iPower / KasperskyHook

Hook system calls on Windows by using Kaspersky's hypervisor
MIT License

Win 11 and latest driver test failed. #9

Closed ashyerv closed 2 years ago

ashyerv commented 2 years ago

VM: Install Kaspersky (get new driver). Code: fix ssdt_service_count (change sig) (old sig broken, I fixed. Got 3 versions of klhk.sys, only here no change.)

```cpp
// Scan klhk.sys .text for the signature, then apply the fixed offset used for ssdt_service_count
presult = utils::find_pattern_km(L"klhk.sys", ".text", "\x83\xE1\x01\x75\x27", "xxxxx");
if (!presult)
    return false;
presult = presult + 0xE;
```

Tested, and again it returns C000090B (VM included, returns C000090B)... emmmm, any update or etc?

klhk.zip
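The byte-exact scan behind the `find_pattern_km` call above, as an added example that is not part of the issue or of the KasperskyHook code: a user-mode `find_pattern` with an assumed 'x'/'?' mask convention, run over a constructed buffer (not real klhk.sys bytes) to show why one changed byte makes the `"xxxxx"` signature miss, and how the `+ 0xE` offset is applied after a match. The buffer contents, the wildcard mask and the `scan_offset` helper are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mask-driven byte search in the style of the issue's find_pattern_km() call
 * (assumed convention): 'x' = byte must match, '?' = wildcard. NULL if absent. */
const uint8_t *find_pattern(const uint8_t *buf, size_t len,
                            const char *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen)
        return NULL;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j;
        for (j = 0; j < plen; j++)
            if (mask[j] == 'x' && buf[i + j] != (uint8_t)pattern[j])
                break;
        if (j == plen)
            return buf + i;
    }
    return NULL;
}

/* Byte offset of the first match, or -1; the issue then adds 0xE to it. */
long scan_offset(const uint8_t *buf, size_t len, const char *pattern, const char *mask)
{
    const uint8_t *p = find_pattern(buf, len, pattern, mask);
    return p ? (long)(p - buf) : -1;
}
#define SSDT_COUNT_OFFSET 0xE  /* from the issue; what sits there in klhk.sys is not modelled */

/* Constructed .text stand-ins (NOT real klhk.sys bytes): old_text holds the
 * issue's 5-byte sequence at offset 6; new_text changes its last byte
 * (0x27 -> 0x2A), as a relocated short-jump displacement would. */
static const uint8_t old_text[25] = {
    0x90,0x90,0xCC,0x48,0x8B,0xC1,0x83,0xE1,0x01,0x75,0x27,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xB8,0x11,0x22,0x33,0x44 };
static const uint8_t new_text[25] = {
    0x90,0x90,0xCC,0x48,0x8B,0xC1,0x83,0xE1,0x01,0x75,0x2A,0x90,0x90,
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xB8,0x11,0x22,0x33,0x44 };

int main(void)
{
    const char *sig = "\x83\xE1\x01\x75\x27";     /* signature from the issue */
    printf("old/xxxxx: %ld\n", scan_offset(old_text, sizeof old_text, sig, "xxxxx"));
    printf("new/xxxxx: %ld\n", scan_offset(new_text, sizeof new_text, sig, "xxxxx"));
    printf("new/xxxx?: %ld\n", scan_offset(new_text, sizeof new_text, sig, "xxxx?"));
    return 0;
}
```

Wildcarding the displacement byte (`"xxxx?"`) is the usual way to keep such a signature valid across rebuilds; whether that is safe for this particular site in klhk.sys has to be checked against the disassembly.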

hooktems commented 2 years ago

Hi, new sig in this source: https://github.com/alexcard144803/KasperskyHook_NewKSDriver/blob/main/KasperskyHookDrv/kaspersky.cpp. And if you know, can you help me with the PAGE_FAULT_IN_NON_PAGED_AREA problem?

ashyerv commented 2 years ago

Sorry, I can't help you. I haven't met that; only the sig changed. Fixed it, but set_hvm_event() returns C000090B, can't work, even though I used the latest klhk.sys again....

iPower commented 2 years ago

That might be because this klhk.sys version doesn't support your Windows 11 build. Kaspersky has a hardcoded table for Shadow SSDT so that might be the issue.

ashyerv commented 2 years ago

> That might be because this klhk.sys version doesn't support your Windows 11 build. Kaspersky has a hardcoded table for Shadow SSDT so that might be the issue.

Maybe... no? Hooking NtCreateFile, if I start the driver, will give me `set_hvm_event() return C000090B`, like checking something not started. I use auto get SSDT index (not Shadow SSDT).. (VMware tested Get SSDT index)

Latest driver doesn't support Win 11? (Kaspersky)

iPower commented 2 years ago

If you take a look at klhk.sys initialization it fails if your Windows build isn't present in their Shadow SSDT hardcoded table.

ashyerv commented 2 years ago

> If you take a look at klhk.sys initialization it fails if your Windows build isn't present in their Shadow SSDT hardcoded table.

Oh, ok, thanks for your help, have a nice day :)

iPower commented 2 years ago

Btw thanks for letting me know that the sig is outdated! I'm updating it right now.