64 bit drivers / process mangement

#1 07-12-2013, 01:49

Hi there

i have a question about driver development on windows x64 systems.
i am pretty new in this topic (drivers generally) so please have patience with me

atm im playin a bit around with hooks and ofc i noticed that most stuff like ssdt and idt hooks or modifying the eprocess structure is forbidden
by the kpp on 64bit ;X
my question is: is there any kind of "legit" way of "hooking" functions (specialy process management)
and if not how do modern antivirus programms handle this.

#2 07-31-2013, 05:59

Hi,
For hook functions in kernel-mode under Windows x64 systems, u will need bypass the Kernel Patch Protection (PatchGuard), since Windows XP x64 u need bypass this protection, but the most hard is Windows 7 -8 fully updated.

Wikipedia information about this.

Information to bypass PatchGuard old versions.

Regards!

mm10121991 · #3 08-01-2013, 16:32

Does the PatchGuard protect the IA32_SYSENTER_EIP msr ?

#4 08-01-2013, 23:33

Quote:

Covertness: Changing the value of the IA32_SYSENTER_EIP MSR can be detected. For example, PatchGuard currently checks to see if the equivalent AMD64 MSR has been modified as a part of its polling checks.

Source

Regards!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
FSFilter drivers in Windows 10	biorpg	x64 OS	8	06-25-2020 18:33
Developing Drivers for 64-bit	Git	x64 OS	16	01-05-2013 12:13