can1357 / ByePg

Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI.

supports WOW64 syscall hook? #12

Closed CRC32EX closed 4 years ago

CRC32EX commented 4 years ago

The ExHook project is working successfully when the target is a 64-bit application.

But a 32-bit (WOW64) application is weird: the syscall number looks invalid.

So, ByePg and ExHook do not support WOW64 applications?

Do you have the same bug? Do you have any solutions?

My environment

OS: Windows 10 Pro 1903 18362.30 64-bit

can1357 commented 4 years ago

1703944 and 393268 are 0x60034 and 0x1A0008 respectively.

The value of TrapFrame->Rax is interpreted like the following in KiSystemCall64:

```c
#include <stdint.h>

union SyscallIndex
{
    uint64_t Rax;               /* raw register value captured in the trap frame */
    struct
    {
        uint64_t RoutineId  : 12;   /* index into the selected service table */
        uint64_t IsWin32    : 1;    /* 0 = SSDT, 1 = shadow SSDT (win32k) */
        uint64_t Reserved   : 51;   /* upper bits, ignored by the dispatcher */
    };
};
```

So to me it looks like they are in fact valid indices into the SSDT at +0x34 and +0x8. Give it another try after masking its bits and let me know if it all works.
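A worked decoding of the two values from this issue, added here as an example that is not part of ByePg or ExHook: it applies the bit layout above with explicit masks (so it does not depend on the compiler's bit-field ordering), cross-checks that against the union view, and shows why a hook filter must compare the masked index rather than the raw `TrapFrame->Rax`. The `decode_syscall` and `syscall_is` helper names are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Same layout as in the thread; bit-field order matches MSVC/GCC on x86-64 (low bits first). */
union SyscallIndex {
    uint64_t Rax;
    struct {
        uint64_t RoutineId : 12;  /* index into the selected service table */
        uint64_t IsWin32   : 1;   /* 0 = SSDT, 1 = shadow SSDT (win32k) */
        uint64_t Reserved  : 51;  /* ignored by the dispatcher; WOW64 callers leave junk here */
    };
};

typedef struct {
    uint32_t routine_id;
    bool     is_win32;
    uint64_t reserved;
} DecodedSyscall;

/* Portable decode with explicit masks, independent of bit-field ordering. */
DecodedSyscall decode_syscall(uint64_t rax) {
    DecodedSyscall d;
    d.routine_id = (uint32_t)(rax & 0xFFF);
    d.is_win32   = (rax >> 12) & 1;
    d.reserved   = rax >> 13;
    return d;
}

/* Cross-check: the union view and the mask view must agree for this platform. */
bool union_matches_mask(uint64_t rax) {
    union SyscallIndex u;
    u.Rax = rax;
    DecodedSyscall d = decode_syscall(rax);
    return u.RoutineId == d.routine_id && u.IsWin32 == d.is_win32 && u.Reserved == d.reserved;
}

/* What a hook filter should do: match on table + masked index, never on the raw register,
 * otherwise a WOW64 caller with stray upper bits looks like an unknown service. */
bool syscall_is(uint64_t rax, bool want_win32, uint32_t want_id) {
    DecodedSyscall d = decode_syscall(rax);
    return d.is_win32 == want_win32 && d.routine_id == want_id;
}

int main(void) {
    uint64_t samples[] = { 1703944u, 393268u };   /* the two values reported in the issue */
    for (int i = 0; i < 2; i++) {
        DecodedSyscall d = decode_syscall(samples[i]);
        printf("rax=0x%llx -> table=%s index=0x%x reserved=0x%llx\n", (unsigned long long)samples[i],
               d.is_win32 ? "shadow" : "ssdt", d.routine_id, (unsigned long long)d.reserved);
    }
    return 0;
}
```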

can1357 commented 4 years ago

Feel free to re-open if it really is invalid.