Hooking Shadow and normal SSDT with Kaspersky Hypervisor and abusing alignment

iomeone/pwn3d_align

pwn3d_align

pwn3d_align is an x64 Windows driver created to monitor, hide, or block access to processes, objects and files using SSDT/Shadow SSDT hooks that abuse alignment.

KasperskyHook

This technique modifies klhk.sys, the "Kaspersky Lab service driver". It is the antivirus's legitimate driver; more information can be found in the original repo.

The original intention was to monitor malware behaviour on the system; the main goal is not to bypass antivirus or anti-cheat solutions, although that can be done anyway.

Compatibility

Let's call 'Kaspersky hooks' everything that can be done by modifying klhk.sys.

When the USE_KASPERSKY definition is set, the project uses Kaspersky hooks, which are compatible with Windows 7/8/8.1 and 10. Intel and AMD are both supported, but virtualization must be enabled in the BIOS.

When USE_KASPERSKY is not set, the project uses SSDT and Shadow SSDT hooks, which are hardcoded to Windows 7 7601 SP1 (x64, of course) only. In this mode PatchGuard NEEDS TO BE TURNED OFF, as it checks these tables.

Hooks

  • NtQuerySystemInformation
  • NtOpenProcess
  • NtAllocateVirtualMemory
  • NtFreeVirtualMemory
  • NtWriteVirtualMemory
  • NtLoadDriver
  • NtDeviceIoControlFile
  • NtUserFindWindowEx
  • NtUserWindowFromPoint
  • NtUserBuildHwndList
  • NtGetForegroundWindow
  • NtUserQueryWindow

Compilation, Installation and Usage

Visual Studio 2019 is required, with SDK/WDK 1903. Compilation is simple: just open the project and build it using the IDE.

No driver certificate is provided; either load the driver with test signing mode enabled or sign it yourself using a valid certificate.

A debug log is generated by default; you can use a tool like DebugViewer to see those logs. Use TestHide.exe to check whether things are actually working.

KasperskyHook can be used without triggering PatchGuard; no actual hooks can be found or checked in the normal way.

Important note: KasperskyHookLoader.exe should be used to load the driver if the USE_KASPERSKY flag is enabled; otherwise you can load the driver in the ordinary way.
