How to hook KiSystemService

May 14, 2009 at 7:25 PM
Edited May 14, 2009 at 7:28 PM


There is no return address if KiSystemService is called from usermode (sysenter)! Thus is easyhook able to hook on a such place or do I need to do some special things in my hook routine? And is it fundamentally necessary to call the original function inside the hook func?



May 14, 2009 at 9:37 PM

KiSystemService is the main entry point for user-kernel-mode switches? Then EasyHook will not be able to hook it properly.

My recommendation is to just place a jumper in the first bytes of this method and redirect it to your own method. Such special hooks have to be done manually.

>And is it fundamentally necessary to call the original function inside the hook func?

Of course not...

May 15, 2009 at 7:23 AM


Yes its one of the main entry point. If I place manually a hook I have no thread barrier. Futher my driver need to work on Vista. So if I place a hook by my self the system bugchecks, thanks to patchguard. How to you solve that in easyhook?



May 15, 2009 at 7:45 AM
Edited May 15, 2009 at 7:47 AM

>I have no thread barrier

You won't need it, since no kernel API will go through KiSystemService again. The thread barrier is only to protect you from loops in the call stack and in the special case of KiSystemService there shouldn't be any loops...

>How to you solve that in easyhook?

Not at all... You will have to look at my patchguard disabling driver

May 15, 2009 at 8:01 AM

Ok thanks. How do you call that mechanisms which waits while easyhook is unloading if pending threads are inside the hook functions? I need a such functionality if I place an own hook.


May 15, 2009 at 8:26 AM

the code is called on driver unloading which is done at PASSIVE_LEVEL. EasyHook just increments a counter if a thread enters the hook and the decrements it if it leaves the hook. Just plain and simple ;-). You will have to use atomic counters of course. On unloading all hooks are disabled in first place. This is done by overwriting the user defined hook callback with NULL. Internally EasyHook won't increment the mentioned thread counter if no user handler is defined (NULL). Since the unloading is done at passive level EasyHook just waits until all thread counters are zero. Now we can be sure that no thread is executing any hook handler...

RECOMMENDATiON: This is not that easy to implement and in your case I would recommend to just redirect the placed jumper to a dynamic code portion in non-paged pool. This code should also contain the absolute address of your drivers hook entry point. On unloading you could just clear the absolute address in the dynamic code portion and don't free the memory. Since we are talking about some orphaned bytes on every driver unloading, you shouldn't worry about! My PatchGuard driver is showing how to hook "unconventional" code. Just read the documentation of the project I posted above and maybe you get some inspiration how to do it ;-).




May 15, 2009 at 9:01 AM

Hm ok, could you please contact me at ICQ 263960082?