Search found 7 matches

by pointer
Wed Apr 10, 2019 11:21 pm
Forum: User-Mode Development
Topic: How to hook EnumWindows() to prevent a target application from enumerating any window of my software?
Replies: 2
Views: 180

How to hook EnumWindows() to prevent a target application from enumerating any window of my software?

I have the following code, which is able to hook the EnumWindows() function and works fine. But the target application (a third party's application) crashes when the DLL is injected. This could be solved, for example, by making this code prevent the target application from enumerating only the windows of my software and then call or...
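An added example of the pass-through pattern for an EnumWindows() hook, written here for illustration and not the poster's code (their snippet is not shown above): the replacement function keeps the target's own callback and lParam intact and only skips windows owned by one chosen process, so the target never sees a callback or return value it did not expect. The hooking mechanism (the DDetours library's InterceptCreate/InterceptRemove) and the HIDE_WINDOWS_PID environment variable used to tell the injected DLL which process to hide are assumptions of this example.

```delphi
library EnumWindowsFilter;

{ Added example, not the poster's code. Injected into the target process, it
  replaces EnumWindows() with a version that hides the windows of one chosen
  process and passes everything else to the target's own callback unchanged.
  Assumptions: the DDetours library (InterceptCreate/InterceptRemove) as the
  hooking mechanism, and an environment variable HIDE_WINDOWS_PID set by the
  injector to tell the DLL which process's windows to hide. }

uses
  Windows, SysUtils, DDetours;

type
  TEnumWindowsFunc = function(lpEnumFunc: TFNWndEnumProc; lParam: LPARAM): BOOL; stdcall;
  // Typed form of the target's callback; TFNWndEnumProc is an untyped pointer.
  TWndEnumProc = function(Wnd: HWND; lParam: LPARAM): BOOL; stdcall;

  { The target's real callback and its real lParam, carried to our wrapper
    through the lParam slot. Both are handed back to the target untouched. }
  PEnumContext = ^TEnumContext;
  TEnumContext = record
    OriginalCallback: TWndEnumProc;
    OriginalParam: LPARAM;
  end;

var
  TrampolineEnumWindows: TEnumWindowsFunc = nil;  // calls the real EnumWindows
  HiddenPid: DWORD = 0;                           // assumed: read from HIDE_WINDOWS_PID

function IsHiddenWindow(Wnd: HWND): Boolean;
var
  OwnerPid: DWORD;
begin
  OwnerPid := 0;
  GetWindowThreadProcessId(Wnd, @OwnerPid);
  Result := (HiddenPid <> 0) and (OwnerPid = HiddenPid);
end;

{ Wrapper callback. Hidden windows are skipped (True = keep enumerating);
  all others go to the target's callback with the target's lParam, and its
  stop/continue decision is returned as-is. }
function FilterWndEnumProc(Wnd: HWND; lParam: LPARAM): BOOL; stdcall;
var
  Ctx: PEnumContext;
begin
  Ctx := PEnumContext(lParam);
  if IsHiddenWindow(Wnd) then
    Result := True
  else
    Result := Ctx^.OriginalCallback(Wnd, Ctx^.OriginalParam);
end;

{ Replacement for EnumWindows(). EnumWindows is synchronous, so a context on
  this stack frame stays valid for the whole enumeration. }
function HookedEnumWindows(lpEnumFunc: TFNWndEnumProc; lParam: LPARAM): BOOL; stdcall;
var
  Ctx: TEnumContext;
begin
  if (lpEnumFunc = nil) or (HiddenPid = 0) then
  begin
    Result := TrampolineEnumWindows(lpEnumFunc, lParam);  // nothing to filter
    Exit;
  end;
  Ctx.OriginalCallback := TWndEnumProc(lpEnumFunc);
  Ctx.OriginalParam := lParam;
  Result := TrampolineEnumWindows(@FilterWndEnumProc, LPARAM(@Ctx));
end;

procedure DllMain(Reason: Integer);
begin
  case Reason of
    DLL_PROCESS_ATTACH:
      begin
        HiddenPid := StrToIntDef(GetEnvironmentVariable('HIDE_WINDOWS_PID'), 0);
        @TrampolineEnumWindows := InterceptCreate(@EnumWindows, @HookedEnumWindows);
      end;
    DLL_PROCESS_DETACH:
      if Assigned(TrampolineEnumWindows) then
      begin
        InterceptRemove(@TrampolineEnumWindows);
        TrampolineEnumWindows := nil;
      end;
  end;
end;

begin
  DllProc := @DllMain;
  DllMain(DLL_PROCESS_ATTACH);
end.
```

The points that matter for stability are that the replacement keeps the exact stdcall signature of EnumWindows(), returns the real function's result, and never alters the lParam the target passed to its own callback; the filtering happens only in the wrapper callback, which the target never sees.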
by pointer
Fri Feb 08, 2019 1:26 pm
Forum: User-Mode Development
Topic: [DELPHI] How to execute a batch file via ShellExecute from an app launched by a service?
Replies: 2
Views: 993

Re: [DELPHI] How to execute a batch file via ShellExecute from an app launched by a service?

What does the code look like which spawns the VCL app from the service? The VCL app might have issues with the user environment. Post your code for executing the VCL app from the service; I assume in the service you're using CreateProcessAsUser() or similar? * Basically, ShellExecute() isn't an API...
by pointer
Sat Feb 02, 2019 12:44 pm
Forum: User-Mode Development
Topic: [DELPHI] How to execute a batch file via ShellExecute from an app launched by a service?
Replies: 2
Views: 993

[DELPHI] How to execute a batch file via ShellExecute from an app launched by a service?

I have a simple Delphi VCL form app that is executed in the NT AUTHORITY\SYSTEM account via a service app. I have a batch file that will finalize the service and VCL processes and then delete the EXE files. To execute the batch file, I'm using ShellExecute(): procedure TForm1.Button1Click(Sender:...
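An added example, not the poster's code (their ShellExecute() call is cut off above), that illustrates the alternative the reply in this thread points towards: starting cmd.exe directly with CreateProcess() so that running the batch file does not depend on the shell state of the SYSTEM context the VCL app inherited from the service. The function name, the hidden-window flags and the decision not to wait for the batch file are choices made for this example.

```delphi
unit BatchLauncher;

{ Added example, not the poster's code. Runs a batch file by starting cmd.exe
  directly with CreateProcess() instead of ShellExecute(), so no shell
  association or user-profile state is needed in the SYSTEM context. }

interface

uses
  Windows;

function RunBatchDetached(const BatchPath: string; out LastError: DWORD): Boolean;

implementation

uses
  SysUtils;

{ Path of cmd.exe taken from the system directory rather than from PATH or
  %ComSpec%, neither of which should be trusted by a SYSTEM process. }
function CmdExePath: string;
var
  Buf: array[0..MAX_PATH] of Char;
  Len: UINT;
begin
  Len := GetSystemDirectory(Buf, MAX_PATH);
  SetString(Result, Buf, Len);
  Result := IncludeTrailingPathDelimiter(Result) + 'cmd.exe';
end;

function RunBatchDetached(const BatchPath: string; out LastError: DWORD): Boolean;
var
  CmdLine, WorkDir: string;
  StartupInfo: TStartupInfo;
  ProcInfo: TProcessInformation;
begin
  LastError := 0;
  // "/c" runs the batch file and exits. A single quoted path survives cmd's
  // quote handling; keep &, |, <, >, ( and ) out of the path.
  CmdLine := '"' + CmdExePath + '" /c "' + BatchPath + '"';
  UniqueString(CmdLine);  // CreateProcessW may write into the buffer
  WorkDir := ExtractFileDir(BatchPath);

  FillChar(StartupInfo, SizeOf(StartupInfo), 0);
  StartupInfo.cb := SizeOf(StartupInfo);
  StartupInfo.dwFlags := STARTF_USESHOWWINDOW;
  StartupInfo.wShowWindow := SW_HIDE;

  // No handle inheritance and no wait: the batch file is meant to outlive
  // the process that started it (it stops the service and deletes the EXEs).
  Result := CreateProcess(nil, PChar(CmdLine), nil, nil, False,
    CREATE_NO_WINDOW, nil, PChar(WorkDir), StartupInfo, ProcInfo);
  if Result then
  begin
    CloseHandle(ProcInfo.hThread);
    CloseHandle(ProcInfo.hProcess);
  end
  else
    LastError := GetLastError;
end;

end.
```

Call it from the form, for example `RunBatchDetached('C:\Program Files\MyApp\cleanup.bat', Err)`, and check GetLastError when it returns False. Because the VCL app runs as NT AUTHORITY\SYSTEM, so do cmd.exe and everything the batch file does: the .bat and the directory holding it must be writable only by administrators, otherwise any local user who can edit that file gets code execution as SYSTEM.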
by pointer
Sun Jan 27, 2019 6:33 pm
Forum: Kernel-Mode Development
Topic: How are several antivirus software developers able to write to SSDT/SSSDT tables on Windows x64?
Replies: 4
Views: 1485

Re: How are several antivirus software developers able to write to SSDT/SSSDT tables on Windows x64?

PatchGuard in Win7 doesn't check some areas. As far as I remember, inline hooking of the win32k table was used by Sandboxie before. Microsoft closed this in Win8. http://www.kernelmode.info/forum/viewtopic.php?f=14&t=2416 As for your links: 1) https://stackoverflow.com/questions/20552300/hook-zwterminat...
by pointer
Sat Jan 26, 2019 5:39 am
Forum: Kernel-Mode Development
Topic: How are several antivirus software developers able to write to SSDT/SSSDT tables on Windows x64?
Replies: 4
Views: 1485

Re: How are several antivirus software developers able to write to SSDT/SSSDT tables on Windows x64?

Today I saw that Kaspersky Antivirus still hooks the SSSDT (Shadow Table) on Windows x64.

Tested: Kaspersky Total Security 2018
Environment: Windows 7 Ultimate x64

How is this possible? Is it a special bypass? Or did Microsoft simply create an exception so that they can do this?
by pointer
Fri Jan 25, 2019 4:23 pm
Forum: Kernel-Mode Development
Topic: How are several antivirus software developers able to write to SSDT/SSSDT tables on Windows x64?
Replies: 4
Views: 1485

How are several antivirus software developers able to write to SSDT/SSSDT tables on Windows x64?

I have already seen several questions/answers in some forums that say it is not possible to write to any SSDT table on Windows x64; here are some: * Hook ZwTerminateProcess in x64 Driver (Without SSDT) * Is there a kernel-mode callback for LdrLoadDll? * Kernel Patch Protection ------------------------...
by pointer
Wed Nov 28, 2018 12:29 pm
Forum: User-Mode Development
Topic: Does a TLS callback (Ring 3) execute before a callback configured in PsSetCreateProcessNotifyRoutineEx (Ring 0)?
Replies: 0
Views: 1308

Does a TLS callback (Ring 3) execute before a callback configured in PsSetCreateProcessNotifyRoutineEx (Ring 0)?

There are rootkits that call a DLL-injection routine inside a callback configured in PsSetCreateProcessNotifyRoutineEx when they detect process creation. So if I (in ring 3) use a TLS callback in which an inline hook on the LdrLoadDll function is installed, for example, will this be able to prevent the dl...