Is there any method or code example to access the SSDT in Windows 7 x64?

  • Question

  • Hello guys, I am trying to develop kernel rootkits on Win7 x64 by hooking the SSDT.

    Even though I know it is not recommended on Win7 x64 and is prohibited by Kernel PatchGuard, I am just trying this as a POC of rootkit detection.

    I tried to export symbols from the DLL using dllimport, like I did in the 32-bit architecture environment, but couldn't do it and encountered error messages when I tried to compile the driver using the WDK.

    So my question is.... Is there any other method to import the KeServiceDescriptorTable symbol or directly locate the SSDT address?

    Thanks for reading.

    Friday, January 16, 2015 3:08 PM

Answers

  • No, the OS does a lot of work to ensure you don't hook the SSDT.  Now even if you have the best of intentions, using a hook of any kind is a really stupid idea.  Most of the kernel calls are undocumented (and be aware that the descriptions of the undocumented calls that appear on the web were already inaccurate when Windows XP came out, let alone now), and even for a simple call there are sometimes rules beyond the general call that have to be observed.

    Tell us what you are trying to do (and no, "develop rootkit" is not an explanation) and we may be able to suggest an approved way of doing it.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Friday, January 16, 2015 6:00 PM

All replies

  • Thanks for your reply.

    Actually, I am developing Virtual Machine Introspection (VMI) tools for rootkit detection on the hypervisor.

    One of its functions is monitoring whether a specific memory region is rewritten maliciously by attackers.  For example, I just want to show that when a malicious driver tries to prevent deletion of some file named hack-me.txt by hooking the SSDT's nt!deletefile function (or something similar), it should be detected by my VMI tools.

    To prove its functionality, I need to hook some memory region which is usually hooked by attackers, like the SSDT, IDT, GOT, whatever.

    I know it's not recommended on Windows after XP x64, but I could find many articles that bypass PatchGuard.

    Even if it is not stable to hook and not recommended, I want to try hooking a specific function address to test whether PatchGuard works well, but I couldn't try it because of the non-exported symbols.

    I just want to try it for fun. Actually, I am focused on the Linux kernel and a dummy for Windows, so I am confused about what region I should look at, and I've heard that there are some other methods to hook important functions (maybe using callback functions in Windows?) without hooking the SSDT. If you know them, please let me know!!

    Thanks. Hyuk.

    Saturday, January 17, 2015 2:04 AM
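The detection side of what the poster describes (a VMI tool noticing that a dispatch table has been rewritten) can be shown without any kernel or hypervisor code. The following is an added example, not code from this thread, from Microsoft, or from the poster's project: it simulates a service dispatch table as a plain array of handler addresses in user space, takes a per-slot hash baseline, and on each check reports exactly which slots no longer match. The table layout, handler names and hash choice are all constructed assumptions; a real VMI layer would read the guest's memory pages instead of a local array, but the baseline-and-compare logic is the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a kernel dispatch table: an array of handler
 * addresses living in this process. A VMI tool would instead snapshot the
 * guest's table from physical memory. */
#define TABLE_ENTRIES 8
typedef uintptr_t dispatch_entry_t;

/* Baseline keeps one hash per slot plus a hash of the whole table, so the
 * common "nothing changed" case costs one comparison and the rare "something
 * changed" case still names the exact slot. */
typedef struct {
    uint64_t entry_hash[TABLE_ENTRIES];
    uint64_t whole_hash;
} table_baseline_t;

/* 64-bit FNV-1a; chosen for simplicity, not for tamper resistance. An
 * attacker who controls the baseline could forge it, so a real tool keeps
 * the baseline outside the guest (e.g. in the hypervisor). */
uint64_t fnv1a64(const void *data, size_t len) {
    const unsigned char *p = (const unsigned char *)data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the trusted state of the table (taken at a moment it is known good). */
void take_baseline(const dispatch_entry_t *table, table_baseline_t *out) {
    for (size_t i = 0; i < TABLE_ENTRIES; i++)
        out->entry_hash[i] = fnv1a64(&table[i], sizeof table[i]);
    out->whole_hash = fnv1a64(table, sizeof(dispatch_entry_t) * TABLE_ENTRIES);
}

/* Compare the live table against the baseline. Returns the number of slots
 * that differ and writes up to max_changed of their indices into changed[]. */
size_t check_table(const dispatch_entry_t *table, const table_baseline_t *base,
                   size_t *changed, size_t max_changed) {
    if (fnv1a64(table, sizeof(dispatch_entry_t) * TABLE_ENTRIES) == base->whole_hash)
        return 0; /* fast path: whole-table hash still matches */
    size_t n = 0;
    for (size_t i = 0; i < TABLE_ENTRIES; i++) {
        if (fnv1a64(&table[i], sizeof table[i]) != base->entry_hash[i]) {
            if (n < max_changed)
                changed[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed handlers standing in for real service routines. */
static int svc_open(void) { return 1; }
static int svc_delete(void) { return 2; }
static int svc_replacement(void) { return -1; }

/* End-to-end demo: baseline a clean table, overwrite one slot the way a
 * hooking driver would, and confirm the check names that slot. Returns the
 * number of changed slots detected (1) or a negative code on failure. */
int demo_detect_hook(void) {
    dispatch_entry_t table[TABLE_ENTRIES];
    for (size_t i = 0; i < TABLE_ENTRIES; i++)
        table[i] = (i % 2) ? (dispatch_entry_t)svc_delete : (dispatch_entry_t)svc_open;

    table_baseline_t base;
    take_baseline(table, &base);

    size_t changed[TABLE_ENTRIES];
    if (check_table(table, &base, changed, TABLE_ENTRIES) != 0)
        return -1; /* clean table must not alarm */

    table[1] = (dispatch_entry_t)svc_replacement; /* simulated hook of slot 1 */
    size_t n = check_table(table, &base, changed, TABLE_ENTRIES);
    if (n != 1 || changed[0] != 1)
        return -2;
    return (int)n;
}

int main(void) {
    int n = demo_detect_hook();
    printf("changed slots detected: %d\n", n); /* expected: 1 */
    return n == 1 ? 0 : 1;
}
```

The per-slot hashes are what make the alert actionable: reporting "slot 1 changed" maps directly to a service index, whereas a single whole-table hash only says that something moved. Where the baseline is stored matters as much as the comparison, which is why the comment keeps it outside the monitored guest.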
  • Actually, posting or providing code for these purposes could be considered aiding in the development of malicious code.

    Perhaps you want to do this for fun. Perhaps others would want to do this to learn how to figure out methods for creating malicious programs that cannot be detected.

    If you do not want certain files deleted, there's code available to set file permissions to not allow deletion. I suppose a virus could delete the files anyhow if it was written with the capability to do so.

    Apparently both rootkits and anti-virus software hook the SSDT. So, providing information for that here, I can guess how many would want to use it for anti-virus compared to rootkitting, considering how many people create viruses compared to how many create anti-virus software.

    My guess is 5%/95%. 5% anti-virus, 95% rootkitting.


    La vida loca

    Saturday, January 17, 2015 2:33 AM
  • Hmm.. I see. Thanks for your comments.

    But my intended question was just whether I can find the symbol in memory.

    Please ignore the other things; could you let me know whether it is possible or not?

    I think I could search for its signature but couldn't do it well.


    Saturday, January 17, 2015 6:11 AM
  • Once the earth was flat, until somebody said it was not flat and everybody else said that is impossible. Like so many things, it is possible that there is nothing which is impossible. I suppose making something possible depends on somebody's abilities and the technology available.


    La vida loca

    Saturday, January 17, 2015 6:32 AM
  • Okay, I see. Maybe I couldn't get more information from here, right?

    Thanks for all your comments. And as you told me, maybe asking this question here is not proper, I think.

    I also hope script kiddies don't use this hooking code.

    Thanks for all your kind messages. ;p

    Sunday, January 18, 2015 3:34 AM