Exetools  

#1  07-12-2013, 01:49  mad
64-bit drivers / process management

Hi there

I have a question about driver development on Windows x64 systems.
I am pretty new to this topic (drivers generally), so please have patience with me.
At the moment I'm playing around a bit with hooks, and of course I noticed that most stuff like SSDT and IDT hooks or modifying the EPROCESS structure is forbidden
by KPP on 64-bit ;X
My question is: is there any kind of "legit" way of "hooking" functions (especially process management),
and if not, how do modern antivirus programs handle this?
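As an added example, not part of this thread: the route Microsoft documents for a driver that needs to see or block process creation on x64, without touching anything PatchGuard guards, is the process-notify callback PsSetCreateProcessNotifyRoutineEx (Vista SP1 and later). The image is required to be linked with /INTEGRITYCHECK, otherwise registration fails with STATUS_ACCESS_DENIED. The denylist, the image names and the "procmon" debug tag below are made up for illustration. The matching logic is plain C so it can be compiled and tested in user mode; the driver portion is guarded by _KERNEL_MODE, which the WDK's /kernel build defines, and is assumed to be built there.

```c
/* Added example (not from the thread): the documented, PatchGuard-safe way to
 * observe or veto process creation on x64 Windows is a kernel callback via
 * PsSetCreateProcessNotifyRoutineEx, not an SSDT/EPROCESS patch. The driver
 * part compiles only under the WDK (which defines _KERNEL_MODE); the matching
 * logic is plain C so it can be built and tested in user mode. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stddef.h>
#endif

/* Hypothetical denylist of image-name suffixes, matched case-insensitively
 * (ASCII only) against the tail of the NT path the callback receives. */
static const char *const g_denied_suffixes[] = { "\\evil.exe", "\\dropper.exe" };

static unsigned short fold_ascii(unsigned short c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned short)(c + ('a' - 'A')) : c;
}

/* path/length_bytes mirror UNICODE_STRING.Buffer/.Length (UTF-16, byte count,
 * not NUL-terminated). Returns 1 if the path ends with a denied suffix. */
int image_is_denied(const unsigned short *path, unsigned int length_bytes)
{
    size_t path_len = length_bytes / 2, i, k;

    if (path == NULL || path_len == 0)
        return 0;
    for (i = 0; i < sizeof g_denied_suffixes / sizeof g_denied_suffixes[0]; i++) {
        const char *sfx = g_denied_suffixes[i];
        size_t sfx_len = 0;
        while (sfx[sfx_len] != '\0')
            sfx_len++;
        if (sfx_len > path_len)
            continue;
        for (k = 0; k < sfx_len; k++)
            if (fold_ascii((unsigned char)sfx[k]) != fold_ascii(path[path_len - sfx_len + k]))
                break;
        if (k == sfx_len)
            return 1;
    }
    return 0;
}

#ifndef _KERNEL_MODE
/* User-mode convenience for testing: widen an ASCII path to UTF-16 and check it. */
int image_is_denied_ascii(const char *path)
{
    unsigned short buf[260];
    unsigned int n = 0;

    while (path[n] != '\0' && n < sizeof buf / sizeof buf[0]) {
        buf[n] = (unsigned char)path[n];
        n++;
    }
    return image_is_denied(buf, n * 2);
}
#else
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;

/* Runs in the creating thread at PASSIVE_LEVEL for every process creation
 * (CreateInfo != NULL) and exit (CreateInfo == NULL). */
static VOID CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                                  PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL)
        return;
    if (image_is_denied((const unsigned short *)CreateInfo->ImageFileName->Buffer,
                        CreateInfo->ImageFileName->Length)) {
        DbgPrint("procmon: denying PID %p (%wZ)\n", ProcessId, CreateInfo->ImageFileName);
        /* Vetoing here replaces what an SSDT hook on NtCreateUserProcess would do. */
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
    }
}

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);  /* Remove = TRUE */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    /* Returns STATUS_ACCESS_DENIED unless the image is linked with /INTEGRITYCHECK. */
    return PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
}
#endif
```

The callback only tells the driver that a process is being created and lets it veto; it does not give the raw NtCreateUserProcess arguments an SSDT hook would see. For handle-open filtering on processes and threads the documented counterpart is ObRegisterCallbacks (same /INTEGRITYCHECK requirement), and those two callback families, not patched kernel tables, are what endpoint products rely on under KPP.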
#2  07-31-2013, 05:59  TheSwash
Hi,
To hook functions in kernel mode under Windows x64 systems, you will need to bypass Kernel Patch Protection (PatchGuard). You have needed to bypass this protection since Windows XP x64, but the hardest is Windows 7/8 fully updated.

Wikipedia information about this.

Information on bypassing PatchGuard (old versions).

Regards!
#3  08-01-2013, 16:32  mm10121991 (VIP)
Does PatchGuard protect the IA32_SYSENTER_EIP MSR?
#4  08-01-2013, 23:33  TheSwash
Quote:
Covertness: Changing the value of the IA32_SYSENTER_EIP MSR can be detected. For example, PatchGuard currently checks to see if the equivalent AMD64 MSR has been modified as a part of its polling checks.
Source

Regards!
All times are GMT +8.