What is "process modification"

I did some forum seach but it look like somtething everyone already know or doesnt bother knowing.

First i caugth svchost.exe that was trying to do
[memory protect] on internet explorer

Then when i was playing in the menus of intenet explorer it promted me for MSG GLOBAL HOOK each time i changed of menu (File, Edit, .... )

That anoyed me so i put alwais accept.. after all teh stric minimum i should be able to do is to use the software without interuption on each click.

But then i realised that this would allow iexplore to do more advanced thing like [memory protect] or other thing even worse that i dont know of (since i'm sure that memory protect was innofensive)

Anywais you get the point ... just to be able to browse the menu I give really powerfull rigths to iexplore. And we all know iexplore and explorer are kind of trojan horse ( the are not viruses but every action made by a ie toolbar or a explorer add-on get charged on the ie/explorer process so behind a conforting know figure migth hide a malware )

Rigth now i really feel like process modification is a "everything else" category that migth gain from being split to more better organised categorie. ( ie Global Hooks, Memory management, etc)

Aside from that i have two question. Anyone know what are " all " the actions covered by this "process modification" category, what else is there after hooks? and my second question ... what are the meaning of the different global hooks intercepted by appDefend ? some are obvious like mouse / keyboard ... other are way less

 

You can actually block the INTERNET EXPLORER and OPEN/SAVE AS dialog "global hooks" without any real harm to how they work. A future update will probably remove these "alerts" from occuring in the first place.

 

Thanks... it is alwais usefull that blocking those does no harm

however i'm still curious about the other part of my question
what exatcly is covered by process modification ?
is it all wais a procress can inject a dll in another ... or it actually cover more than that ?

I just looked at what was hooked and my guess is that i cover those
( actually i dont know what they are .. but i'll do some research on my side)

CreateSymbolicLinkObject
ProtectVirtualMemory
SetContextThread
OpenSection

and maybe a part of
NtCreateThread

 

Hi f3x,

If you hover over the "Process Modification:" part of the GUI, it describes some of them, global hooks, suspension (thread and process), virtual memory writing/modification, thread context changing.

 

thank you for you excelent support
actually this description is actually a bit more complete that what really is on the tooltip, maybee you changed it since last beta ?

personnaly i dont like tooltip that much as they take some time to appear and then can dispear before we read them completely. But i'm sure that those are minor disadvantages of still being in beta. A proper helpfile would be greatly apreciated.

 

i finally found what was the memorey protect alert i was receiving
each time i plug / unplug an usb device

svchost is doing like 5/6 memory protect on explorer.exe

( i know i should have edited my last post, but i cant as a guess, maybee i'll register)