PspCidTable address

[oiramario]

PBYTE PspCidTableAddress = FindPatternImage(base, "\x48\x8B\x0D\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x49\x89", "xxx????x????xx");

Disasm could be removed.
hidden.sys size from 400KB reduce to 50KB.

[JKornev]

I thought about a pattern matching vs disasm on a design step and from my point of view a pattern matching has a much bigger chance to miss a signature or receive a wrong object. In case of disasm you scan exact place where the object should appears and it decreases a chance to get a wrong object. That is more important for me than a binary size because I do want to make a stable driver (not a PoC quality) even if it makes a tricky stuff in a kernel.

[oiramario]

Disasm cannot find PspCidTable on my win10 pro 21H1. Pattern matching is such stable in ntoskrnl on win10, okay I dont care about win7/8. Even you dont want that, switch with win ver is an other option like this:
https://github.com/inc-Majdev/Blackbone/blob/master/src/BlackBoneDrv/BlackBoneDrv.c

[JKornev]

I don't think my approach is bad just because it doesn't work on 21H1, I expect it should be easy to fix. A process hiding feature isn't completed right now and it's possible to have issues on the latest NT versions. I'm planning complete a feature soon and pretty sure it will work good enough with CidTable. I'm really don't care about it cuz there are another unsolved challenges for instance looking for a PspActiveProcessLock that is needed to respect an ActiveProcessLink synchronization to avoid list corruptions during a manipulation over it. Disasm can't find it because such object is too small and requires to trace too deep (with sub calls etc) and I even checked an ability to find it via pattern matching but as far as I remember binary pattern wasn't good enough too.

[oiramario]

Thanks for your great work again and again.
I added some code for use kdmapper to load hidden. In this progress, I see these things what your said. Maintain an offsets of these addresses with different windows version is better I think. It avoid pattern searching or disasm.

[JKornev]

@oiramario could you please provide ntoskrnl.exe from the machine where injection doesn't work

[oiramario]

ntoskrnl.zip
as you wish :)

[JKornev]

@oiramario it seems strange, I verified kernels you provided and even checked 21H1 on a VM and an analyzer should find PspCidTable without any issue. Do you have additional components on your systems that might install splicing\EAT hooks to PsLookupProcessByProcessId or PspReferenceCidTableEntry routines?

[oiramario]

log.zip
I compiled latest hidden from github and install them on hyper-V, logs and shot attached.

[JKornev]

@oiramario if you have attached debugger to VM could you please run the following commands:

uf nt!PsLookupProcessByProcessId
uf nt!PspReferenceCidTableEntry

and provide here an output

Thanks!