Some Hooks

Discussion in 'Ghost Security Suite (GSS)' started by controler, Nov 20, 2005.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

This screenshot should show the difference in hooks between PG & AD

    Mind you I have Ghostwall installed also.
     

    Attached Files:

  2. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
  3. xmen

    xmen Guest

    Controller, it's unclear to me if your screenshot shows all the difference.

It is highly likely that there is a great overlap between kernel hooks for both PG and AppDefend, which isn't reflected in your screenshot.

    I would venture a guess that install order, or load order would affect what is being shown.
     
  4. controler

    controler Guest

    xmen

Yes, you are correct. If the two are installed together, you see overlap.
The next two screens were taken with only AD installed, not PG.

Notice how everything in the log after the "yes" disappears with PG enabled and comes back with PG disabled.
     

    Attached Files:

  5. controler

    controler Guest

    Disabled PG
     

    Attached Files:

  6. controler

    controler Guest

Then installing PG and looking at the log with PG enabled or disabled,
I see PG occupies the same 6 spaces, AD gets the rest.

Sorry for all the screenshots, people. Don't worry, I won't flood the site with a lot of JPGs.

    controler
     
  7. xmen

    xmen Guest

I did separate installs of PG and AppDefend (actually RegDefend+AppDefend),
and in terms of the total number of hooks it's almost the same.

Quite surprising given that AppDefend includes RegDefend.

Of the 6 hooks that AppDefend has, they include
    ZwDeleteKey,
    ZwDeleteValueKey
    ZwEnumerateKey
    ZwEnumerateValueKey
    ZwQueryKey
    ZwQueryValueKey

which are related to control over the registry, which PG doesn't do. So this is actually due to RegDefend.

What's surprising to me is that there are hooks in PG not in the AppDefend+RegDefend combo.
     
  8. xmen

    xmen Guest

To be clear, those hooks listed above are in the GSS combo (RD+AppDefend), but not in PG.

But overall the number of hooks in PG is roughly the same as the GSS combo because there are roughly the same number of hooks used by PG not in the GSS combo. You can see those in controler's first screenshot of GSS and PG installed together.
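The two posts above compare hook lists from separate installs and note that a combined screenshot hides the overlap. The script below is an added example, not code from the thread or from the GSS/PG developers: it parses two constructed hook reports (in a plain "service name, hooking module" layout; the module names and the non-registry service names are assumptions, only the six registry Zw* names come from the post), computes which services each product hooks alone and which both hook, and simulates why a single listing taken with both drivers loaded shows only the last-installed hook for a shared service.

```python
"""Compare two kernel-hook reports and attribute hooked services to products.

Added example. The reports are constructed in the style of an SSDT-hook
listing; driver file names are placeholders, not the real products' drivers.
"""
import re
from typing import Dict, List

# Constructed report for a PG-only install (placeholder module name).
PG_REPORT = """\
ZwOpenProcess         pg_driver.sys
ZwReadVirtualMemory   pg_driver.sys
ZwWriteVirtualMemory  pg_driver.sys
ZwCreateThread        pg_driver.sys
ZwTerminateProcess    pg_driver.sys
ZwLoadDriver          pg_driver.sys
"""

# Constructed report for a GSS-only (RegDefend+AppDefend) install; the six
# registry services are the ones listed in the post above.
GSS_REPORT = """\
ZwOpenProcess         gss_driver.sys
ZwWriteVirtualMemory  gss_driver.sys
ZwCreateThread        gss_driver.sys
ZwTerminateProcess    gss_driver.sys
ZwDeleteKey           gss_driver.sys
ZwDeleteValueKey      gss_driver.sys
ZwEnumerateKey        gss_driver.sys
ZwEnumerateValueKey   gss_driver.sys
ZwQueryKey            gss_driver.sys
ZwQueryValueKey       gss_driver.sys
"""

# One report line: a Zw* service name followed by the module that hooks it.
LINE_RE = re.compile(r"^\s*(Zw\w+)\s+(\S+)\s*$")


def parse_report(text: str) -> Dict[str, str]:
    """Map service name -> hooking module; blank or non-matching lines are skipped."""
    hooks: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hooks[m.group(1)] = m.group(2)
    return hooks


def compare_hooks(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, List[str]]:
    """Services hooked only by report a, only by report b, and by both."""
    sa, sb = set(a), set(b)
    return {
        "only_a": sorted(sa - sb),
        "only_b": sorted(sb - sa),
        "both": sorted(sa & sb),
    }


def classify(service: str) -> str:
    """Coarse category of a hooked service, based on its name."""
    if service.endswith("Key"):          # ZwDeleteKey, ZwQueryValueKey, ...
        return "registry"
    if "VirtualMemory" in service:       # ZwReadVirtualMemory, ...
        return "process memory"
    if "Driver" in service:              # ZwLoadDriver
        return "driver loading"
    return "process/thread"


def combined_view(reports_in_load_order: List[Dict[str, str]]) -> Dict[str, str]:
    """Simulate one listing taken with several hooking drivers loaded.

    Each driver that hooks a service replaces the table entry and keeps the
    previous pointer in its own chain, so a listing shows only the module
    that installed last; the earlier hook on a shared service is not visible.
    This is the overlap the combined screenshot cannot show.
    """
    view: Dict[str, str] = {}
    for report in reports_in_load_order:
        view.update(report)
    return view


def summarize(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Count hooked services per category for each side of the comparison."""
    diff = compare_hooks(a, b)
    out: Dict[str, Dict[str, int]] = {}
    for side, names in diff.items():
        counts: Dict[str, int] = {}
        for n in names:
            counts[classify(n)] = counts.get(classify(n), 0) + 1
        out[side] = counts
    return out


if __name__ == "__main__":
    pg, gss = parse_report(PG_REPORT), parse_report(GSS_REPORT)
    for side, names in compare_hooks(pg, gss).items():
        print(side, names)
    print("PG loaded first:", combined_view([pg, gss])["ZwOpenProcess"])
    print("GSS loaded first:", combined_view([gss, pg])["ZwOpenProcess"])
```

Running it with the constructed reports shows the six registry services on the GSS-only side, two memory/driver services on the PG-only side, four shared services, and a combined view whose attribution of a shared service flips with load order, which is the install-order effect xmen raised.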
     
  9. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
ProcessGuard covers some areas which AppDefend doesn't (reading process memory) or differently than AppDefend (RegDefend handles normal driver installation through the registry, where PG doesn't), so there are bound to be differences in what they cover.

The next beta(s) will cover more items which need to be protected, which I talked about in the beta release thread.
     