
Thread: SSDT Hooks

  1. #1
    azfk
    Guest

    SSDT Hooks

    I'm trying to avoid SSDT hooks (I can't manually overwrite them, or restore the original, because that'll set off alarms). I was wondering how I could find the base of the kernel and its size, and load it into my own allocated memory.

    I know half (lol), but not the first half. The latter would be to allocate memory filled with zeros (dunno the exact API), then memcpy into it, then get proc address for the functions I need, and add or subtract to the base of my allocated memory? Since I can't remember whether the function address is relative to the base of the kernel.

    Thanks in advance
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    <script>alert(0)</script> disavowed
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by azfk:
    > I was wondering how I could find the base of the kernel
    On a 32-bit non-PAE system, it's at 0x80000000.
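The thread's premise is that the SSDT entries on the machine have been redirected and that touching them trips an alarm. From the defender's side, the cheapest form of that alarm is the range check rootkit scanners have always done: every legitimate 32-bit SSDT entry is an absolute pointer into the ntoskrnl image, so any entry that falls outside [kernel base, kernel base + image size) has been hooked. The example below is added here and is not code from either poster; the kernel base and size, and the table contents, are constructed sample values (the base is deliberately not 0x80000000 so that the check is not confused with the reply's figure), and the table is a plain array rather than a live KeServiceDescriptorTable read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: hypothetical 32-bit ntoskrnl image range (not real values). */
#define SAMPLE_KERNEL_BASE 0x80400000u
#define SAMPLE_KERNEL_SIZE 0x00200000u

/* One slot of a 32-bit service table: index into the table and the stored pointer. */
typedef struct {
    uint32_t index;
    uint32_t target;
} ssdt_entry_t;

/* A 32-bit SSDT slot is legitimate only if it points inside the kernel image.
 * Returns 1 when the target lies outside [base, base + size), i.e. looks hooked.
 * Uses an offset compare so base + size cannot wrap around 32 bits. */
int ssdt_entry_is_hooked(uint32_t target, uint32_t base, uint32_t size)
{
    uint32_t offset = target - base;           /* wraps if target < base */
    return (target < base) || (offset >= size);
}

/* Scan a service table slice and collect the indices that fail the range check.
 * Returns the number of flagged entries; at most max_flagged are written out. */
size_t scan_ssdt(const ssdt_entry_t *table, size_t count,
                 uint32_t base, uint32_t size,
                 uint32_t *flagged, size_t max_flagged)
{
    size_t hits = 0;
    for (size_t i = 0; i < count; i++) {
        if (ssdt_entry_is_hooked(table[i].target, base, size)) {
            if (hits < max_flagged)
                flagged[hits] = table[i].index;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample table: three entries inside the image, two redirected
 * into a hypothetical third-party driver mapped above the kernel. */
static const ssdt_entry_t sample_table[] = {
    { 0x25, 0x80412340u },   /* inside image  */
    { 0x42, 0x8058ABC0u },   /* inside image  */
    { 0x7A, 0xF7C01000u },   /* outside image: hooked */
    { 0xAD, 0x805F0010u },   /* inside image  */
    { 0xBA, 0xF7C01200u },   /* outside image: hooked */
};

/* Run the scan over the sample table; returns how many entries were flagged. */
size_t sample_hooked_count(void)
{
    uint32_t flagged[8];
    size_t n = scan_ssdt(sample_table,
                         sizeof sample_table / sizeof sample_table[0],
                         SAMPLE_KERNEL_BASE, SAMPLE_KERNEL_SIZE,
                         flagged, sizeof flagged / sizeof flagged[0]);
    for (size_t i = 0; i < n; i++)
        printf("SSDT index 0x%02X points outside the kernel image\n", flagged[i]);
    return n;
}

int main(void)
{
    return sample_hooked_count() == 2 ? 0 : 1;
}
```

The check only catches hooks that redirect a slot outside the image; an inline patch at the start of a real Nt* function keeps the slot's pointer inside the range and needs a byte-level comparison against the on-disk image instead. It is also specific to the 32-bit layout the thread is about: the x64 service table stores 32-bit offsets relative to the table, not absolute pointers, so the same comparison does not apply there.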

