KasperskyHook
Hook system calls on Windows by using Kaspersky's hypervisor
How does it work?
Kaspersky utilizes its hypervisor when hardware virtualization is supported for additional protection. It hooks system calls by changing IA32_LSTAR to point to its own syscall handler (which is basically a copy of KiSystemCall64) so it dispatches system calls to its own handlers (while doing initialization, it builds its own dispatch table).
This project loads klhk.sys (Kaspersky's hypervisor module) and a custom driver which interfaces with it to subvert the system and hook system calls.
Why did you write this?
While researching Kaspersky components, I thought it was an interesting idea to write a custom project that lets me hook system calls by using Kaspersky's hypervisor to take a closer look at what it is doing.
Build steps - how to use it
- Download Visual Studio 2019, WDK, clone this repository and build the solution.
- Make sure
KasperskyHook.sysandKasperskyHookLoader.exeare in the same folder. Copyklhk.systo\Windows\System32\drivers - Execute
KasperskyHookLoader.exeand have fun :D
Troubleshooting
If you followed the Build and Testing steps and set_hvm_event() returns C00000A3 or C000090B, try following these steps:
- Make sure Virtualization (VT-x/AMD-v) is supported and enabled.
- Check if there are any other hypervisors conflicting with klhk (such as other AVs)
- Delete all KasperskyHook-related services, cleanup registry information and reboot
If it still doesn't work, consider using a newer version of klhk.sys. More information: #4
MAKE SURE TO ENABLE TEST MODE TO TEST THIS PROJECT. IF YOU WISH TO USE IT OUTSIDE TEST MODE, USE YOUR CUSTOM DRIVER LOADER OR SIGN THE DRIVER.
NOTE: THIS ISN'T MEANT TO BE AN EASY-TO-PASTE-DETECTION-PROOF PROJECT. I JUST WROTE THIS FOR EDUCATIONAL PURPOSES SO I WON'T BE ADDING ANY HV-HARDENING OR ANTI-DETECTION CODE.
Demo
