System call hooking

Hi :)
As part of my fun side project of developing a simple EDR, I am trying to learn more about system call hooking so I could track and block system call attempts.
As I understand it now, Windows added PatchGuard, so it is not possible to patch the system call table.
Does someone have any good article about the available methods to hook system calls using a driver?

Thanks in advance

PatchGuard exists to prevent malware from doing this. What makes you think that your program should be able to do it?

Well, I am not saying there is or should be a direct API to do so.
But as an anti-virus driver in kernel space, I thought that maybe there is a way to just add some assembly instructions to each native call before calling the system call, or something similar, to jump to my code, perform some checks and then jump back.

Virtualization is one option, e.g. loading a type 2 hypervisor to place EPT-level hooks (thus avoiding PG). From the kernel there are ETW-based hooks, like InfinityHook, that allow hooking system calls as well as other things.
Check out this reference: Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass | the-deniss.github.io

If there was, that's what the virus script kiddies would be using, n'est-ce pas?

According to common sense, the various filtering frameworks and callback mechanisms provided by Microsoft are sufficient for the implementation.
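To make the last reply concrete, here is an added example (not code from any poster in this thread) of the supported route for an EDR driver: instead of patching the SSDT, register a process-creation callback with the documented `PsSetCreateProcessNotifyRoutineEx` API and veto a launch by setting `CreationStatus`. The block is split in two so the decision logic can be unit-tested without a kernel: the policy function `edr_should_block` and the denylist entries are constructed for this example, and the driver part is guarded by an assumed build define `EDR_KERNEL_BUILD` that you would set only when compiling with the WDK.

```c
// Added example for this thread: supported process-creation callback for an EDR driver.
// Portable part (policy) compiles anywhere; the kernel part needs the WDK.
#include <stddef.h>
#include <wchar.h>

// Constructed denylist: deny any image whose NT path ends with one of these suffixes
// (case-insensitive). Real EDRs would use hashes/signatures; this keeps the example small.
static const wchar_t *const kDenySuffixes[] = {
    L"\\downloads\\evil.exe",   // constructed sample entry
    L"\\temp\\dropper.exe",     // constructed sample entry
};

static wchar_t to_lower_ascii(wchar_t c)
{
    return (c >= L'A' && c <= L'Z') ? (wchar_t)(c + 32) : c;
}

// Policy decision: returns 1 if creation of the image at `path` should be blocked, else 0.
// `path_len` is the length in characters (UNICODE_STRING buffers are not NUL-terminated).
int edr_should_block(const wchar_t *path, size_t path_len)
{
    for (size_t i = 0; i < sizeof kDenySuffixes / sizeof kDenySuffixes[0]; i++) {
        const wchar_t *suf = kDenySuffixes[i];
        size_t suf_len = wcslen(suf);
        if (suf_len > path_len) {
            continue;                       // suffix longer than the whole path: cannot match
        }
        const wchar_t *tail = path + (path_len - suf_len);
        size_t j;
        for (j = 0; j < suf_len; j++) {
            if (to_lower_ascii(tail[j]) != to_lower_ascii(suf[j])) {
                break;
            }
        }
        if (j == suf_len) {
            return 1;
        }
    }
    return 0;
}

#ifdef EDR_KERNEL_BUILD   /* assumed build define: set only when compiling with the WDK */
#include <ntddk.h>

// Called by the kernel on every process creation (CreateInfo != NULL) and exit (CreateInfo == NULL).
static void EdrProcessNotify(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(Process);
    if (CreateInfo == NULL) {
        return;                             // process exit: nothing to vet
    }
    if (CreateInfo->ImageFileName != NULL &&
        edr_should_block(CreateInfo->ImageFileName->Buffer,
                         CreateInfo->ImageFileName->Length / sizeof(WCHAR))) {
        // Setting CreationStatus is the documented way to veto the launch from this callback.
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
        DbgPrint("edr: blocked pid %p (parent %p)\n", ProcessId, CreateInfo->ParentProcessId);
    }
}

static void EdrUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(EdrProcessNotify, TRUE);   // TRUE = unregister
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = EdrUnload;
    // The driver image must be linked with /INTEGRITYCHECK, or registration fails with STATUS_ACCESS_DENIED.
    return PsSetCreateProcessNotifyRoutineEx(EdrProcessNotify, FALSE);
}
#endif
```

The same pattern extends to the other supported hooks the reply alludes to: `ObRegisterCallbacks` for handle operations, `CmRegisterCallbackEx` for registry access, and a minifilter for file I/O. None of them touch the SSDT, so they coexist with PatchGuard and survive Windows updates; the trade-off is that you see the events Microsoft chose to expose rather than every raw syscall.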