A forum for reverse engineering, OS internals and malware analysis 

Search found 6 matches

 Go to advanced search

Check if process is UWP application.

 by Iradicator ¦  Thu May 02, 2019 7:29 am ¦  Forum: User-Mode Development ¦  Topic: Check if process is UWP application. ¦  Replies: 1 ¦  Views: 171


I'd like to have a script or command line way to check if a process is UWP app.
basically I'm looking for the synonym for C++ API of `GetCurrentPackageId` from windows SDK.

Thanks !

Prevent recursive hooking when using detours

 by Iradicator ¦  Tue Apr 30, 2019 12:57 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Prevent recursive hooking when using detours ¦  Replies: 0 ¦  Views: 150

Hi, I want to build some sort of API monitor by hooking every ntdll function. So each hooked function will call the original implementation, and than add this call to the std based data structure. However, I encountered a scenario of recursive hooking where my hooked function is indirectly calling i...

Restart windows without update.

 by Iradicator ¦  Tue Mar 26, 2019 3:27 pm ¦  Forum: Newbie Questions ¦  Topic: Restart windows without update. ¦  Replies: 1 ¦  Views: 190

Hi, I'd like to run a specific version of windows 10 on my virtual machine. However, the scheduled updater forcefully install a new version every time I restart my machine. is these an option to avoid this procedure ? perhaps via Computer Configuration > Administrative Templates > Windows Components...

Detecting protected processes

 by Iradicator ¦  Wed Mar 20, 2019 2:44 pm ¦  Forum: Newbie Questions ¦  Topic: Detecting protected processes ¦  Replies: 1 ¦  Views: 257

Hi, I've got a driver that tamper user-space processes by sending APC calls upon process start using the call PsSetCreateProcessNotifyRoutine . I wish to avoid tampering with any process that is critical for the OS stability, since my APC also eventually decides to kill the process. So far I've used...

Yes, that was the reason I couldn't load my library. Thanks.

Hi, I'm using driver that inject code to user-space processes using APC. my injection function first call ntdll!ldrLoadDll to load my dll to the target process. the target process is OfficeHubTaskHost.exe, and it seems un-protected, so altering the process memory is allowed. //getting process _EPROC...