A forum for reverse engineering, OS internals and malware analysis 

 #32282  by pointer
 Wed Nov 28, 2018 12:29 pm
Exists rootkit's that call a routine of dll injection inside of callback configured in PsSetCreateProcessNotifyRoutineEx when they detect process creation, then if I (in ring 3) use a Tls callback where is executed a inline hook in LdrLoadDll function for example, this will be able to prevent the dll injection of rootkit (since that he used LdrLoadDll function to inject)?

For example, see in this article PsCreateProcessNotifyEx_CB routine. Several rootkit's executes a dll injection code inside this callback.

Here is a code that a rootkit could use to inject dll in kernel mode and call the routine inside PsCreateProcessNotifyEx_CB. This linked code uses LdrLoadDll.

Thank you in advance.