Utility to hook SSDT of specific process and transfer control to a service (usermode app) for handling to determine action allow/deny API call etc. currenly only NTAPI/WIN32K logging is supposeted no handlers were implemented. Ideally this should use virtualization to hook LSTAR CSTAR MSRs and don't implement own KiSystemCall.
Requirements:
- Win 7 SP1 x64
- PatchGuard Bypass ( http://fyyre.l2-fashion.de/ )
- Digital signing bypass ( use https://github.com/int0/ltmdm64_poc to exploit your system and clear g_CiEnabled or use testsiging )
- Compile
- Install driver and run svc in VM
- Drop target EXE binary in SystemDrive:\PISO
- Enjoy logged APIs
- You might want to use this to sandbox malware and collect behavioural info easy to implement because all handlers are in user-mode.
- Study code and learn kernel programming on Windows
Process Explorer is running under Process Isolator
