SysNOP System Call Modifier

SysNOP is a Windows system driver that filters calls from user mode to kernel mode. It hooks the Sysenter/Syscall and Int 2E entry points to temporarily reroute every user-to-kernel-mode transition through its filter function. This allows SysNOP to apply a filter rule set that allows or denies system calls based on stack contents and the caller's process state. What does this mean exactly? SysNOP can check the arguments on the stack that are passed to the system call, the thread or process ID, the kernel process name, and even pointers on the stack to user-mode data. It can filter any system call passed to it, including anything in the SSDT or Shadow SSDT, although I have not entered a name list for the shadow table.

I wrote this a little while ago, primarily for my own use, to protect my systems from various things for which there were no good solutions. I have used it to effectively stop several things, including PDF file exploits in a reader application, the Meterpreter loading itself, some viruses that use DLL injection, and some browser exploits, either through routine activity or intentional testing. There are many ways to use it in personal and server situations. Because it runs in kernel mode, no user-mode application can outright kill it, disable it, or interrupt it, which limits a malicious application's ability to turn it off. It does not scan for specific programs; it just runs rules, similar to how iptables does. It is simple, and it was designed so that it would not cause a significant slowdown of the system. Global rules are very easy to implement. It is essentially a simple kernel firewall.
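As an added illustration (not SysNOP's own code, which is written in assembly), the following C model shows how a first-match rule set of the kind described above can be evaluated against a captured system call; the rule layout, field names and the syscall index 0x25 are assumptions made for this example.

```c
#include <string.h>
#include <stdint.h>
enum action { ALLOW = 0, DENY = 1 };
#define ANY_SYSCALL 0xFFFFFFFFu
#define ANY_ARG     (-1)

/* Snapshot of one user-to-kernel transition as captured at the hook. */
struct syscall_ctx {
    uint32_t index;        /* SSDT index (EAX at Sysenter/Int 2E) */
    char     process[16];  /* kernel process image name */
    uint32_t args[8];      /* arguments copied from the caller's user stack */
    size_t   nargs;
};

/* One filter rule: match on syscall index, process name and one stack argument. */
struct rule {
    uint32_t    index;     /* ANY_SYSCALL matches every index */
    const char *process;   /* NULL matches every process */
    int         arg_slot;  /* ANY_ARG skips the argument check */
    uint32_t    arg_mask;  /* bits that must all be set in args[arg_slot] */
    enum action act;
};
static int rule_matches(const struct rule *r, const struct syscall_ctx *c) {
    if (r->index != ANY_SYSCALL && r->index != c->index) return 0;
    if (r->process && strcmp(r->process, c->process) != 0) return 0;
    if (r->arg_slot != ANY_ARG) {
        if ((size_t)r->arg_slot >= c->nargs) return 0;  /* argument absent: no match */
        if ((c->args[r->arg_slot] & r->arg_mask) != r->arg_mask) return 0;
    }
    return 1;
}

/* First matching rule wins, like an iptables chain; the default policy is ALLOW. */
enum action filter_syscall(const struct rule *rules, size_t n, const struct syscall_ctx *c) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], c)) return rules[i].act;
    return ALLOW;
}

/* Constructed rule set (0x25 is a placeholder, not a real SSDT index): deny that
 * syscall from reader.exe when argument 1, read as an access mask, has bit 0x2 set. */
static const struct rule SAMPLE_RULES[] = {
    { 0x25, "reader.exe", 1, 0x2, DENY },
    { ANY_SYSCALL, NULL, ANY_ARG, 0, ALLOW },
};

enum action check_sample(uint32_t index, const char *proc, uint32_t arg1) {
    struct syscall_ctx c = { index, "", { 0, arg1, 0 }, 3 };
    strncpy(c.process, proc, sizeof c.process - 1);  /* process[15] stays '\0' */
    return filter_syscall(SAMPLE_RULES, 2, &c);
}
```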

It is not designed for 64-bit versions of Windows; maybe I will port it at some point. It was written entirely in assembly: since I usually write in C, I decided to write something completely in assembly for fun. It should work without problem on SMP machines with up to 32 processors, although I have not had the opportunity to test it on machines with more than a few processors.


©2010 NOP Security