I was wondering if anybody has any example code in the userland of course on how to prevent a process or thread from reading the memory of another thread or process.
Any ideas?
Any ideas?
A forum for reverse engineering, OS internals and malware analysis
With only UM and on the same execution level, presumably - nohow. Of course you can try hooks, this will require however mapping your code into potential intruder address space and this easily can be bypassed.
Ring0 - the source of inspiration
like he said, if you in user-mode you don't have many options.. besides maybe a global hook. maybe even remote handle closing on process_all_access or process_vm :D
everdox wrote:like he said, if you in user-mode you don't have many options.. besides maybe a global hook. maybe even remote handle closing on process_all_access or process_vm :DSince vista EPROCESS has flag ProtectedProcess for DRM related processes like audiodg.exe
This flag can be setted in UM
Check Wincheck
redp wrote:I do not think the article says that the ProtectedProcess flag can be changed from usermode. It only says that you can create protected processes when you own a special crtificate. And Microsoft writes about the certificate the following:everdox wrote:like he said, if you in user-mode you don't have many options.. besides maybe a global hook. maybe even remote handle closing on process_all_access or process_vm :DSince vista EPROCESS has flag ProtectedProcess for DRM related processes like audiodg.exe
This flag can be setted in UM
To activate a protected process, the binary must have a special signature. This signature is provided by Microsoft but not currently available for non-Microsoft binaries. There are currently four protected processes: media foundation, audio engine, Windows error reporting, and system. Components that load into these binaries must also be signed. Multimedia companies can leverage the first two protected processes. For more information, see Overview of the Protected Media Path.hence it seems taht normal guys are unable to create processes of that kind. However, I might be wrong. If so, please correct me.
Modification of ProtectedProcess flag in EPROCESS structure works perfectly. However, keep in mind that protected processes are not allowed to create chikd processes.
Vrtule wrote: hence it seems taht normal guys are unable to create processes of that kind.In original post man asked for any example code in the userland
My answer fall on this category :lol:
Check Wincheck
