Comments (8)
I thought they were already hooked?
from titanhide.
Hm, in the SSDT hooks in TitanHide I see only:
int Hooks::Initialize()
{
    ExInitializeFastMutex(&gDebugPortMutex);
    int hook_count = 0;
    // SSDT::Hook returns a handle for each ntoskrnl service it redirects, or null on failure;
    // every hooked service is counted so the caller can tell how many actually took effect.
    hNtQueryInformationProcess = SSDT::Hook("NtQueryInformationProcess", (void*)HookNtQueryInformationProcess);
    if(hNtQueryInformationProcess)
        hook_count++;
    hNtQueryObject = SSDT::Hook("NtQueryObject", (void*)HookNtQueryObject);
    if(hNtQueryObject)
        hook_count++;
    hNtQuerySystemInformation = SSDT::Hook("NtQuerySystemInformation", (void*)HookNtQuerySystemInformation);
    if(hNtQuerySystemInformation)
        hook_count++;
    hNtSetInformationThread = SSDT::Hook("NtSetInformationThread", (void*)HookNtSetInformationThread);
    if(hNtSetInformationThread)
        hook_count++;
    hNtClose = SSDT::Hook("NtClose", (void*)HookNtClose);
    if(hNtClose)
        hook_count++;
    hNtSetContextThread = SSDT::Hook("NtSetContextThread", (void*)HookNtSetContextThread);
    if(hNtSetContextThread)
        hook_count++;
    hNtSystemDebugControl = SSDT::Hook("NtSystemDebugControl", (void*)HookNtSystemDebugControl);
    if(hNtSystemDebugControl)
        hook_count++;
    return hook_count; // number of SSDT entries successfully hooked (all in ntoskrnl's table)
}
from titanhide.
Yeah, so? As far as I know SSDT::Hook also hooks the function in the shadow SSDT...
from titanhide.
Oh, never mind, it doesn't. Feel free to add this functionality (and make sure to provide a proof of concept).
from titanhide.
Correct me if I'm mistaken, but as far as I know the shadow SSDT is the GUI functions, located not in ntoskrnl but in win32k.sys.
Also, shadow SSDT hooks require KeStackAttachProcess to a GUI process; without it you don't have access in the kernel to the shadow SSDT service table memory.
from titanhide.
OK, thanks. I will do more investigation and tests, and if I succeed in adding that, I will prepare the code changes for it.
from titanhide.
See https://github.com/conix-security/zer0m0n/blob/master/src/driver/x64/hook.c#L89 and https://github.com/mrexodia/TitanHide/blob/master/TitanHide/ssdt.cpp#L21; it should be easy to extend that function to the shadow SSDT (and no need for KeStackAttachProcess, I think; the same hook method should work for the shadow SSDT).
from titanhide.
KeStackAttachProcess is needed because a process does not have win32k.sys mapped into its address space by default. This is only true for processes that have been converted to a GUI process. The best target for this is csrss.exe, since it is always running and will be the first process to have win32k mapped.

Beware that hooking the shadow SSDT this way is not possible with a boot start driver (start = 0 or start = 1), and if start = 2, you will have to hope that at least the session 0 CSRSS is already running by the time your driver is loaded. In those cases the best option is to set a PsSetLoadImageNotifyRoutine and wait for win32k.sys to load (it's loaded by smss). You will not be in a GUI process context during the notification, but win32k.sys will be mapped into system space and you can access the entire image, including the shadow SSDT, from within the callback. You can even write to win32k this way, but don't tell the PatchGuard people that they missed this.

Here's a DIY snippet. The first function does exactly what TitanHide's SSDTfind() does, except it also finds the shadow SSDT (only on x64). This will work from any process context if win32k.sys has been loaded. The second function should be called after doing some bookkeeping like retrieving function names and allocating space for the entries. This is the only part where a KeStackAttachProcess is required, since it touches the actual service table, which is in session space.
from titanhide.
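An added worked example, written for this page: it is not the DIY snippet the comment above refers to (that snippet is not reproduced here) and not TitanHide's own code. It shows, in plain C on constructed byte arrays rather than a live kernel, the two mechanics the last two comments rely on: resolving KeServiceDescriptorTable and KeServiceDescriptorTableShadow from the pair of RIP-relative lea instructions in KiSystemServiceStart, and decoding and re-encoding x64 service table entries, which is what makes the same hook method usable for the win32k table once that table is reachable. The lea byte pattern, the 28-bit-offset plus 4-bit-argument-count entry encoding, the sample code bytes and every address are assumptions or constructed data, and the signed 28-bit range is what forces the code cave. The kernel-only steps (reading LSTAR, attaching to csrss.exe, making the page writable) are called out in comments but not performed.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Locate both descriptor tables from the bytes of KiSystemServiceStart (reached via the
 * LSTAR MSR in a driver). Assumption: the x64 kernel addresses them with two adjacent
 * RIP-relative leas, 4C 8D 15 disp32 = lea r10,[KeServiceDescriptorTable] and
 * 4C 8D 1D disp32 = lea r11,[KeServiceDescriptorTableShadow]; verify on your build.
 * Shadow[0] describes the ntoskrnl table, Shadow[1] the win32k table, and each
 * descriptor begins with the service table base pointer. Returns 0 on success. */
int find_descriptor_tables(const uint8_t *code, size_t len, uint64_t code_va,
                           uint64_t *ssdt_va, uint64_t *shadow_va)
{
    static const uint8_t lea_r10[3] = { 0x4C, 0x8D, 0x15 };
    static const uint8_t lea_r11[3] = { 0x4C, 0x8D, 0x1D };
    for (size_t i = 0; i + 14 <= len; i++) {
        if (memcmp(code + i, lea_r10, 3) != 0 || memcmp(code + i + 7, lea_r11, 3) != 0)
            continue;
        int32_t disp10, disp11;
        memcpy(&disp10, code + i + 3, sizeof disp10);
        memcpy(&disp11, code + i + 10, sizeof disp11);
        *ssdt_va   = code_va + i + 7  + (int64_t)disp10;  /* RIP-relative: next insn + disp */
        *shadow_va = code_va + i + 14 + (int64_t)disp11;
        return 0;
    }
    return -1;
}

/* x64 service table entries are 32 bits: upper 28 bits = signed offset from the table
 * itself to the routine, low 4 bits = stack-argument count. KiServiceTable and
 * W32pServiceTable share this encoding, so one hook routine serves both. */
uint64_t decode_entry(uint64_t table_va, int32_t entry)
{
    int32_t offset = (entry - (int32_t)((uint32_t)entry & 0xF)) / 16; /* exact for negatives */
    return table_va + (int64_t)offset;
}

uint32_t entry_stack_args(int32_t entry) { return (uint32_t)entry & 0xF; }

/* Entry that sends a service to hook_va, keeping its argument count. The offset must fit
 * in 28 signed bits (within +/-128 MiB of the table): that is why TitanHide jumps through a
 * code cave in ntoskrnl, and why a shadow hook needs a cave in win32k. -1 if unreachable. */
int encode_entry(uint64_t table_va, uint64_t hook_va, int32_t old_entry, int32_t *new_entry)
{
    int64_t delta = (int64_t)(hook_va - table_va);
    if (delta < -(1LL << 27) || delta >= (1LL << 27))
        return -1;
    *new_entry = (int32_t)(((uint32_t)(int32_t)delta << 4) | ((uint32_t)old_entry & 0xF));
    return 0;
}

/* Swap one entry of a service table (here a local copy). In a driver the real table is
 * read-only (write via an MDL or with CR0.WP cleared), and the win32k table is only
 * addressable while attached to a GUI process such as csrss.exe (session space). */
int hook_service(int32_t *table, uint64_t table_va, uint32_t index,
                 uint64_t cave_va, uint64_t *old_routine)
{
    int32_t updated;
    if (encode_entry(table_va, cave_va, table[index], &updated) != 0)
        return -1;
    *old_routine = decode_entry(table_va, table[index]);
    table[index] = updated;
    return 0;
}

/* Constructed sample: a made-up fragment of KiSystemServiceStart at a made-up address. */
const uint64_t kSampleCodeVa = 0xFFFFF80000001000ULL;
const uint8_t kSampleCode[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,          /* filler */
    0x4C, 0x8D, 0x15, 0xF3, 0x1F, 0x00, 0x00,    /* lea r10,[rip+0x1FF3] -> code_va+0x2000 */
    0x4C, 0x8D, 0x1D, 0xEC, 0x2F, 0x00, 0x00,    /* lea r11,[rip+0x2FEC] -> code_va+0x3000 */
    0x90, 0x90
};

int main(void)
{
    uint64_t ssdt, shadow, orig;
    if (find_descriptor_tables(kSampleCode, sizeof kSampleCode, kSampleCodeVa, &ssdt, &shadow))
        return 1;
    printf("KeServiceDescriptorTable 0x%" PRIx64 ", Shadow 0x%" PRIx64 "\n", ssdt, shadow);

    /* Constructed W32pServiceTable: three services, the second one located below the table. */
    const uint64_t w32p_va = 0xFFFFF97FFF200000ULL;
    int32_t w32p[3];
    encode_entry(w32p_va, w32p_va + 0x1230, 2, &w32p[0]);   /* last arg: stack-arg count */
    encode_entry(w32p_va, w32p_va - 0x4400, 0, &w32p[1]);
    encode_entry(w32p_va, w32p_va + 0x8000, 5, &w32p[2]);
    if (hook_service(w32p, w32p_va, 1, w32p_va + 0x7000 /* cave inside win32k */, &orig))
        return 1;
    printf("service 1: 0x%" PRIx64 " -> 0x%" PRIx64 ", %u stack args\n",
           orig, decode_entry(w32p_va, w32p[1]), entry_stack_args(w32p[1]));
    return 0;
}
```

Run stand-alone it prints the two descriptor addresses recovered from the sample bytes and the before/after routine of the hooked win32k-style entry. The one design point worth taking from it is encode_entry's range check: a hook routine in your own driver image will almost never sit within 128 MiB of W32pServiceTable, so the entry has to point at a cave inside win32k that then jumps to the driver, exactly as TitanHide does with a cave inside ntoskrnl for the regular SSDT.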