conix-security / zer0m0n

zer0m0n driver for cuckoo sandbox

getKernelBase() - SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

GameProtect opened this issue · comments

Hi conix-security!,
I am developing a process-protecting driver / software.
I want to try your project on Win 8.1.

When the driver calls the getKernelBase() function, Windows gives a BSOD with:
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

Any fix? Thanks

Hi, thanks for the bug report !

We actually did not test on Win 8.1, regarding the bugcheck code, I think the "pSystemModule = &pSystemModuleInformation->Modules[0]; / imgBaseAddr = pSystemModule->Base;" are involved (access violation, but no idea why). We'll check this ASAP (not sure when, and I'm pretty sure we'll encounter other bugs...) :]

Anyway, for (stable and PatchGuard-proof) process protection software, maybe you should use ObRegisterCallbacks along with the OB_OPERATION_HANDLE_CREATE flag to filter handle opening on the processes you want to protect?

Cheers,
Adrien
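To make the suggestion above concrete, here is an added example (not zer0m0n code and not Adrien's) of the ObRegisterCallbacks approach: a pre-operation callback that rewrites DesiredAccess on handle creation and duplication for one protected process. The access-mask policy is plain C so it can be built and tested on any host; the registration itself is compiled only when BUILDING_DRIVER is defined, a macro chosen for this example. g_ProtectedPid, the altitude string and the DENIED_RIGHTS set are assumptions.

```c
#include <stdint.h>

#ifdef BUILDING_DRIVER
#include <ntddk.h>            /* WDK build: real types and ObRegisterCallbacks */
#else
typedef uint32_t ACCESS_MASK; /* host build: just enough to test the policy */
#endif

#ifndef PROCESS_TERMINATE     /* values from the Windows SDK, in case the headers lack them */
#define PROCESS_TERMINATE       0x0001
#define PROCESS_CREATE_THREAD   0x0002
#define PROCESS_VM_OPERATION    0x0008
#define PROCESS_VM_READ         0x0010
#define PROCESS_VM_WRITE        0x0020
#define PROCESS_DUP_HANDLE      0x0040
#define PROCESS_SET_INFORMATION 0x0200
#define PROCESS_SUSPEND_RESUME  0x0800
#endif

/* Rights an outside process must not obtain on the protected one (an assumed
 * policy). PROCESS_VM_READ is deliberately left in so inspection keeps working. */
#define DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                       PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | \
                       PROCESS_SUSPEND_RESUME)

/* The policy, kept free of kernel types so it can be unit-tested anywhere:
 * strip DENIED_RIGHTS when some other process opens (or duplicates a handle to)
 * the protected process; the process may still open itself, and any other
 * target is left untouched. */
ACCESS_MASK filter_process_access(ACCESS_MASK desired, uintptr_t target_pid,
                                  uintptr_t caller_pid, uintptr_t protected_pid)
{
    if (target_pid != protected_pid || caller_pid == protected_pid)
        return desired;
    return desired & ~(ACCESS_MASK)DENIED_RIGHTS;
}

#ifdef BUILDING_DRIVER
/* Assumption: the PID to protect would normally arrive from user mode via an
 * IOCTL; a fixed value stands in for that here. */
static HANDLE g_ProtectedPid = (HANDLE)(ULONG_PTR)1234;
static PVOID  g_ObHandle     = NULL;

/* Pre-operation callback: runs in the opener's context before the handle
 * exists, so rewriting DesiredAccess here is all that is needed. */
static OB_PREOP_CALLBACK_STATUS
ProcessPreOp(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    PACCESS_MASK pDesired;
    uintptr_t target = (uintptr_t)PsGetProcessId((PEPROCESS)Info->Object);
    uintptr_t caller = (uintptr_t)PsGetCurrentProcessId();
    UNREFERENCED_PARAMETER(Context);

    if (Info->KernelHandle)              /* leave kernel-mode callers alone */
        return OB_PREOP_SUCCESS;

    pDesired = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
             ? &Info->Parameters->CreateHandleInformation.DesiredAccess
             : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *pDesired = filter_process_access(*pDesired, target, caller,
                                      (uintptr_t)g_ProtectedPid);
    return OB_PREOP_SUCCESS;             /* the callback never fails the open outright */
}

NTSTATUS register_process_protection(void)
{
    OB_OPERATION_REGISTRATION op  = { 0 };
    OB_CALLBACK_REGISTRATION  reg = { 0 };

    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = ProcessPreOp;

    reg.Version                    = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration      = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000"); /* assumed altitude; use one allocated to you */

    /* Fails with STATUS_ACCESS_DENIED unless the driver is linked with /INTEGRITYCHECK. */
    return ObRegisterCallbacks(&reg, &g_ObHandle);
}

void unregister_process_protection(void)   /* call from DriverUnload */
{
    if (g_ObHandle != NULL) {
        ObUnRegisterCallbacks(g_ObHandle);
        g_ObHandle = NULL;
    }
}
#endif
```

Two practical points: the callback only sees handle creation and duplication, so it does not interfere with code already running inside the protected process, and it silently downgrades rights instead of failing the open, which is what keeps tools like Task Manager from erroring out while still being unable to terminate the target.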

Hi 0x0ach,
Thanks for the reply, I will use callbacks, so I want to try a System Service Descriptor Table hook..
Cheers,
Efe

Hi, we don't support Windows 8.1, but I have an idea of what causes the bugcheck. In the getKernelBase() function we use ZwQuerySystemInformation() and, according to the documentation: http://msdn.microsoft.com/en-us/library/windows/desktop/ms725506%28v=vs.85%29.aspx, this function is not available in Windows 8.

A quick fix would be to parse the loaded modules through the PEB; you can write x64 asm in driver code that way: http://geekswithblogs.net/kernelmode/archive/2008/03/07/120340.aspx

Cheers,
Nicolas
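Both replies point at the same spot: getKernelBase() reads Modules[0] out of the SystemModuleInformation buffer, and if the query failed or returned a short buffer that read faults. The following is an added example, not zer0m0n's getKernelBase() and not Nicolas's code, of a version that resolves ZwQuerySystemInformation at run time (so a kernel without it returns an error instead of bugchecking), sizes the buffer with the STATUS_INFO_LENGTH_MISMATCH loop, and bounds-checks the result before dereferencing it. The struct layout is the commonly used undocumented one and its field names are an assumption; the host-testable parser is plain C, the driver part is compiled only when BUILDING_DRIVER is defined (a macro chosen for this example), and the pool tag and sample base address are arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef BUILDING_DRIVER
#include <ntddk.h>
#else                          /* host build: minimal Windows type aliases */
typedef void    *PVOID, *HANDLE;
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef uint8_t  UCHAR;
#endif

/* Layout of the SystemModuleInformation (class 11) buffer. It is undocumented,
 * so drivers declare it themselves; the field names used here are an assumption. */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;
    PVOID  MappedBase;
    PVOID  ImageBase;          /* entry 0 is ntoskrnl, so this is the kernel base */
    ULONG  ImageSize;
    ULONG  Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];   /* NumberOfModules entries follow */
} RTL_PROCESS_MODULES;

/* Base of module 0, or 0 if the buffer cannot hold what its header claims.
 * Reading Modules[0] without these checks after a failed or short query is the
 * kind of access that ends in SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. */
uintptr_t kernel_base_from_buffer(const void *buf, size_t len)
{
    const size_t hdr   = offsetof(RTL_PROCESS_MODULES, Modules);
    const size_t entry = sizeof(RTL_PROCESS_MODULE_INFORMATION);
    const RTL_PROCESS_MODULES *mods = (const RTL_PROCESS_MODULES *)buf;

    if (buf == NULL || len < hdr || mods->NumberOfModules == 0)
        return 0;
    if (mods->NumberOfModules > (SIZE_MAX - hdr) / entry)
        return 0;                                   /* size arithmetic would overflow */
    if (len < hdr + (size_t)mods->NumberOfModules * entry)
        return 0;                                   /* buffer shorter than advertised */
    return (uintptr_t)mods->Modules[0].ImageBase;
}

/* Constructed sample: a one-module buffer with a fictitious base of 0x80400000,
 * parsed as if only `len` bytes of it had been returned by the query. */
uintptr_t sample_parse(size_t len)
{
    static RTL_PROCESS_MODULES sample;
    memset(&sample, 0, sizeof sample);
    sample.NumberOfModules = 1;
    sample.Modules[0].ImageBase = (PVOID)(uintptr_t)0x80400000u;
    return kernel_base_from_buffer(&sample, len);
}

#ifdef BUILDING_DRIVER
#define SYSTEM_MODULE_INFORMATION_CLASS 11
typedef NTSTATUS (NTAPI *PFN_ZwQuerySystemInformation)(ULONG, PVOID, ULONG, PULONG);

/* Resolve the routine at run time, grow the buffer until the query fits, then
 * parse with the checks above. PASSIVE_LEVEL only. */
NTSTATUS get_kernel_base(PVOID *base)
{
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"ZwQuerySystemInformation");
    PFN_ZwQuerySystemInformation query =
        (PFN_ZwQuerySystemInformation)MmGetSystemRoutineAddress(&name);
    NTSTATUS st = STATUS_UNSUCCESSFUL;
    PVOID buf = NULL;
    ULONG len = 0, ret = 0;
    int   tries;

    *base = NULL;
    if (query == NULL)
        return STATUS_NOT_IMPLEMENTED;          /* kernel does not export it */
    for (tries = 0; tries < 4; tries++) {
        st = query(SYSTEM_MODULE_INFORMATION_CLASS, buf, len, &ret);
        if (st != STATUS_INFO_LENGTH_MISMATCH)
            break;
        if (buf) ExFreePoolWithTag(buf, 'mzeK');
        len = ret + 4096;                       /* slack: modules may load between calls */
        buf = ExAllocatePoolWithTag(PagedPool, len, 'mzeK');
        if (buf == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    }
    if (NT_SUCCESS(st))
        *base = (PVOID)kernel_base_from_buffer(buf, ret);  /* ret = bytes written */
    if (buf) ExFreePoolWithTag(buf, 'mzeK');
    if (!NT_SUCCESS(st)) return st;
    return *base ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}
#endif
```

Callers must check the returned status rather than assume a non-NULL base; the original crash is what happens when that status is ignored and the (unfilled) buffer is read anyway.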

Nicolas, can you give me a Skype or Facebook address? I have some questions about
protecting processes.