How do Antivirus know which program called which API from the kernel space?
Quoting 436880927 (post 824127):

PatchGuard's Kernel Patch Protection isn't an issue for several vendors on Windows 64-bit systems because of hardware-assisted virtualization technology. As time goes on, more AV vendors will begin to adapt to the concept and start implementing support for it.

Avast currently has support for hardware-assisted virtualization. ESET uses it for code emulation features. Kaspersky uses it and I assume it's for their banking protection. Comodo uses it. I'm sure there will be others.

Bear in mind, if you want to use a hypervisor for MSR hooking on the IA32_LSTAR nowadays, you have to deal with Microsoft's Kernel Virtual Address Shadow (KVAS) feature which was implemented to mitigate the Meltdown CPU vulnerabilities. Originally, there was a simple work-around, but Microsoft changed things again starting with Windows 10 1809.

In general, you can use kernel-mode callbacks instead of patching the Windows kernel but only if there's an appropriate kernel-mode callback available for you.

Mini-filter drivers are an official mechanism for interacting with the Filter Manager - named fltMgr.sys - and as such, intercept file system events in real-time. However, the other kernel-mode callbacks can be used within a mini-filter driver as well.

KeServiceDescriptorTable/Shadow hooking is completely different to using a mini-filter driver and mini-filter drivers in themselves are not an alternative to SSDT hooking.

That is a terrible idea.

Hooking in general is a terrible idea when you do not know what you are doing, but hooking Win32 APIs like OpenProcess (KERNEL32/KERNELBASE) is definitely a terrible idea when there's NtOpenProcess (NTDLL).

Instead of hooking NtOpenProcess - which is called by OpenProcess - you can use ObRegisterCallbacks (kernel-mode callback).

One kernel-mode callback and it relieves the need to hook NtOpenProcess, NtOpenThread, NtDuplicateObject and some others if used correctly.
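The quoted post recommends ObRegisterCallbacks over hooking NtOpenProcess/NtDuplicateObject. The following is an added example (not code from the poster or any vendor) of how such a callback learns which process is opening which target and trims the requested access rights for an AV's own service process. The policy function is plain C so it runs anywhere; the driver-side registration is kept under an assumed `BUILD_AS_DRIVER` macro because it needs the WDK. The protected PID 4242 and the altitude string "320000" are constructed values; the PROCESS_* bit values are the ones from winnt.h, repeated so the file builds without Windows headers.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Process access-right bits, the same values winnt.h defines, repeated here
 * so the policy function compiles and runs without the WDK. */
#define PROCESS_TERMINATE                 0x0001
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_DUP_HANDLE                0x0040
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_SUSPEND_RESUME            0x0800
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000

/* Operation codes with the same values as the WDK's OB_OPERATION_HANDLE_CREATE
 * and OB_OPERATION_HANDLE_DUPLICATE, so the simulation matches the driver build. */
#define OP_HANDLE_CREATE    1
#define OP_HANDLE_DUPLICATE 2

/* Rights that let a caller tamper with the protected process. Query and read
 * rights are deliberately left alone so tools such as Task Manager keep working. */
#define TAMPER_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                       PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SUSPEND_RESUME)

/* Constructed value: PID of the user-mode service the driver protects. */
static uint32_t g_protected_pid = 4242;

/* The policy a pre-operation callback applies. It is the same for handle creation
 * (reached via NtOpenProcess) and handle duplication (reached via NtDuplicateObject),
 * which is why one ObRegisterCallbacks registration replaces hooks on both. */
uint32_t filter_desired_access(uint32_t caller_pid, uint32_t target_pid, int operation,
                               bool kernel_handle, uint32_t desired_access)
{
    (void)operation;                       /* same policy for both operations */
    if (kernel_handle)                     /* never interfere with kernel-mode handles */
        return desired_access;
    if (target_pid != g_protected_pid)     /* only the protected process is filtered */
        return desired_access;
    if (caller_pid == g_protected_pid)     /* the service may open itself freely */
        return desired_access;
    return desired_access & ~(uint32_t)TAMPER_RIGHTS;
}

#ifdef BUILD_AS_DRIVER   /* assumed build flag: compile this part with the WDK only */
#include <ntddk.h>

static PVOID g_cb_handle = NULL;

/* Real callback shape: the kernel supplies the caller context (current process) and
 * the target object, which is how the driver learns who is opening what. */
static OB_PREOP_CALLBACK_STATUS pre_op(PVOID ctx, POB_PRE_OPERATION_INFORMATION info)
{
    UNREFERENCED_PARAMETER(ctx);
    PACCESS_MASK access = (info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &info->Parameters->CreateHandleInformation.DesiredAccess
        : &info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *access = filter_desired_access((uint32_t)(ULONG_PTR)PsGetCurrentProcessId(),
                                    (uint32_t)(ULONG_PTR)PsGetProcessId((PEPROCESS)info->Object),
                                    (int)info->Operation, info->KernelHandle != 0, *access);
    return OB_PREOP_SUCCESS;   /* a pre-op callback can only reduce access, not fail the open */
}

NTSTATUS register_process_callback(void)
{
    OB_OPERATION_REGISTRATION op = {0};
    OB_CALLBACK_REGISTRATION reg = {0};
    op.ObjectType = PsProcessType;
    op.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = pre_op;
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration = &op;
    RtlInitUnicodeString(&reg.Altitude, L"320000");   /* constructed altitude string */
    return ObRegisterCallbacks(&reg, &g_cb_handle);     /* driver must be linked /INTEGRITYCHECK */
}
#endif

int main(void)
{
    /* Constructed scenario: PID 1000 asks to open the protected service for termination. */
    uint32_t asked = PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION;
    uint32_t got = filter_desired_access(1000, g_protected_pid, OP_HANDLE_CREATE, false, asked);
    printf("asked 0x%04x, granted 0x%04x\n", asked, got);   /* asked 0x0401, granted 0x0400 */
    return 0;
}
```

The point worth noticing is that the callback never has to figure out who the caller is by walking stacks or patching syscall entries: the kernel invokes it in the context of the opening process, hands it the target object, and tells it whether the request came from kernel mode. Stripping only the tampering rights rather than refusing the handle keeps ordinary enumeration tools working while still preventing termination, thread injection and memory writes against the service.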