Hi
As part of my fun side project of developing a simple EDR, I am trying to learn more about system call hooking so I could track and block system call attempts.
As I understand it now, Windows added PatchGuard so it is not possible to patch the system call table.
Does someone have any good article about the available methods to hook system calls using a driver?
Well, I am not saying there is or should be a direct API to do so.
But as an anti-virus driver in kernel space, I thought that maybe there is a way to just add some assembly instructions to each native call before calling the system call, or something similar, to jump to my code, perform some checks and then jump back.