Sunday 13 October 2013

Detouring x86 System Call stub - KiFastSystemCall

Hi,

Today, this blog is not much technical\tutorial but a snippet of detouring KiFastSystemCall.

KiFastSystemCall is the lowest level API available in Windows Application Level Layer (Ring3), all application' calls pass from KiFastSystemCall, KiFastSystemCall redirects all those controls onto the Windows Kernel via a instruction called sysenter.
As KiFastSystemCall is lowest level API available in Usermode layer, detouring that means we can subvert objects such as - Processes, Files, Network Connections and everything.
This detour can be used as a Anti-Malware scheme as even the most notable malware such as ZeuS, SpyEye, Citadel do not detour this low, so they become completely visible to us. We can even block some of their functionality such as Web injects and such.

As the code is too big to be in a single screenshot. I put it for download in MediaFire:

Download Link: http://www.mediafire.com/download/wn2x8lw4av627jr/KiFastSystemCall+Hook.cpp

This detour does nothing special, but if you have a idea in mind - Usermode Ring3 AV, System Call Analyser etc. Feel free to incorporate this into your Software\Application. This detour is not global although if you perform Code Injection into other processes this has the abillity to become System-Wide, but as said before this lies in your hands.

Note:
For those who have x64 bit PC's do be aware that this code will not work as KiFastSystemCall is not the System Call Stub for x64. I am going to be posting the System Call Stub detour for x64 bit PC's - X86SwitchTo64BitMode.

Thanks!

1 comment:

  1. Great! I was lokking for something like this for 2weeks i guess - thanks a lot.
    I just needed any clue to make something like "Anti-Malware" :D
    Ideal.

    ReplyDelete