Author: Aidan Khoury

Fun with another PatchGuard-compliant Hook

Overview In this article, we’ll be covering a fun alternative to the treasured InfinityHook from Nick Peterson. This alternative method was discovered by Aidan Khoury following the release and subsequent patch of the EtwpGetCycleCount target by Microsoft without any acknowledgements to the original authors. This method has been tested from early Windows 10 to latest Windows […]

Read More

Patchguard: Detection of Hypervisor Based Introspection [P2]

No Errata For U! If you haven’t already, read Part 1 which outlines three neat tricks used by Patchguard. KiErrata420Present The LSTAR MSR can be intercepted using a hypervisor to trap on reads and writes. It is the most common and efficient way to hook syscalls in most modern x86 operating systems. However contrary to […]

Read More

Syscall Hooking via Extended Feature Enable Register (EFER)

Since the dawn of KVA Shadowing (KVAS), similar to Linux’s KPTI, which was developed by Microsoft to mitigate Meltdown vulnerabilities, hooking syscalls among other potentially malicious things has become increasingly difficult in Windows. Upon updating my virtualization toolset which utilizes syscall hooking strategies to assist in control flow analysis, I had trouble when trying to […]

Read More