Boys, I was digging through some recent research on syscall hooking and finally found a clean approach for Windows 11 kernel-mode communication. We all know how much of a headache win32k.sys data pointer hooks can be lately with the latest OS patches, but this framework actually handles it without getting flagged by basic integrity checks.
Tech Overview:
This is a lightweight UM-KM communication framework leveraging a NtUserGetPointerProprietaryId hook. It is currently a PoC, but it is built to be modular. You can swap out the dummy attach/BugCheck routines for whatever your project needs.
Technical Specs:
- Kernel Architecture: Relies on KernelCloak (credits to Helzsky) for dynamic routine imports from ntoskrnl and win32k. This is way cleaner than dealing with static address resolution that breaks every time Windows pushes a minor update.
- Hook Method: win32k.sys .data ptr hook.
- Usermode Interface: Clean C/C++ implementation for the communication layer.
The Plan:
The current build is just a skeleton. I am planning to push updates to include raw physical memory R/W capabilities and a dynamic syscall resolver to replace the hardcoded offsets. Once those are integrated, this could serve as a solid base for a private DMA provider or an external driver.
The use of NtUserGetPointerProprietaryId is a clever way to mask the communication channel. If you are trying to port your own features into this, make sure you are handling the synchronization correctly between your usermode loop and the kernel routine, especially if you plan on adding more complex logic like injection or stealth memory reading.
Source & Binaries:
I am holding off on the direct links until the project stabilizes a bit more and the binaries get proper approval. In the meantime, I wanted to see if anyone else here is experimenting with syscall hooking on the latest builds.
Has anyone else successfully implemented dynamic syscall resolution on Windows 11 without triggering PatchGuard? If you have, drop your thoughts on how you are handling the transition between the UM and KM layers—I am curious if anyone has found a more efficient way to avoid handle-stripping.
If anyone manages to port their own R/W functions into this framework, post your results below. Looking for feedback on stability during heavy load.