Can all antivirus programs detected malware that uses hooks?
- Thread starter Prayag
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Status
- Feb 13, 2017
- 1,486
Probably you mean SSDT patching to perform API hooking within the kernel instead of the classic user mode hooking using remote threads and things like that.
SSDT hooking is as far as I know, the lowest level technique to replace/hook/intercept/whatever API and for this reason has been used for years both by malcoders and AV vendors.
But in 2005 Microsoft introduced a Kernel Patching Protection (also known as “PatchGuard”) for 64 bit systems, making this technique uneffective in the worst case or quite harder to perform in the average case.
SSDT hooking is as far as I know, the lowest level technique to replace/hook/intercept/whatever API and for this reason has been used for years both by malcoders and AV vendors.
But in 2005 Microsoft introduced a Kernel Patching Protection (also known as “PatchGuard”) for 64 bit systems, making this technique uneffective in the worst case or quite harder to perform in the average case.
- Status
Similar threads
