iPower / KasperskyHook

Hook system calls on Windows by using Kaspersky's hypervisor
MIT License

It seems that this method does not support the latest klhk.sys #11

Closed. ZRR666 closed this 7 months ago.

ZRR666 commented 8 months ago

It seems that this method does not support the latest klhk.sys. The January 19, 2024 version will blue screen. An attempt was made to locate the corresponding address.

ZRR666 commented 8 months ago

[image] set_hvm_event is no longer a function but a piece of code.

recoil23 commented 8 months ago

> [image] set_hvm_event is no longer a function but a piece of code.

Do you have a fix for that please?

recoil23 commented 8 months ago

Alright, I've just looked into it myself. Listen, because we are in big trouble. They changed their driver code starting from the versions where the installer puts it in a separate folder named KV. New hypervisor code, and some of the funcs are inlined now. I was only able to find some new sigs, which I'll share here, but the hypervisor got ripped :(

```cpp
// Find number of services (SSDT)
presult = utils::find_pattern_km(
    L"klhk.sys", ".text",
    "\x89\x05\xCC\xCC\xCC\xCC\x85\xC0", "xx????xx"
);

// Find number of services (Shadow SSDT)
// (pattern as posted: byte-identical to the SSDT one above)
presult = utils::find_pattern_km(
    L"klhk.sys", ".text",
    "\x89\x05\xCC\xCC\xCC\xCC\x85\xC0", "xx????xx"
);

// Find provider data
presult = utils::find_pattern_km(
    L"klhk.sys", ".text",
    "\x89\x1D\xCC\xCC\xCC\xCC\x75\x07", "xx????xx"
);
```
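The signatures above are IDA-style byte patterns with an `x`/`?` mask, and each one anchors on a `mov [rip+disp32], r32` instruction (`89 05` writes eax, `89 1D` writes ebx) whose RIP-relative displacement points at the global the hook code needs. The following is an added example, not code from KasperskyHook or from the commenter: a stand-alone mask scanner in the same convention, plus the displacement resolution that turns a match into the global's virtual address. The byte buffer, its base address (`G_TEXT_BASE`) and the function names are constructed for illustration and are not taken from klhk.sys.

```c
/* Added example: mask-driven pattern scan plus RIP-relative resolution.
 * Not the project's utils::find_pattern_km; the buffer below is constructed,
 * not a dump of klhk.sys. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return the offset of the first match of pattern/mask in buf at or after
 * `start`, or -1. mask[i] == 'x' means the byte must match; '?' is a wildcard
 * (the pattern byte at that position, 0xCC in the issue, is ignored). */
static ptrdiff_t find_pattern(const uint8_t *buf, size_t len, size_t start,
                              const uint8_t *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen) return -1;
    for (size_t i = start; i + plen <= len; i++) {
        size_t j = 0;
        for (; j < plen; j++)
            if (mask[j] == 'x' && buf[i + j] != pattern[j]) break;
        if (j == plen) return (ptrdiff_t)i;
    }
    return -1;
}

/* For a 6-byte "mov [rip+disp32], r32" (opcode 89 /r, ModRM mod=00 rm=101)
 * the operand address is the address of the *next* instruction plus the
 * signed little-endian disp32 at bytes 2..5. `base` is the VA of buf[0]. */
static uint64_t resolve_rip_rel32(const uint8_t *buf, size_t off, uint64_t base)
{
    int32_t disp;
    memcpy(&disp, buf + off + 2, sizeof disp);
    return base + off + 6 + (uint64_t)(int64_t)disp;
}

/* Constructed stand-in for a slice of a .text section:
 *   off  0: 48 8B C8             mov rcx, rax        (noise)
 *   off  3: 89 05 F0 FF FF FF    mov [rip-0x10], eax
 *   off  9: 85 C0                test eax, eax
 *   off 11: 89 1D 20 00 00 00    mov [rip+0x20], ebx
 *   off 17: 75 07                jne +7               */
static const uint8_t g_text[] = {
    0x48, 0x8B, 0xC8,
    0x89, 0x05, 0xF0, 0xFF, 0xFF, 0xFF,
    0x85, 0xC0,
    0x89, 0x1D, 0x20, 0x00, 0x00, 0x00,
    0x75, 0x07,
};
#define G_TEXT_BASE 0xFFFFF80012340000ULL   /* hypothetical load address */

/* The two signatures from the issue, in the same "\xCC" + "xx????xx" form. */
static const uint8_t PAT_SSDT[] = "\x89\x05\xCC\xCC\xCC\xCC\x85\xC0";
static const char    MASK_SSDT[] = "xx????xx";
static const uint8_t PAT_PROV[] = "\x89\x1D\xCC\xCC\xCC\xCC\x75\x07";
static const char    MASK_PROV[] = "xx????xx";

/* Scan from `start`, and on a hit return the VA of the referenced global;
 * 0 means the signature did not match (the caller must not dereference). */
static uint64_t locate_global(size_t start, const uint8_t *pat, const char *mask)
{
    ptrdiff_t off = find_pattern(g_text, sizeof g_text, start, pat, mask);
    if (off < 0) return 0;
    return resolve_rip_rel32(g_text, (size_t)off, G_TEXT_BASE);
}

int main(void)
{
    printf("SSDT count global : 0x%llx\n",
           (unsigned long long)locate_global(0, PAT_SSDT, MASK_SSDT));
    printf("provider data     : 0x%llx\n",
           (unsigned long long)locate_global(0, PAT_PROV, MASK_PROV));
    /* Second scan for the same bytes must resume past the first hit. */
    printf("second SSDT-style : 0x%llx\n",
           (unsigned long long)locate_global(4, PAT_SSDT, MASK_SSDT));
    return 0;
}
```

Two practical points follow from the scanner. First, the SSDT and Shadow SSDT signatures as posted are byte-identical, so a second scan with the same pattern returns the same first hit unless it resumes past it (the `start` parameter above); in the constructed buffer the resumed scan finds nothing and returns 0 rather than a bogus address. Second, a signature only tells you where an instruction is; the displacement must be resolved relative to the instruction's end, and a failed scan must be treated as fatal before anything dereferences the result, which is exactly the blue screen the issue reports when an old signature silently stops matching.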

iPower commented 7 months ago

Well then just replicate what the function does. It's not like it's hard to do lol.

iPower commented 7 months ago

Solved: https://github.com/iPower/KasperskyHook/commit/0a86dd9bb58f1d24e1936f51d34f85ace3e30045