Protecting processes from injection via SetWindowsHookEx()?
Deleted member 65228 said (post 730384):

It's not impossible to prevent, but there isn't much information online regarding how to stop it.

The first thing you will want to try is disabling extension point support via process mitigation policies; there's a documented API to do this in the Win32 API, however you can do it manually with NtSetInformationProcess as long as you're executing under the context of the protected process. An alternative to this would be more hacky, unstable and unreliable; however, it'd revolve around kernel-mode structure patching for the target process (e.g. look at mitigation policies under the _KPROCESS structure).

If this does not work, or ends up being half-baked, try creating a new Desktop session on the environment dynamically and then spawn your protected process under the new Desktop environment. However, this Desktop session feature is exclusive to Windows 10 and thus there'd be no backwards compatibility for previous versions of Windows; I'd only focus on Windows 7 - Windows 10 support primarily, and more on Windows 8 - Windows 10, since Windows 7 support will be dropped by Microsoft within the next 1-2 years.

Alternatively, you can try spawning the process under a new user account. You could try NT AUTHORITY\ANONYMOUS LOGON, which is also an addition Sandboxie uses when it spawns a new process in the "sandbox" container.

Apart from this, the only other things you can try would be unrecommended, unreliable and hacky... and are still not guaranteed to work how you'd like them to work.

[All of this is speculation and is not guaranteed to be 100% correct; take everything with a grain of salt.]