Must have features in your Antivirus
Quote from tim one (post 729981, member 25920):

Let's say that I am quite surprised that in 2018 there are still AVs that don't detect DLL injection on 64-bit Windows using well-documented APIs.

We know that MS in recent years, starting from Windows Vista, has developed a system protection at kernel level which assigns running processes an integrity level (WIC).
The primary goal of WIC is to ensure that only objects with an integrity level equal to or greater than that of the target object can interact with it.
Even when a process has administrative privileges, if it has a lower WIC level than the target process, it can't interact, because the NTFS file permissions are ignored and the WIC ones are considered instead.

But much malware uses the injection technique by means of an injector which has an execution level equal to or greater than that of the target process.
They simply use some APIs to execute code in the context of another process. This code will modify, inside the same process into which it is injected, the structure of some portions of memory by installing, for example, a monitor that intercepts calls to some APIs (hooking).
Thus it is possible to intercept a series of activities (for example network activity, disk activity, activity with peripheral devices, data used, etc.). This depends on what the malware wants to monitor.
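The post above makes the point that an injector running at an integrity level equal to or higher than its target passes the WIC check, so the kernel grants the handle and the injection itself has to be caught by behaviour. The following added Python example (written for this page, not code from the post, the forum or Microsoft) models that rule over a few constructed cross-process thread-creation log lines of the kind an endpoint sensor records. Everything in it is an assumption for illustration: the key="value" log format, the field names (SourcePid, SourceIL, TargetPid, ...), the numeric ranks for the integrity levels, and the sample paths. It classifies each event as blocked by WIC, ordinary same-process activity, or permitted by WIC and therefore needing inspection, which is exactly the set an AV cannot leave to the kernel.

```python
"""Triage constructed remote-thread events against Windows integrity levels.

Added example for the quoted post: shows that WIC only filters lower-to-higher
accesses, so equal-or-higher injectors must be caught by behavioural detection.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Integrity levels ordered from lowest to highest. The numeric ranks are an
# assumption used only for comparison; Windows encodes them as mandatory-label SIDs.
IL_RANK: Dict[str, int] = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3, "System": 4}


@dataclass
class RemoteThreadEvent:
    """One cross-process thread-creation record (constructed field set)."""
    source_pid: int
    source_image: str
    source_il: str
    target_pid: int
    target_image: str
    target_il: str


# Matches key="value" pairs in the constructed log format.
_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one constructed key="value" log line into an event."""
    fields = dict(_FIELD.findall(line))
    return RemoteThreadEvent(
        source_pid=int(fields["SourcePid"]),
        source_image=fields["SourceImage"],
        source_il=fields["SourceIL"],
        target_pid=int(fields["TargetPid"]),
        target_image=fields["TargetImage"],
        target_il=fields["TargetIL"],
    )


def wic_allows(source_il: str, target_il: str) -> bool:
    """The rule the post describes: a subject may act on a target only when its
    integrity level is equal to or greater than the target's."""
    return IL_RANK[source_il] >= IL_RANK[target_il]


def classify(ev: RemoteThreadEvent) -> str:
    """Decide what WIC alone tells us about this event."""
    if ev.source_pid == ev.target_pid:
        return "same-process"        # ordinary thread creation, not injection
    if not wic_allows(ev.source_il, ev.target_il):
        return "blocked-by-wic"      # kernel refuses the handle; nothing gets injected
    return "needs-inspection"        # WIC permits it; only behavioural detection can catch it


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every log line and return a compact verdict per event."""
    results = []
    for line in lines:
        ev = parse_event(line)
        results.append({"source": ev.source_image,
                        "target": ev.target_image,
                        "verdict": classify(ev)})
    return results


# Constructed sample log: paths, PIDs and levels are made up for the example.
SAMPLE_LOG = [
    r'SourcePid="4120" SourceImage="C:\Users\alice\Downloads\setup_helper.exe" SourceIL="Medium" '
    r'TargetPid="2280" TargetImage="C:\Program Files\Browser\browser.exe" TargetIL="Medium"',
    r'SourcePid="5016" SourceImage="C:\Users\alice\AppData\Local\Temp\viewer.exe" SourceIL="Low" '
    r'TargetPid="2280" TargetImage="C:\Program Files\Browser\browser.exe" TargetIL="Medium"',
    r'SourcePid="2280" SourceImage="C:\Program Files\Browser\browser.exe" SourceIL="Medium" '
    r'TargetPid="2280" TargetImage="C:\Program Files\Browser\browser.exe" TargetIL="Medium"',
    r'SourcePid="7788" SourceImage="C:\Users\alice\Downloads\setup_helper.exe" SourceIL="High" '
    r'TargetPid="1332" TargetImage="C:\Windows\System32\notepad.exe" TargetIL="Medium"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f'{row["verdict"]:17} {row["source"]} -> {row["target"]}')
```

Run it and only the Low-to-Medium event comes back as blocked-by-wic; the Medium-to-Medium and High-to-Medium events from the Downloads folder are passed through by the integrity check and are the ones a product must examine on its own, which is the gap the post is complaining about.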