Protecting processes from injection via SetWindowsHookEx() ?
Quoting Mecanik (post 731162):

Thank you for the many solutions/ideas and the in-depth explanation. However, because I am looking to prevent this from happening in the future as well, and because this malware can be in any form (renamed, repacked, etc.), it is quite hard to identify it by PID or anything else.

Hard coding fixed names for the malware is not an option, nor are signatures.

The only true solution I see here is injecting all the running processes, and doing your "thing" there. This will prevent the current version, future versions, and any other similar programs.

Because this program is "self-protecting", the only way I could inject it to perform a test of this idea was manual mapping. And I believe that would be an excellent solution to make "sure" you always injected the running processes so you can get a result.

The test turned out better than I expected; it is super easy to detect the functions called by the malware. Once you are inside it, you can see and do anything.

I would like to go on this "path" as a result. Considering my above question about whether this is legal, well, who doesn't do it really... almost all AV companies do it, even some VPN clients like CyberGhost, so why can't I :unsure:

There is some form of terms and conditions that can be created/included to avoid legal problems for sure.

In order for me to obtain a stable and final result I need some help, I'm afraid. Even though I know quite some stuff, there are more experienced people here, I believe, like you @Opcode.

I need some reliable examples of manual mapping injection, x32 and x64 (XP => 10). I know it's not easy to provide an answer considering XP... but my software is running on XP as well.

I believe if I can get this part done, I have a strong solution against this problem, and other people can learn/benefit from how to protect their applications like so.