ConfigureDefender utility for Windows 10/11
<blockquote data-quote="Deleted member 65228" data-source="post: 730069"><p>Theoretically, yes.</p><p></p><p></p><p>To cut it really short, Excubits MemProtect doesn't actually intercept the Remote Code Execution (RCE) operation. It prevents process/thread handles being dished out with specific access rights for those processes which are protected via ObRegisterCallbacks, one of the self-defense techniques which is common for an AV product to use. This in turn has an effect that makes you *think* it can intercept RCE operations since it cuts off the legs so the attackers using traditional RCE techniques never make it to the RCE operation deployment. It will not behave like an anti-exploit product regarding memory access/modification interception, like EMET/HitmanPro.Alert/Malwarebytes Anti-Exploit.</p><p></p><p><span style="font-size: 9px"><span style="color: rgb(255, 255, 255)">However, ObRegisterCallbacks is far from perfect on its own and thus this explains why it is usually only *one* of the self-defense techniques used in security solution packages from resourceful vendors. Don't forget about Extra Window Memory (EWM) injection with GUI programs as well.</span></span></p><p></p><p>I would presume that the injection prevention feature you're referring to in the quoted post will actually prevent the RCE operation; there are ways you could try to test/check it through checking if you can still open a handle to a process with specific access rights or through reverse engineering.</p></blockquote><p></p>
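The handle check suggested at the end of the post, as an added example that is not part of the original post or of any product mentioned in it: it requests a set of process access rights and reads back the access mask actually granted on the returned handle. The access-right values and the `OBJECT_BASIC_INFORMATION` layout are the documented Windows ones; the script structure, the `$TargetPid` parameter and the choice of rights are assumptions.

```powershell
# Added example: which requested access rights survive on a process handle?
param([Parameter(Mandatory)][uint32]$TargetPid)  # PID of the process under test (assumed input)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("ntdll.dll")]
public static extern int NtQueryObject(IntPtr handle, int infoClass, IntPtr buffer, uint length, out uint returned);
'@

# Rights that cross-process memory and thread operations depend on (Windows SDK values).
$rights = [ordered]@{
    PROCESS_TERMINATE     = 0x0001
    PROCESS_CREATE_THREAD = 0x0002
    PROCESS_VM_OPERATION  = 0x0008
    PROCESS_VM_READ       = 0x0010
    PROCESS_VM_WRITE      = 0x0020
    PROCESS_DUP_HANDLE    = 0x0040
}
$desired = 0
foreach ($value in $rights.Values) { $desired = $desired -bor $value }

$handle = [Win32.Native]::OpenProcess([uint32]$desired, $false, $TargetPid)
if ($handle -eq [IntPtr]::Zero) {
    # The open was refused as a whole (for example by the process DACL), not filtered.
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    "OpenProcess failed, Win32 error $err (5 = access denied)"
    return
}

# OBJECT_BASIC_INFORMATION is 56 bytes; GrantedAccess is the ULONG at offset 4.
$buffer = [Runtime.InteropServices.Marshal]::AllocHGlobal(56)
try {
    $returned = [uint32]0
    $status = [Win32.Native]::NtQueryObject($handle, 0, $buffer, 56, [ref]$returned)
    if ($status -ne 0) { throw ('NtQueryObject failed, NTSTATUS 0x{0:X8}' -f $status) }
    $granted = [Runtime.InteropServices.Marshal]::ReadInt32($buffer, 4)
    foreach ($name in $rights.Keys) {
        $state = if ($granted -band $rights[$name]) { 'granted' } else { 'STRIPPED' }
        '{0,-22} {1}' -f $name, $state
    }
} finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($buffer)
    [void][Win32.Native]::CloseHandle($handle)
}
```

Run it first against an ordinary process you own to get an all-granted baseline, then against the protected process from the same account; rights reported as STRIPPED on a handle that still opened are the ones a handle-filtering callback removed.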