Protecting processes from injection via SetWindowsHookEx() ?
<blockquote data-quote="Mecanik" data-source="post: 730806" data-attributes="member: 71056"><p>I took into consideration what you advised, and did some tests all day long - unfortunately the result is the same.</p><p></p><p>It just opens my process without a sweat. I examined my OS to the bone basically, I could not see any driver loaded or any Ring0/Ring3 hooks other than that.</p><p></p><p>This .exe is packed with Themida/WinLicense and any tool I tried to use like API Monitors were detected.</p><p></p><p>So I decided to try and decompile it, see where it goes. It worked after 2 hours of trying, since it's packed with Themida...</p><p></p><p>I noticed in the resources:</p><p></p><pre><code>[VersionInfo] Company Name : UG North
[VersionInfo] Product Name : DSEFix
[VersionInfo] Product Version : 1.2.0.1704
[VersionInfo] File Description : Windows DSE overrider
[VersionInfo] File Version : 1.2.0.1704
[VersionInfo] Original FileName : dsefix.exe
[VersionInfo] Internal Name : dsefix.exe
[VersionInfo] Legal Copyrights : Copyright (C) 2014 - 2017 EP_X0FF. MP_ART and N.Rin. based on WinNT/Turla exploit</code></pre><p></p><p>Which kinda makes sense why it's so "stealthy", and plus the .exe gives BSOD if I enable test signing.</p><p></p><p>Anyway, I got the malicious .exe decompiled now ( sort of ) and I need to figure out how to fix its OEP so I can run it.</p><p></p><p>I believe if I can get it to run now that it's decompiled, I can actually run an API Monitor ( like Sysinternals ) and see what exactly this .exe is doing to just open and write to my dear protected process.</p><p></p><p>Regarding signatures - I left those methods behind a long time ago, because all it takes the attacker is to recompile the .exe and re-pack it...</p></blockquote><p></p>
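The post above identifies the tool from its VersionInfo resource and mentions looking for loaded drivers; the practical follow-up on a machine where a DSE overrider may have run is to list the running kernel drivers together with their Authenticode status and embedded VersionInfo, and to confirm whether test signing is on. The script below is an added example written for this thread, not code from the post or from any tool it names; it uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature, Get-Item, bcdedit) and the function names are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example: inventory running kernel drivers, check their signatures and
# VersionInfo fields, and report the test-signing boot setting.

function Get-RunningDriverReport {
    # Win32_SystemDriver lists kernel and file-system drivers with their image path.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be written as \??\C:\... or \SystemRoot\...; normalise it to a file path.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $info = (Get-Item -LiteralPath $path).VersionInfo

        [PSCustomObject]@{
            Service     = $d.Name
            Path        = $path
            SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            CompanyName = $info.CompanyName    # the same fields the post read out of the resources
            ProductName = $info.ProductName
            Description = $info.FileDescription
        }
    }
}

function Test-TestSigningEnabled {
    # bcdedit prints a "testsigning  Yes" line when the policy is set on the current boot entry.
    $out = bcdedit /enum '{current}' 2>$null
    return [bool]($out -match '^\s*testsigning\s+Yes')
}

$report = Get-RunningDriverReport

# Any running driver whose signature is not Valid is worth examining on a box
# where a DSE-bypassing loader is suspected: with DSE off, such drivers load silently.
$report | Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Service, SigStatus, Signer, CompanyName, ProductName -AutoSize

"Test signing enabled: $(Test-TestSigningEnabled)"
```

The signature check is a point-in-time view of the file on disk, so a driver that was loaded and then deleted, or one mapped without a service entry, will not appear here; Secure Boot status (Confirm-SecureBootUEFI) and the Code Integrity event log (Microsoft-Windows-CodeIntegrity/Operational) are the next places to look when the list comes back clean.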