Kaspersky

[0xShkk]

Hi,

wanted to share my observation for Kaspersky.
Seems like Kaspersky does the real hooking in Kernel mode as well like Cortex or Defender MDE.

How can those hooks be identified?

Loading c:\Windows\System32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
Listing loaded modules
------------------------------------------
C:\Users\user\Desktop\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFF0C150000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFF0BBF0000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFF09A90000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFF0BDE0000.
***Listing Nt* API only

NtQuerySystemTime is hooked
------------------------------------------
Completed

[Mr-Un1k0d3r]

yes there is no user mode hooking

[tamburro92]

I would say the same for ESET

[Mr-Un1k0d3r]

Yep most of the EDRs have moved to the kernel which is good. Some of them have moved to the kernel a long time ago.

…

On Wed, May 17, 2023 at 11:12 AM tamburro92 ***@***.***> wrote: I would say the same for ESET — Reply to this email directly, view it on GitHub <#19 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABAK3LQAYS7DEJC4353XMC3XGTTF5ANCNFSM5O4IJNXA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

-- *Mr.Un1k0d3r** or 1 #*