalzo wrote: ↑Thu Jul 11, 2019 3:10 pm
> I think in some circumstances, this would be unnecessary. For example, if you want to hook NtOpenProcess for process protection, then you just compare eax (index in ssdt), and the [r9] (PID). If PID is protected, then set rdx to zero (No Access Rights) and continue the original syscall handler.

> tangptr wrote:
> You may hook MSR-LSTAR (ecx=0xC0000082) and hide your hook using hardware-accelerated virtualization (Intel VT-x or AMD-V).

Microsoft's Kernel Virtual Address Shadow (KVAS) feature was introduced a while ago as a mitigation for the Meltdown vulnerability, which was affecting various CPUs. As a result of KVAS, you'll need your system call handler to be mapped to the shadow page tables, otherwise it's not going to work. This used to be easy with the MmCreateShadowMapping kernel API, but Microsoft changed things in late 2018.
References:
https://revers.engineering/syscall-hook ... ster-efer/
At long last, the jumping hands of time will be halted by a weakling cast in eternal solitude.
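The post's point is that once KVAS is active the kernel runs with two sets of page tables and anything reached from the syscall entry must be present in the shadow set. Before debugging a handler that "just doesn't work", the first thing to establish is whether KVAS is actually on for the machine in question. The PowerShell below is an added example, not code from the thread or from any poster; it assumes Microsoft's SpeculationControl module from the PowerShell Gallery (its Get-SpeculationControlSettings cmdlet, the -Quiet switch and the KVAShadow* property names are taken from that module and should be treated as assumptions if your module version differs), and it also reads the FeatureSettingsOverride / FeatureSettingsOverrideMask registry values that administrators use to force mitigations on or off.

```powershell
# Added example (not from the thread): report whether Kernel Virtual Address
# Shadowing (KVAS, Microsoft's Meltdown mitigation) is active on this host.
# Assumes the Microsoft "SpeculationControl" PowerShell Gallery module; the
# property names returned by Get-SpeculationControlSettings are assumed to be
# the KVAShadow* names that module documents.

#Requires -RunAsAdministrator
function Get-KvasState {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl

    # -Quiet suppresses the cmdlet's narrative output and returns only the object.
    $s = Get-SpeculationControlSettings -Quiet

    # Admin overrides live here; a non-null override means the defaults were changed.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $props = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CpuRequiresKvas             = $s.KVAShadowRequired
        OsSupportsKvas              = $s.KVAShadowWindowsSupportPresent
        KvasEnabled                 = $s.KVAShadowWindowsSupportEnabled
        PcidInUse                   = $s.KVAShadowPcidEnabled
        FeatureSettingsOverride     = $props.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $props.FeatureSettingsOverrideMask
    }
}

Get-KvasState | Format-List
```

KvasEnabled is the value that matters for the post's observation: when it is true, the kernel switches page tables on every syscall entry, so a handler that lives only in the normal kernel mapping is not reachable from the entry stub. CpuRequiresKvas being false (a CPU not affected by Meltdown) with KvasEnabled false explains why the same code may appear to work on one test box and fail on another.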