Cheat Engine

NoMercy · Posted: Wed Sep 07, 2011 8:35 am Post subject: Hooking in the kernel

Hello,

I'm new, not really true but now I wanna dive into it, in kernel coding. I know how to make a simple driver which reads memory and do a few things. I'm just doing this as learning, so there is no real goal I want to reach. But I've got a few questions.

1) I can do everything in x64, like hooking Nt (Zw are higher and call Nt eventually right), and/or patching stuff like in 32-bit. I can load my driver in 64-bit win7 now, f8->startup.

2) Hooking function, for example NtOpenProcess, all examples are this, has to be with the KeServiceDescriptorTable->ServiceTable? It seems SSTD hooking is very wide spread and easy detected, not that I care about that. But I would like to learn a good begin.

3) There seems a lot which is undocumented, are there sites which help me with this? Or I've to write a lot in ASM to?

4) a Variable as KdDebuggerEnabled is false, but it changes to true when a debugger is found? Let's say I wanna debug everything without getting detected, I should create a trhead which will be looping it to false? Sounds silly to me, so finding the function from Microsoft which change it to true, and hook there a bit?

5) What's a good and not to hard for a beginner (still I'm willing to spend lot of time) but also fun, perhaps even with a usefull result (undetected debugger or something, or is this impossible for a beginner)?

6) Do I've to read a lot about windows working? Or more about the processor (intel i5 in my case)?

Think that's all I've to ask now, I hope you can help me learning to code in kernel.

Thanks for reading, grz

NM

Dark Byte · Posted: Wed Sep 07, 2011 9:19 am Post subject:

1:
Nt will call Zw eventually, not the other way around
Also, in 64-bit you need a "Real" cracked version of windows where the integrity check is disabled

2: It's one method yes(not usable in 64-bit). Alternatively you can change the kethread's address of the servicedescriptortable instead

3: Asm isn't really needed, as long as you're able to change bits in system registers and memory addresses it's not needed to go low level asm.
Just google for stuff you want to know or ask at places

4: KdDebuggerEnabled is only true if a kernelmode debugger is attached. E.g booting up with debug mode and using windbg (don't ask)

5: No idea, if you're on 32-bit try hooking the pagefault and interrupt handler interrupt. Pretty useful information you get with those. Will be difficult but I don't know anything better.
If you're on 64-bit this is too difficult for a beginner (disabling patchguard or writing a virtual machine, then offload the running os into that virtual machine and capture the interrupts before windows gets them)

6: Yes, and yes

NoMercy · Posted: Wed Sep 07, 2011 10:52 am Post subject:

So it's impossible to hook a zw function global in the kernel in 64 bit? Is it possible to place some kind of HWBP on the function and "modify" it like that?

It's quite frustating to debug in win 7 64 bit, nothing works fine etc.

Is it worth downloading VmWare and then use win7 32 bit if I want to learn better hacking? Or should I stick to 64 bit? Does 32 bit have a feature?

Edit: Function as ObRegisterCallback or Kb.... Ps.. can I hook them in 64 bit?