by default depending on configuration on the Windows OS, if you start moving the window of a program around quickly, all the others will be minimized) it uses this function to operate this functionality.The interactive mode, to be practical, should have a set of general rules and the user should answer only to a limited number of pop ups. You'll need a HIPS product which supports blocking the usage of these 2 functions properly, or at least monitor it's usage, however you should know that normal Win32 programs will call this function because for features like the auto-minimize on the window drag (e.g. for injection attacks), however its used for logging the typed keystrokes on the system, more often than not. A function like SetWindowsHookExA/W can definitely be abused (e.g. The SetWinEventHook and SetWindowsHookEx ones are a bit tricky because you'd need to hook those functions to block them dynamically, or modify win32k.sys device driver (critical to the Windows OS - contains the GDI functions such as those ones) to patch up the exported functions to block it from affecting specific programs. As an example, make sure you only allow programs to run with administrative privileges if you are certain that they are safe and trusted do the research prior to downloading it in the first place, actually. keeping User Account Control enabled and using it as it's intended to be used) then you'll be fine. Regarding the #8 for the System32 file drop, this is a protected directory by default and this means that any programs which are not running with administrative privileges will simply fail the operation of dropping to this folder - therefore, as long as you continue to apply basic and safe security practices (e.g. I've never even found a sample which does this sort of stuff, I've only learnt about it from personal tests with my own code. If I were you I really wouldn't worry about the first one especially, almost all software which utilizes device drivers these days will register and start it via usage of a Windows Service the normal way this would be done via using the service manager - more advanced rootkits may attempt to perform a registry modification and then call NtLoadDriver, or just use NtSetSystemInformation, however it'd be rare to see this these days since advanced rootkits which really utilize those methods aren't in the wild as much as they used to be about 5 years ago.
0 kommentar(er)
