Limitations #121
ByteWhite1x1 started this conversation in General
Replies: 0 comments
Hi.
I am a hobbyist security researcher. This is a good concept.
I just tested RtlCreateProcessReflection and it works as intended. Is there a way to create a thread in the cloned process? The cloned (reflected) process is suspended and as soon as I resume, the process terminates.
I tried to inject a DLL with my C++ kernel driver into the cloned process using the RtlCreateUserThread kernel API, but it did not work. Is there any way to inject a DLL into the reflected process?
Also, I did not find a way to get the process ID of the cloned process from the kernel when using ZwCreateProcessEx, except my ghetto method.
If you're a malware analyst, you're very likely interested in my research https://github.com/ByteWhite1x1/EDR-bypass-disable-PspNotifyEnableMask
Ironically, many of the AV/EDR providers I have contacted so far were not interested in it...