Hook system calls on Windows by using Kaspersky's hypervisor
MIT License
Hook system calls on Windows by using Kaspersky's hypervisor
Kaspersky utilizes its hypervisor when hardware virtualization is supported for additional protection. It hooks system calls by changing IA32_LSTAR
to point to its own syscall handler (which is basically a copy of KiSystemCall64
) so it dispatches system calls to its own handlers (while doing initialization, it builds its own dispatch table).
This project loads klhk.sys (Kaspersky's hypervisor module) and a custom driver which interfaces with it to subvert the system and hook system calls.
While researching Kaspersky components, I thought it was an interesting idea to write a custom project that lets me hook system calls by using Kaspersky's hypervisor to take a closer look at what it is doing.
KasperskyHook.sys
and KasperskyHookLoader.exe
are in the same folder. Copy klhk.sys
to \Windows\System32\drivers
KasperskyHookLoader.exe
and have fun :DIf you followed the Build and Testing steps and kaspersky::hvm_init()
returns C00000A3
or C000090B
, try following these steps:
If it still doesn't work, consider using a newer version of klhk.sys. More information: https://github.com/iPower/KasperskyHook/issues/4
MAKE SURE TO ENABLE TEST MODE TO TEST THIS PROJECT. IF YOU WISH TO USE IT OUTSIDE TEST MODE, USE YOUR CUSTOM DRIVER LOADER OR SIGN THE DRIVER.
NOTE: THIS ISN'T MEANT TO BE AN EASY-TO-PASTE-DETECTION-PROOF PROJECT. I JUST WROTE THIS FOR EDUCATIONAL PURPOSES SO I WON'T BE ADDING ANY HV-HARDENING OR ANTI-DETECTION CODE.