iPower / KasperskyHook

Hook system calls on Windows by using Kaspersky's hypervisor
MIT License

Suggestion #15

Closed OmarShehata11 closed 3 months ago

OmarShehata11 commented 4 months ago

Hello, I would like to ask how I should add another function to be hooked. I would also like to know which process made the system call. Is that possible?

I want to use this project to hook API calls made by a process and then send those called APIs to an engine running in user mode to analyze them and decide whether the process is malicious or not. (This is a part of my graduation project.)

Thanks.

iPower commented 4 months ago

Hi! You can follow the example here: https://github.com/iPower/KasperskyHook/blob/238c1b8f376b91b63fbac260d7c6b5fefa76f375/KasperskyHookDrv/driver.cpp#L62

There are some things to keep in mind about this project as well:

1. It doesn't support getting SSDT indexes dynamically (well, I should probably add this, but it is out of scope), so you'll need to write code for that or hardcode them. If you want to get the indexes dynamically you can map ntdll.dll, parse its exports and find the stubs by looking for Nt routines with `syscall` instructions.
2. klhk.sys only hooks system calls, not generic APIs. Therefore, this project only supports system call hooks.

Regarding this question: "I want to know the process that made this system call. Is it possible?" Yes, it's possible. You can call `PsGetCurrentThread` and `PsGetCurrentProcess` to get more information about the calling thread and its process. You might also want to read the thread's trap frame to record useful information such as the instruction pointer. I also suggest reading about kernel driver development before doing anything else (tip: Windows Kernel Programming by Pavel Yosifovich is an excellent book for beginners).

I hope this answers all of your questions!

OmarShehata11 commented 3 months ago

Great, thanks a lot. I can say that I have a little knowledge of kernel driver development. I made a simple hypervisor that virtualizes my own system, and I was aiming to use it to hook APIs, but after asking Sina, he said that I would have to put in a lot of effort to handle so many situations in order to not cause BSODs. So I suggested using an already-working driver that can help me do so for my final project.

Thanks! I'm going to add the utility of getting SSDT indexes dynamically.