Comments on: Update: bpmtk with hook-createprocess.dll

By: EnforcePermanentDEP « Didier Stevens

EnforcePermanentDEP « Didier Stevens — Mon, 08 Nov 2010 00:46:36 +0000

[...] load this DLL inside a process, you can add it to the import table of the target process (EnforcePermanentDEP.dll exports function Dummy), use LoadDLLViaAppInit or use your own preferred [...]

By: s0meb0dy

s0meb0dy — Thu, 14 Oct 2010 16:13:12 +0000

Thank you!

You always have very interesting post

By: Didier Stevens

Didier Stevens — Tue, 12 Oct 2010 06:17:32 +0000

@s0meb0dy Entrypoint DllMain is called when the DLL is loaded, and DllMain calls the function to patch the IAT.

By: s0meb0dy

s0meb0dy — Mon, 11 Oct 2010 22:03:28 +0000

I know, quite old post, but I have a little question.

Adding hook-createprocess.dll to the import table loads the dll in the virtualaddress space of the corresponding executable, but how does the main module execute the function in the dll to patch functions of KERNEL32.dll?

By: LowerMyRights « Didier Stevens

LowerMyRights « Didier Stevens — Mon, 11 Oct 2010 08:41:31 +0000

[...] You can load LowerMyRights inside all processes by adding it to the AppInit_DLL registry key, but be careful, this might cripple your system as it is loaded inside every process (even at boot time), so please test first. Or else you use LoadDLLViaAppInit, or add it to the import table like explained here. [...]

By: There is a way to patch Adobe Reader (or… « SecurityGuy.org

There is a way to patch Adobe Reader (or… « SecurityGuy.org — Wed, 31 Mar 2010 16:49:33 +0000

[...] http://blog.didierstevens.com/2009/11/19/update-bpmtk-with-hook-createprocess-dll/ [...]

By: LoadDLLViaAppInit « Didier Stevens

LoadDLLViaAppInit « Didier Stevens — Wed, 23 Dec 2009 12:20:38 +0000

[...] you can’t use this key to load hook-createprocess.dll, because it will load it in every process, and your Windows machine will stop [...]

By: Plaats hier software gerelateerd nieuws! - Page 14

Plaats hier software gerelateerd nieuws! - Page 14 — Mon, 23 Nov 2009 17:41:50 +0000

[...] bestand al aan, maar nu is het voor iedereen via de "basic process manipulation toolkit" beschikbaar. Een nadeel van het bestand is dat Adobe Reader en Acrobat zichzelf niet meer kunnen updaten. [...]