Shady shenanigans collection
nefarius last edited by nefarius
This post is about SSDT patching to perform API hooking within the kernel instead of the classic user mode hooking using remote threads and things like that.
SSDT hooking is as far as I know the lowest level technique to replace/hook/intercept/whatever API and for this reason has been used for years both by malwares writers and AV vendors.
Sometimes, we run into a situation when we badly need to hook some kernel function, but are unable to do it via conventional PE-based hooking. This article explains how kernel functions can be directly hooked. As a sample project, we are going to present a removable USB storage device as a basic disk to the system, so that we can create and manage multiple partitions on it (for this or that reason, Windows does not either allow or recognize multiple partitions on removable storage devices, so we are going to cheat the system). On this particular occasion, we will hook only one function, but the approach described in this article can be extended to handle multiple functions (for example, one of my projects required direct hooking of quite a few functions from the NDIS library). You should clearly realize that this article is about direct hooking and not about dealing with USB storage, so please don't tell me that the sample problem may have been solved differently.
List ow Windows kernel exploits.
ctftool, an interactive command line tool to experiment with CTF, a little-known protocol used on Windows to implement Text Services. This might be useful for studying Windows internals, debugging complex issues with Text Input Processors and analyzing Windows security.
TitanHide is a driver intended to hide debuggers from certain processes. The driver hooks various Nt* kernel functions (using SSDT table hooks) and modifies the return values of the original functions. To hide a process, you must pass a simple structure with a ProcessID and the hiding option(s) to enable, to the driver. The internal API is designed to add hooks with little effort, which means adding features is really easy.
ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. It hooks various functions to hide debugging. This tool is intended to stay in user mode (ring 3). If you need kernel mode (ring 0) Anti-Anti-Debug, please see TitanHide.
EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot manager, boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).
Universal PatchGuard and Driver Signature Enforcement Disable
Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).
Windows memory hacking library
API to work with Win32 process memory and hardware breakpoints
Memory reading and Writing for C# / VB / .Net Applications.
x64 PE injector with kernel handle elevation and thread hijacking capabilities
A lightweight native DLL mapping library that supports mapping directly from memory
ASI Loader is the tool that loads custom libraries with the file extension .asi into any game process.
MemoryModuleis a library that can be used to load a DLL completely from memory - without storing on the disk first.
This is a pseudo-driver module that intends to improve compatibility and stability in games using Direct3D 8 for rendering by converting all API calls and lowlevel shaders to equivalent Direct3D 9 ones. By that it also opens those games to the new possibilities from proven tools and wrappers written for Direct3D 9.
d912pxy is a way to make games that use DirectX 9 use DirectX 12 instead, without changing any game code.
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.