There is this tool that fetches the list of all the running processes and then flags all those processes that are dangerous. Now, getting the list of all the running processes is trivial and has been discussed on the forums infinite times. What I ask is how the tool decides whether a process is dangerous or not. My first thought was that this tool monitors all the API calls of all the processes and then, based on that info, determines the dangerous processes, but this can't be true since system processes use almost the same APIs that are used by dangerous processes (like accessing the registry and files on disk, etc.). Any ideas?
Maybe it has an internal list of dangerous processes? Or it just flags all processes that use hooks?
Just FYI... I'm blindly guessing here :lol:
I'd suggest that it probably just looks for dubious API functions like CreateRemoteThread....
Yeah, I was gonna say, looking for API calls that could potentially be dangerous, and maybe even looking for certain combinations of them (if you see XX and YY together, flag as more dangerous), or maybe even looking to see if it's calling the native functions itself (which is probably only used by either people trying to learn about the native API, or people who have something to hide).
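Here is what the heuristic described in the last two posts could look like as defender-side scoring logic. This is an added example, not the tool's own code; the API weights, the threshold, the Nt*/Zw* direct-native check and the sample process list are all assumptions, and a real scanner would read each process's PE import table instead of a hand-written list.

```python
# Added example of the "dangerous imports" heuristic discussed above; not the
# tool's own logic. Weights, threshold and the sample processes are assumptions.
# Individual imports worth a small score on their own.
SUSPICIOUS_APIS = {
    "OpenProcess": 1, "VirtualAllocEx": 1, "WriteProcessMemory": 2,
    "CreateRemoteThread": 2, "SetWindowsHookExW": 2,
}
# "If you see XX and YY together": combinations score extra on top.
COMBINATIONS = [
    ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
      "CreateRemoteThread"}, 5, "remote-thread injection pattern"),
    ({"SetWindowsHookExW", "LoadLibraryW"}, 3, "global hook DLL pattern"),
]
NATIVE_WEIGHT = 2  # direct Nt*/Zw* imports: unusual outside system code

def score_process(imports: list[str]) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process's imported API names."""
    present = set(imports)
    score, reasons = 0, []
    for api, weight in SUSPICIOUS_APIS.items():
        if api in present:
            score += weight
            reasons.append(api)
    for needed, weight, label in COMBINATIONS:
        if needed <= present:  # every API of the pattern is imported
            score += weight
            reasons.append(label)
    native = sorted(a for a in present if a.startswith(("Nt", "Zw")))
    if native:
        score += NATIVE_WEIGHT * len(native)
        reasons.append("direct native API: " + ", ".join(native))
    return score, reasons

def flag_dangerous(processes: dict[str, list[str]],
                   threshold: int = 5) -> dict[str, tuple[int, list[str]]]:
    """Keep only processes whose score reaches the threshold."""
    return {name: (s, r) for name, imports in processes.items()
            for s, r in [score_process(imports)] if s >= threshold}

# Constructed sample: process name -> imported API names (not real data).
SAMPLE = {
    "explorer.exe": ["OpenProcess", "ReadFile", "RegOpenKeyExW"],
    "injector.exe": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "hooker.exe": ["SetWindowsHookExW", "LoadLibraryW", "GetMessageW"],
    "native.exe": ["NtOpenProcess", "ZwWriteVirtualMemory", "NtCreateThreadEx"],
}

if __name__ == "__main__":
    for name, (score, reasons) in flag_dangerous(SAMPLE).items():
        print(f"{name}: score {score} ({'; '.join(reasons)})")
```

Note how explorer.exe stays unflagged even though it imports OpenProcess: a single common API is cheap, and only the combination or the direct native imports push a process over the threshold.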
Can you tell us what this tool is?
I want to rule out the possibility of something trivial like using a database of filenames of known spyware tools or the like :)
Can you tell us what this tool is?
I want to rule out the possibility of something trivial like using a database of filenames of known spyware tools or the like
System Mechanic.
You can hook NtOpenProcess to protect your process: if some thread tries to open a process and the process handle is yours, return false.
that'll only work if your hook is global...
.. and it won't protect the Zw ancestor.