Hook system calls on Windows by using Kaspersky's hypervisor
Kaspersky utilizes its hypervisor when hardware virtualization is supported for additional protection. It hooks system calls by changing IA32_LSTAR to point to its own syscall handler (which is basically a copy of KiSystemCall64) so it dispatches system calls to its own handlers (while doing initialization, it builds its own dispatch table).
This project loads klhk.sys (Kaspersky's hypervisor module) and a custom driver which interfaces with it to subvert the system and hook system calls.
While researching Kaspersky components, I thought it was an interesting idea to write a custom project that lets me hook system calls by using Kaspersky's hypervisor to take a closer look at what it is doing.
- Download Visual Studio 2019, WDK, clone this repository and build the solution.
- Make sure
KasperskyHook.sysandKasperskyHookLoader.exeare in the same folder. Copyklhk.systo\Windows\System32\drivers - Execute
KasperskyHookLoader.exeand have fun :D
If you followed the Build and Testing steps and set_hvm_event() returns C00000A3 or C000090B, try following these steps:
- Make sure Virtualization (VT-x/AMD-v) is supported and enabled.
- Check if there are any other hypervisors conflicting with klhk (such as other AVs)
- Delete all KasperskyHook-related services, cleanup registry information and reboot
If it still doesn't work, consider using a newer version of klhk.sys. More information: iPower#4
MAKE SURE TO ENABLE TEST MODE TO TEST THIS PROJECT. IF YOU WISH TO USE IT OUTSIDE TEST MODE, USE YOUR CUSTOM DRIVER LOADER OR SIGN THE DRIVER.
NOTE: THIS ISN'T MEANT TO BE AN EASY-TO-PASTE-DETECTION-PROOF PROJECT. I JUST WROTE THIS FOR EDUCATIONAL PURPOSES SO I WON'T BE ADDING ANY HV-HARDENING OR ANTI-DETECTION CODE.
