ck0i/InfinityHook-Updated

InfinityHook

Updated kernel-mode syscall hooking library that leverages ETW infrastructure to intercept system calls without direct SSDT modification.

How It Works

The hook exploits the Circular Kernel Context Logger (CKCL), an always-available ETW session in the Windows kernel. When syscall tracing is enabled on CKCL, the kernel invokes a GetCpuClock callback on every system call - InfinityHook replaces this callback to gain execution in the syscall path, then walks the kernel stack to locate and optionally redirect the target syscall function pointer.

Two hooking paths are used depending on OS build:

Build Range              Method
<= 18363 (Win10 1909)    Direct GetCpuClock pointer replacement in WMI_LOGGER_CONTEXT
> 18363 (Win10 2004+)    HvlGetQpcBias hook via HalpTimerQueryHostPerformanceCounter path (forces GetCpuClock = 2)

The newer path also handles HalpPerformanceCounter type spoofing for physical-counter machines and maps KUSER_SHARED_DATA.QpcBias as writable for clean restore on unhook.
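The defensive counterpart to the callback replacement described above is a pointer-provenance check: a kernel callback field (such as the CKCL logger's GetCpuClock on the older build range) should resolve into the image that legitimately owns it, and a value that lands in an unrelated driver or in memory no loaded module backs is the tell-tale an integrity monitor or memory-forensics script looks for. The following C program is an added example and is not code from InfinityHook or its author; the module table, its bases and sizes, and the sample pointer values are all constructed, and on a live system they would come from the loaded-module list and the structure being audited.

```c
/* Added example (not part of InfinityHook): classify callback pointers
 * against a table of loaded-module address ranges. This is the generic
 * check a defender applies to fields such as the CKCL logger's GetCpuClock
 * callback. Every module base/size and every pointer below is constructed
 * sample data, not a real Windows address. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} module_range_t;

typedef enum {
    PTR_EXPECTED_MODULE = 0, /* inside the module that should own the callback */
    PTR_OTHER_MODULE    = 1, /* backed by a different loaded module: suspicious */
    PTR_UNBACKED        = 2  /* no loaded module covers it: highly suspicious */
} ptr_class_t;

/* Constructed module table (hypothetical addresses). */
static const module_range_t g_modules[] = {
    { "ntoskrnl.exe", 0xFFFFF80010000000ULL, 0x00A00000ULL },
    { "hal.dll",      0xFFFFF80010C00000ULL, 0x00100000ULL },
    { "example.sys",  0xFFFFF80020000000ULL, 0x00010000ULL },
};
static const size_t g_module_count = sizeof g_modules / sizeof g_modules[0];

/* Return the module whose [base, base+size) range contains ptr, or NULL. */
static const module_range_t *find_module(uint64_t ptr) {
    for (size_t i = 0; i < g_module_count; i++) {
        const module_range_t *m = &g_modules[i];
        if (ptr >= m->base && ptr < m->base + m->size)
            return m;
    }
    return NULL;
}

/* Classify one callback pointer relative to the module expected to own it. */
ptr_class_t classify_callback(uint64_t ptr, const char *expected_module) {
    const module_range_t *m = find_module(ptr);
    if (m == NULL)
        return PTR_UNBACKED;
    if (strcmp(m->name, expected_module) == 0)
        return PTR_EXPECTED_MODULE;
    return PTR_OTHER_MODULE;
}

/* Count how many of n pointers do NOT resolve into the expected module. */
size_t count_suspicious(const uint64_t *ptrs, size_t n, const char *expected_module) {
    size_t suspicious = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_callback(ptrs[i], expected_module) != PTR_EXPECTED_MODULE)
            suspicious++;
    return suspicious;
}

int main(void) {
    static const char *labels[] = { "expected module", "other module", "unbacked" };
    /* Constructed sample: one clean value, one pointing into a third-party
     * driver, one pointing into memory no module backs. */
    const uint64_t samples[] = {
        0xFFFFF80010123456ULL,
        0xFFFFF80020001000ULL,
        0xFFFFA00012345678ULL,
    };
    const size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("0x%016" PRIx64 " -> %s\n", samples[i],
               labels[classify_callback(samples[i], "ntoskrnl.exe")]);
    printf("%zu of %zu callback values are suspicious\n",
           count_suspicious(samples, n, "ntoskrnl.exe"), n);
    return 0;
}
```

The range test is deliberately half-open so the first byte past a module's end is treated as unbacked; the same classification can be run over any table of kernel callback or dispatch pointers once the live module list has been collected.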

Compatibility

  • Windows 7 SP1 (build 7601) through Windows 11 (build 22000+)
  • x64 only
  • Kernel-mode driver context (WDM/WDF)

Usage

#include "hook.hpp"

void __fastcall SyscallCallback(unsigned long call_index, PVOID *call_address)
{
    // call_index  — syscall number from the current thread
    // call_address — pointer to the function pointer on the kernel stack
    //                write to *call_address to redirect the syscall
}

// in DriverEntry or similar:
if (KHook::Initialize(SyscallCallback))
    KHook::Start();

// on unload:
KHook::Stop();

Structure

├── hook.hpp / hook.cpp    — core hooking logic (ETW control, stack walk, hook install/restore)
├── defines.h              — CKCL / ETW structs, type definitions
├── imports.hpp            — undocumented NT API imports (NtTraceControl, ZwQuerySystemInformation)
├── utils.hpp              — pattern scanning, module enumeration, KVAS-aware syscall entry resolution
└── hde/                   — HDE64 disassembler (used for KiSystemCall64Shadow traversal)

Key Internals

  • Stack walk magic: Locates syscall dispatch frames using sentinel values (0x501802 / 0x601802 and tag 0xF33) placed by the kernel's syscall handler.
  • KVAS handling: When Kernel Virtual Address Shadow is active, KiSystemCall64Shadow sits in KVASCODE. The library disassembles forward to follow the first jmp out of the section to reach KiSystemServiceUser.
  • Watchdog thread: A background system thread periodically checks hook integrity and re-installs if the GetCpuClock pointer is restored externally (builds <= 18363).
  • Pattern scanning: All internal kernel pointers (EtwpDebuggerData, HvlpReferenceTscPage, HalpPerformanceCounter, etc.) are resolved via signature scans against ntoskrnl.exe at runtime.

Credits

Based on the original InfinityHook by everdox. Updated with support for modern Windows builds, the HvlGetQpcBias hooking path, physical performance counter handling, and improved hook persistence.
