A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #3064  by EP_X0FF
 Fri Oct 15, 2010 4:43 am
Hello,

I've noticed in several AV products a really interesting way to hook service table entries. Instead of directly replacing the handler with their own, these products allocate in NonPaged pool a little callgate which contains a jump to the real handler.

As of now I know two products - Avira and ESET (however I don't remember the exact version; it seems that in 4.2.64.12 there is no such behavior). Please add more if you know.
 #3069  by EP_X0FF
 Fri Oct 15, 2010 7:20 am
I do believe it was 4.x (I remember the GUI), however I just installed the latest version and this perversion is gone :?
 #3077  by nullptr
 Fri Oct 15, 2010 12:20 pm
EP_X0FF wrote:I do believe it was 4.x (I remember the GUI), however I just installed the latest version and this perversion is gone :?
Yeah, I had a brief look at v4.0.474 and that seems to have allocated a large chunk of non-paged pool memory for its self-defense hooks. It looks like the handling all takes place in the stub and never jumps to any ESET module... but then again, maybe I need glasses. :geek:
 #3078  by EP_X0FF
 Fri Oct 15, 2010 12:21 pm
Yes, that's exactly the version I'm talking about. Where can I get it? :)
 #3081  by EP_X0FF
 Fri Oct 15, 2010 12:50 pm
Downloaded, thank you :)

upd:
sub esp, 0000004Ch        ; reserve 0x4C bytes of local stack space
push esi                  ; save esi (esp is now 0x50 below its value at entry)
mov esi, [esp+58h]        ; load the dword at entry esp+8, i.e. the second stack argument after the return address
cmp esi, 1DEADBEEh        ; compare it against the magic value
jnz 81BE9CCCh             ; not the magic value: continue at 81BE9CCCh
mov eax, 1BEEDEADh        ; magic value seen: return the magic reply in eax
pop esi                   ; restore esi
add esp, 0000004Ch        ; release the local stack space
retn 0010h                ; return and pop 0x10 bytes of arguments (four dwords, stdcall)
This helps me solve one primitive bug with some software I'm currently developing.
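One way to spot the hooking style discussed in this thread from a defender's side, as an added example that is not code from the thread or from any AV product: a stub allocated in NonPaged pool lies inside no loaded module at all, so a service table entry that resolves to no module's image range is worth a closer look, separately from an entry that a driver replaced directly. All module names, bases, sizes and SSDT values below are constructed sample data, not real Windows addresses.

```python
# Added example for this thread; SSDT and module data here are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def owner_of(addr: int, modules: List[KernelModule]) -> Optional[KernelModule]:
    """Return the loaded module whose image range covers addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m
    return None

def classify_ssdt(entries: List[int], modules: List[KernelModule],
                  kernel: str = "ntoskrnl.exe") -> Dict[int, Tuple[str, str]]:
    """Map SSDT index -> (verdict, owner name). Verdicts:
      clean  - handler inside the kernel image
      hooked - handler inside another loaded driver (direct replacement)
      stub   - handler inside no module at all, e.g. a pool-allocated callgate
    """
    result: Dict[int, Tuple[str, str]] = {}
    for idx, addr in enumerate(entries):
        m = owner_of(addr, modules)
        if m is None:
            result[idx] = ("stub", "")
        elif m.name.lower() == kernel.lower():
            result[idx] = ("clean", m.name)
        else:
            result[idx] = ("hooked", m.name)
    return result

# Constructed sample data, not real Windows addresses.
SAMPLE_MODULES = [
    KernelModule("ntoskrnl.exe", 0x80400000, 0x00200000),
    KernelModule("example.sys", 0xF8A00000, 0x00010000),
]
SAMPLE_SSDT = [
    0x80470123,  # ordinary kernel handler
    0xF8A01234,  # replaced with a driver's own routine
    0x8A3F1000,  # inside no module: a pool stub that jumps on to the real handler
]

def sample_report() -> Dict[int, Tuple[str, str]]:
    return classify_ssdt(SAMPLE_SSDT, SAMPLE_MODULES)
```

On a live system the module list would come from the loaded-module enumeration of your choice and the entries from the service table itself; the classification logic stays the same.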