Author: Aidan Khoury

Patchguard: Detection of Hypervisor Based Introspection [P2]

No Errata For U! If you haven’t already, read Part 1, which outlines three neat tricks used by Patchguard. KiErrata420Present The LSTAR MSR can be intercepted using a hypervisor to trap on reads and writes. It is the most common and efficient way to hook syscalls in most modern x86 operating systems. However, contrary to […]

Syscall Hooking via Extended Feature Enable Register (EFER)

Since the dawn of KVA Shadowing (KVAS), similar to Linux’s KPTI, which was developed by Microsoft to mitigate the Meltdown vulnerability, hooking syscalls, among other potentially malicious things, has become increasingly difficult in Windows. Upon updating my virtualization toolset, which utilizes syscall hooking strategies to assist in control flow analysis, I had trouble when trying to […]