Hooked function is called again and again #1
Comments
Hi, (2) Windows enables a kernel security mechanism named "PatchGuard". PatchGuard checks the kernel's integrity periodically, so a hooked (modified) SSDT will crash Windows. So, for 64-bit Windows, hooking the SSDT is not a good way; how to bypass PatchGuard is a challenge.
Hi, I was new to hooking 5 months ago, so I didn't know much about it. But now I am, and I have reviewed the code. This is valid only for hooking a single API, but if I want to hook multiple APIs through it, how can it be done?
Hi, the basic idea for hooking is to replace the original function's address with your new function's address, so if you want to hook multiple APIs, maybe you can first find the original function's address (e.g., the target function's index in the SSDT), then replace its address with the new function.
Basically, here you map the address of KeBugCheckEx, which is inside ntoskrnl.exe, and place the offset in the SSDT index so the call is redirected towards it. But if I place an offset of my API directly in the SSDT index, the call does not come into my API.
Is there any solution for that problem?
@abdullahtoqeer523, hi, I am so sorry, I have not studied hooking the SSDT for a long time. Generally, for 64-bit Windows, it is not a good way to hook the SSDT due to the PatchGuard protection.
When we load the driver in a VM, the hooked function is called recursively and doesn't stop until we stop the driver service. If we don't stop it, it may crash Windows. Also, the driver is only working in debug mode and not in release mode. I am using VS 2019. Kindly help.