MSR_LSTAR syscall hook issue with parameters

[ingame1128]

So I mentioned this already in private but when you try hooking for example ZwQueryVirtualMemory which has more than 4 parameters (after RCX, RDX, R8, R9) aka some on the stack like the 5th and 6th for example, those parameters will be invalid in the hook and therefore the original call of the syscall will usually fail and screw the whole operating system up.

Testing done on windows 8.1, compiled with Visual Studio 2013 using MSR_LSTAR hooking method.

[ingame1128]

Alright so I managed to fix the issue. The problem was that the KiSystemCall64 emulator was missing some crucial code from KiSystemServiceCopyStart which will copy all the arguments from the stack. Furthermore the way this is done is obvious when looking at the code in ntoskrnl.exe or when debugging the current broken one step by step. Another thing to note is that the ArgTble[ssdt_index] should be the number of parameters passed to the stack and not the whole number of parameters of the function.

Thats that!

[DarthTon]

Maybe you can make a pull request then?

[ingame1128]

I will see what I can do I am 2 lazy at the moment and am just messing with this.

[Maffelz]

Kolo, what about stop copy and pasting for your iwebz cheat?

Edit: that's what you get ;)

[rohaaan]

Hi,

Any further updates??

[rohaaan]

Lets work it out and resolve the issue...

[rohaaan]

where should the code of KiSystemServiceCopyStart be added in the KiSystemCall64_emulate function??

[RangeMachine]

@DarthTon, your jmp actually points to
https://hastebin.com/ezijuqunaz.css

To fix this you need instead jump to
https://hastebin.com/uhegubamiq.css
Screenshot
\x48\x89\x45\xB0\x48\x89\x4D\xB8\x48\x89\x55\xC0\x49

It will parse arguments currectly.

Also too pass arguements counter into function you can use that:
LONG argumentsCount = (LONG)(((PLONG)g_pSSDT->ServiceTableBase)[index]) & 0xF; InterlockedExchange8(&g_arguments[index], (CHAR)argumentsCount);