ipower / kasperskyhook
Hook system calls on Windows by using Kaspersky's hypervisor
License: MIT License
Hi, if I map KasperskyDriver.sys then I get a BSOD with an error: PAGE_FAULT_IN_NON_PAGED_AREA. How can I fix it?
RU: Hi, if I map KasperskyHookDriver.sys, then I get a BSOD with the error PAGE_FAULT_IN_NON_PAGED_AREA. How can this be fixed?
I'm trying to use Kaspersky's CPU handler for code injection by hooking it. As far as I know, this handler is called in the context of the process that executed the CPUID instruction, but when I call ZwAllocateVirtualMemory I get a HYPERVISOR_ERROR BSOD.
Is it even possible to work with process memory in the CPUID handler?
That's what I'm hooking in their driver: https://i.imgur.com/4NfM8kZ.png
IDA sig for both handlers: 48 89 5C 24 ? 57 48 83 EC 20 4C 8B 81
VM: Install Kaspersky (get new driver)
code:
Fix ssdt_service_count (change the sig) (the old sig was broken, I fixed it. I got 3 versions of klhk.sys; only here there is no change.)
presult = utils::find_pattern_km(L"klhk.sys", ".text", "\x83\xE1\x01\x75\x27", "xxxxx");
if (!presult)
    return false;
presult = presult + 0xE;
Tested, and again it returns C000090B (in the VM it also returns C000090B).
...emmmm, any update or anything?
When I read the hvm_thread_object value, it is null.
In the screenshot it is:
"[+] klhk.sys!HVMThreadObject @ 0x0000000000000000"
DbgPrintEx( 0, 0, e( "[+] klhk.sys!HVMThreadObject @ 0x%p\n" ), *( uint64_t * )impl::g_hvm_thread_object );
I'm on VMware, Windows 10 22H2, other hypervisors off, HVCI off, antivirus fully uninstalled.
VMP EXE file BOOM~~~
Need to set the CPUID callback.
I tried using the project with virtualization enabled on my VM / main PC.
The Kaspersky hypervisor is loaded; I checked the service.
But when calling return NT_SUCCESS( set_hvm_event() );
this returns false because set_hvm_event() doesn't return STATUS_SUCCESS; it returns C00000A3 (STATUS_DEVICE_NOT_READY) and sometimes C000090B.
bool kaspersky::hvm_init()
{
    // Both pointers are resolved from klhk.sys earlier; bail out if either lookup failed.
    if ( !provider || !set_hvm_event )
        return false;

    // Select the provider before asking the hypervisor to set up the event.
    *provider = 4;

    // Log the raw NTSTATUS so failures such as C00000A3 are visible.
    auto ret = set_hvm_event();
    log( "%p\n", ret );

    return NT_SUCCESS( ret );
}
[ KasperskyHook ] 00000000C00000A3
Edit: the driver is also signed; I am using a cert.
https://guidedhacking.com/threads/kasperskyhook-hook-windows-system-calls.16030/post-98821
Same error as this guy ^
except I have virtualization enabled.
It seems that this method does not support the latest klhk.sys.
The January 19, 2024 version will blue screen.
An attempt was made to locate the corresponding address.
Fixed.
Hello,
I would like to ask about how I should add another function to be hooked.
And also, I want to know the process that made this system call. Is it possible?
I want to use that project to hook API calls done by a process and then send those called APIs to an engine running in user mode to analyze them and decide whether the process is malicious or not. (it's a part that I'm going to use in my graduation project).
Thanks.
Is it possible to hide kernel memory modifications with the Kaspersky hypervisor? If it's possible, can you give me hints on where to dig in their driver?