iPower / KasperskyHook

Hook system calls on Windows by using Kaspersky's hypervisor
MIT License

using kaspersky hypervisor for detour hook #2

Closed m0rethan3 closed 4 years ago

m0rethan3 commented 4 years ago

Is it possible to hide kernel memory modifications with the Kaspersky hypervisor? If it's possible, can you give me hints on where to dig in their driver?

iPower commented 4 years ago

Unfortunately, Kaspersky doesn't make use of SLAT for that. All their hypervisor does is swap IA32_LSTAR for system call hooks.