Processes from RAM drive are not displayed in Running Processes
I have a few processes running from the Z: drive, which is made from a RAM drive. None of them are displayed in the Running Processes section in API Monitor. I can't start monitoring them while they are running.
C++ stub scantime FUD but not runtime
Hi, I have written a C++ crypter stub. It is FUD: if I crypt putty it will run fine, but if I FUD dark comet, runtime will detect it (AVG 2015 in this case). I'm not asking to be spoon fed or given source...
Cyber world and where you come from...
This topic is not meant to be racist but to help understand why some countries are better than others when it comes to computers. Of late I have noticed that Russians, Chinese, Indians rule the cyber...
How to find - which part of executable is flagged by virus
My C program is flagged by antivirus. I have hosted it on the web and Chrome takes it as a virus. Is there any way to find out which particular API or part of the code is targeted by the antivirus? I want to...
Monitoring non-exported functions
Hi all. First, thanks for making API Monitor. It helped me so much with so many different problems! My latest research was focused on monitoring API calls for non-exported functions. I was...
Firefox linux PR_Write dll injection
Injecting a DLL in Linux is quite easy, unlike Windows ... anyway, this is a simple DLL injection to get Firefox POST data. The code below is a DLL (lib .so) for Firefox using the legendary LD_PRELOAD env...
Hook Injection (RemoteEHook)
Hi everybody, I've been developing something cool for x32 hooking: a function that will create a hook in a target app with a trampoline (it is based on the Extended Code Overwriting). The new function...
Switching into session 0
Starting from Windows Vista, service processes run in session 0, while applications run in other sessions, so applications can't interact with service processes. Normally, you can't interact with the...
He is back
I'm so glad that he decided to make a comeback and take a shot at the title! It is not easy to make such a decision when you thought your career was over... God bless you Lucian Bute! I'm sure that...
Pointer to functions
Okay, I am confusing myself ... I think ... I am guessing that datacode is being converted to a pointer to a function which takes no params, then assigned to another pointer to a function ret ... then ret...
Google Chrome SSL_Write Hook (OpenSSL)
I've been trying to do this for the past 3 days and I can't figure out how to get the address of the SSL_Write function at all. I've googled and read almost every page I could find on the subject but...
How to monitor process execution in windows?
I am trying to create an application which will terminate any process that is not in its white-list, something like antivirus programs do. I need to terminate the process before it is run, just like for...
Windows process termination
When a process terminates itself by calling ExitProcess, it first calls NtTerminateProcess with a NULL handle. This will terminate all threads of the current process except the calling thread. The...
Some useful Native API functions
Here is a list of some useful Native API functions. RtlAdjustPrivilege NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege,BOOLEAN Enable,BOOLEAN CurrentThread,PBOOLEAN OldValue); This function enable...
[Que]Process/Service protection
Hello ppl, what are working alternatives for RtlSetProcessIsCritical on Win7/Win8? I have tried token ACL and some public methods, but even TaskMngr (elevated) can kill the process. My process is...
ObRegisterCallbacks alternatives for XP
Hi guys, I've (successfully) developed a driver to protect a configurable list of processes from being terminated and/or code-injected using the ObRegisterCallbacks API. I'm wondering if there's a way of...
NtTerminateThread hook crash?
typedef NTSTATUS(NTAPI *NtTerminateThreadNext) (HANDLE,UINT); NtTerminateThreadNext Realfnc = (NtTerminateThreadNext)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtTerminateThread");...
HOOK SendMessage for background processes
Hello, I'm trying to capture the message from a process, the same way antiviruses do. I successfully tested SetWindowsHookEx WH_CALLWNDPROC to hook any WM_SETTEXT in the system; it works perfectly, but...
Deleting files with NtDeleteFile
The NtDeleteFile Native API function deletes a file. Unlike the Win32 DeleteFile function, which calls NtSetInformationFile with the FileDispositionInformation information class to delete the file,...
What do you think about Native API?
I think Native API functions are very powerful, because they can perform operations that can't be done by Win32 functions. For example, the RtlAdjustPrivilege function allows you to enable or disable...