Buster_BSA wrote:
Sometimes Buster Sandbox Analyzer stops analyzing because, as I commented, the RegHive file gets locked. The SYSTEM (PID 4) process has the lock and I have been unable to find any tool which unlocks the file.

As far as I remember there is BSA.sys in your bundle. Maybe you can just extend its functionality? There is no other way to do this trick without a driver. This also means it won't work on x64 without signing, of course. Also, closing a kernel handle may lead to uncertain consequences, because we do not know the reason why this handle is not closed by its owner (the Sandboxie driver?).
Could someone write a command line tool which accepts a PID and a handle as arguments and tries to close the handle as myid's code does, please?
I want to check if that code can unlock RegHive so Buster Sandbox Analyzer can continue analysis.
Thanks in advance!
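A user-mode version of the tool requested above, added here as an example and not code from this thread or from the BSA or Sandboxie projects. It takes a PID and a handle value and closes that handle in the target process with DuplicateHandle(DUPLICATE_CLOSE_SOURCE), the same call handle.exe and Process Explorer use for user-mode processes. The script name, the RemoteHandle class and the Get-Win32Message helper are this example's own names.

```powershell
<#
  Close-RemoteHandle.ps1 (added example, not from this thread)
  Closes one handle inside another process from user mode using
  DuplicateHandle with DUPLICATE_CLOSE_SOURCE. Class and function names
  are the example's own choice, not a BSA or Sandboxie API.
  Usage (elevated prompt): .\Close-RemoteHandle.ps1 -ProcessId 1234 -Handle 0x1A4
#>
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,
    # Handle value as listed by Process Explorer / handle.exe, in hex.
    [Parameter(Mandatory = $true)][string]$Handle
)

# Minimal P/Invoke surface; the constants are the documented Win32 values.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class RemoteHandle {
    public const uint PROCESS_DUP_HANDLE     = 0x0040;
    public const uint DUPLICATE_CLOSE_SOURCE = 0x0001;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DuplicateHandle(IntPtr sourceProcess, IntPtr sourceHandle,
        IntPtr targetProcess, out IntPtr targetHandle, uint desiredAccess,
        bool inheritHandle, uint options);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
'@

function Get-Win32Message {
    # Translate the last Win32 error into text so failures are readable.
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $ex = New-Object ComponentModel.Win32Exception($code)
    return "error $code ($($ex.Message))"
}

# Accept "0x1A4" or "1A4"; Convert.ToInt64 with base 16 tolerates the 0x prefix.
$handleValue = [IntPtr][Convert]::ToInt64($Handle, 16)

# PROCESS_DUP_HANDLE is all we need on the target; for other users' processes
# this requires administrator rights (SeDebugPrivilege is enabled for admins).
$hProcess = [RemoteHandle]::OpenProcess([RemoteHandle]::PROCESS_DUP_HANDLE, $false, $ProcessId)
if ($hProcess -eq [IntPtr]::Zero) {
    throw "OpenProcess($ProcessId) failed: $(Get-Win32Message)"
}

try {
    $duplicate = [IntPtr]::Zero
    # DUPLICATE_CLOSE_SOURCE closes the handle in the target process as part of
    # the duplication; we then close our own copy so the object is released.
    $ok = [RemoteHandle]::DuplicateHandle($hProcess, $handleValue,
        [RemoteHandle]::GetCurrentProcess(), [ref]$duplicate, 0, $false,
        [RemoteHandle]::DUPLICATE_CLOSE_SOURCE)
    if (-not $ok) {
        throw "DuplicateHandle(PID $ProcessId, handle $Handle) failed: $(Get-Win32Message)"
    }
    [void][RemoteHandle]::CloseHandle($duplicate)
    Write-Output "Closed handle $Handle in PID $ProcessId."
}
finally {
    [void][RemoteHandle]::CloseHandle($hProcess)
}
```

Two caveats match what the thread says. First, this only works when the lock is held by a user-mode process: handles the kernel itself owns sit in the System process (PID 4) handle table as kernel handles, which NtDuplicateObject refuses to touch from user mode, so for that case a driver really is the only way. Second, the owner does not get told its handle went away; if it is still using the file, the next I/O on that handle fails or the owner crashes, which is the "uncertain consequences" warning above.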
R00tKit wrote:
@EP_X0FF

It is based on 2 minutes of looking in IDA. I never needed hacks like forcibly closing a kernel handle in a driver on request from user mode. Every new version of Windows always brings a lot of innovations and brainfcuks for cheaters.
This info is not documented, so your info about this "new check" is based on your coding experience for Win7? (like wj32 when he developed PH for Win7)
Ring0 - the source of inspiration