@kram7750 please help out here.
How exactly does hardware virtualization enable a security soft to "hook" the kernel on W8\8.1 and 10 system?
I'm sorry, this time I cannot actually answer your question properly to what you would expect from me - I do not know a lot about Comodo products and how they work.
Although, I can tell that kernel patching can occur on 64-bit systems, just it's not something the average device driver developer would know how to do. Kernel patching with e.g. SSDT hooking (System Service Discriptor Table - although you may hear it known as the "System Service Dispatch Table", as well) is blocked from occuring on x64 systems. In the past, there have been ways to bypass PatchGuard to set SSDT hooks.
Microsoft do try to patch things up, especially in the cases of PatchGuard being bypassed. However, I am not convinced that Comodo make use of SSDT hooking on x64 systems. I'm not sure they would even allow an AV vendor to make use of bypassing PatchGuard to set SSDT hooks, since on x64 systems, kernel patching is prevented via PatchGuard.
For example, in the past when PatchGuard was bypassed (unsigned driver loaded on x64 systems) via the use of the Master Boot Record, it was patched as soon as Microsoft could patch it.
Although, kernel patching does not just mean the use of SSDT hooking (sorry if this post made it sound like this already). On an x86 system, kernel patching is referred to as SSDT hooking. On x64 there are other methods for kernel patching. Malicious software (as examples, for example, Carberp) may use techniques to patch up the kernel on an x64 system.
You can create callbacks on the system to get a notification of a certain event and then take action. For example, on a x64 driver, you can work with a callback to monitor process execution and termination. The callback for this would be PsSetCreateProcessNotifyRoutine/Ex suffix can be at the end depending on the Windows version on the system. This is an effective technique, although some people wouldn't consider it as "kernel patching", although it's still useful and good, and it occurs in ring0 (drivers) which is where the kernel runs. You can take advantage of callbacks to protect processes running on ring3, for example with the callback ObRegisterCallback.
Usage of "mini-filter drivers" are also used in products to do specific things.
In case you were wondering why "Ex" is at the end of Windows API functions, it represents a newly updated version of the function in the Windows API. I'll explain this now since I introduced this note... So, let's say we have a function (this is a non-existing function by the way, I'm making it up as an example) called PrintHello which took in a few parameters (one for the text to be displayed, one for the caption of the alert and the other for the buttons displayed), which when called with correct parameters would display the alert on e.g. the Desktop. However, what in older versions of Windows, this function needed to be updated (maybe a change in parameters or big changes)? Well, what would happen is in the new versions, the function would be changed to PrintHelloEx. The "Ex" suffix at the end would represent that the function has been updated, and that there is a function which is older for older Operating System versions.
Now for the example fo the above theory with a real existing function. In kernel-mode, as I mentioned earlier, you can work with callbacks. Well, there is a callback which can be used called CmRegisterCallback. This is a callback used to monitor the registry. However, on newer versions of Windows Operating System, since it was updated, it would be CmRegisterCallbackEx... So if we used this on e.g. Windows 8, we use the newer version (CmRegisterCallbackEx). And if it needs to be updated again, either Microsoft will change the function name and then re-document it with the new function name and the changes on e.g. MSDN, or they will add another "Ex" suffix to the end, so there would be 2 Ex's at the end.
There are also functions which are very useful on user-mode, although not a lot of people know about them I do not think. I say this because even I did not know of them until recently (I am still learning all the time), although the function KiFastSystemCall could be very useful. When you call a function from user-mode, in the end, KiFastSystemCall is called. It will move the API call onto kernel-mode via use of SYSENTER. Via SYSENTER, it allows an entry to the kernel (ring0), meaning the API call is pushed onto kernel-mode, where the function you called happens in ring0. Or at least, this is my understanding of it so far, since I am still studying the function (along with other functions). While only very high-end malicious software would hook it, simply because it's so deep that not many people would know if it, certainly not inexperienced people, it can be very powerful. So if a security product used it, it could do all sorts such as filter out certain API function calls. This can be used for something like a Behaviour Blocker, Host Intrusion Prevention System, process protection.. Of course if a rootkit used it, then that would be quite deadly in my opinion. Since only a few out of a large amount of people in a estimated ratio would know of it, it could be either difficult to discover/unhook, etc. While this may not be related to your question, I thought it'd be useful for the information.
As far as I am aware, there are only 2 people on this forum who know of this API function, and that is before I mentioned it here... Me, and
@Cowpipe. (I also tagged
@Cowpipe here, not just because of this KiFastSystemCall information, but because he is more experienced than me with things regarding kernel-mode (and a lot of other things), and he is actually one of the people I would go to if I was stuck with something, maybe when he returns to MT and see's this post he might be able to help improve it and correct things). (KiFastSystemCall is or x86 systems though - on x64 there are functions like Wow64SystemServicesEx, I highly doubt you'll find information about it online, or much information. It's undocumented, a friend told me about it recently).
Although, there is much undocumented stuff out in the sea.. Which takes lots of experience to analyze the functions enough to understand how they work, how to use them, etc. Comodo clearly have experts working for them, people far more experienced than I am. You could try contacting them, although I doubt they'd release such special information regarding the inner-workings and development of their product. They could probably explain things better than I currently can as well.
It's possible Comodo don't even use kernel-patching. I mean, they could use other techniques like even IAT hooking through remote detouring/inline hooking - so instead of injecting DLLs, they could inject code to make it harder to detect and more "advanced" in a way. I am actually not sure myself, since as I said, I don't know a lot about Comodo products since I don't really have an interest in them too much.
Since "virtualization" is metioned here, at the end of the post here, I will mention just some little information about blocking off processes from making changes to the system, but still allowing execution. I won't actually go into proper "virtualization", or at least as we think of how Antivirus software does it... I do not know too much information about it myself as I am not that experienced myself, I am still learning. Anyway, without further adue:
You do not actually have to use techniques such as "real virtualization" or, "code emululation", with making code execute on a "virtual processor". Something like this could happen:
1). A process is executed. The Antivirus software gives this process specific permissions, to prevent if from doing things like accessing/deleting system files, personal documents, etc... As well as preventing it from escaping, so it is executed, pretty much "isolated" in a way of phrase.
2). It maps the target program (let's say malicious software for this example), into the process with the "permissions" to restrict it from doing specific things, etc.
3). It then analyzes what the malicious software tries to do (and due to permissions, it's restricted).
As for injection into processes, I've seen security software (recently when I did some tests), use DLL injection into them. This could be for things like hooking functions to alert the user of suspicious activity (for example, Behaviour Blocking, they might alert the user when specific functions are used to see if the user allows such activity or not and can allow/block), although I think Code Injection is more secure. But the security software can use both techniques, I guess.
As for blocking things like DLL injection, you could hook a function like LdrLoadDll. This is a native API function, it's undocumented also. For more information about the native API, read these:
www.osronline.com/article.cfm?article=91 https://en.wikipedia.org/wiki/Native_API http://undocumented.ntinternals.net/ (good information here, really, I use it all the time!)
I hope this was informative and helped, although if it didn't really answer your question, then I do apologize. I did note at the beginning I cannot answer your question properly, but if I did, let me know! I'm pretty sure I put in way to much information in this post, a lot not even necessary. Regardless, enjoy!!
Cheers.