I was pointed at a really interesting article this week and thought I'd share.
It turns out in Windows Vista x64 and later you can ask the kernel to invoke a callback on transition out of kernel mode. KPROCESS has a field called InstrumentationCallback that you can set with a call to NtSetInformationProcess with a ProcessInfoClass of 0x28 and a InputBuffer that contains the pointer to your callback.
Advantages:
- User mode only, no driver or kernel debugger required
- Affects the entire process (including injected threads)
- Windows x64 only
- Apparently doesn't work on WOW64 (though maybe some jiggery-pokery could get it done)
- Required Dr7 to be set in most cases so not great at catching malicious actors
The original article: Windows x64 system service hooks and advanced debugging and check out the author's blog http://everdox.blogspot.com/ for other interesting RE posts.
No comments:
Post a Comment