首页
社区
课程
招聘
[转帖]PROCESS HERPADERPING – WINDOWS DEFENDER EVASION
发表于: 2021-1-19 05:31 2250

[转帖]PROCESS HERPADERPING – WINDOWS DEFENDER EVASION

2021-1-19 05:31
2250

PROCESS HERPADERPING – WINDOWS DEFENDER EVASION

Windows Defender has improved significantly the security posture of Windows environments since it has better detection capabilities compare to other security products. When a process is created Windows Defender receives a notification since it has a register callback on the kernel. However the actual inspection of the file occurs when the thread is inserted and before the process initiates on the system and not when the process object is created.


Johnny Shaw released publicly a technique called Process Herpaderping which could be used to evade security products including Windows Defender. The evasion works because the contents of the file that created the process object on the system are modified before the insertion of the thread. Therefore when the process initiates Windows Defender cannot determine if should allow execution or flag the process as malicious since the initial binary which started the process doesn’t match to what is actually executed.

https://pentestlaboratories.com/2021/01/18/process-herpaderping-windows-defender-evasion/



[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (2)
雪    币: 2394
活跃值: (8795)
能力值: ( LV2,RANK:15 )
在线值:
发帖
回帖
粉丝
2

网页本地存档

上传的附件:
2021-1-19 06:12
0
雪    币: 98729
活跃值: (201034)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
3
FleTime 网页本地存档
2021-1-19 06:15
0
游客
登录 | 注册 方可回帖
返回
//