What is "process modification"

Discussion in 'Ghost Security Suite (GSS)' started by f3x, Dec 10, 2005.

Thread Status:
Not open for further replies.
  1. f3x

    f3x Guest

    I did some forum searching, but it looks like something everyone already knows or doesn't bother knowing.

    First I caught svchost.exe trying to do
    [memory protect] on Internet Explorer.

    Then when I was playing in the menus of Internet Explorer it prompted me for MSG GLOBAL HOOK each time I changed menu (File, Edit, ...).

    That annoyed me, so I set it to always accept... after all, the strict minimum I should be able to do is use the software without an interruption on each click.

    But then I realised that this would allow iexplore to do more advanced things like [memory protect] or other things even worse that I don't know of (since I'm sure that memory protect was inoffensive).

    Anyway, you get the point... just to be able to browse the menu I give really powerful rights to iexplore. And we all know iexplore and explorer are kind of Trojan horses (they are not viruses, but every action made by an IE toolbar or an Explorer add-on gets charged to the ie/explorer process, so behind a comforting known figure might hide a malware).

    Right now I really feel like process modification is an "everything else" category that might gain from being split into more, better organised categories (i.e. Global Hooks, Memory management, etc.).

    Aside from that I have two questions. Does anyone know what are "all" the actions covered by this "process modification" category; what else is there after hooks? And my second question... what are the meanings of the different global hooks intercepted by AppDefend? Some are obvious like mouse/keyboard... others are way less so.
     
  2. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    You can actually block the INTERNET EXPLORER and OPEN/SAVE AS dialog "global hooks" without any real harm to how they work. A future update will probably remove these "alerts" from occurring in the first place.
     
  3. f3x

    f3x Guest

    Thanks... it is always useful to know that blocking those does no harm.

    However, I'm still curious about the other part of my question:
    what exactly is covered by process modification?
    Is it all the ways a process can inject a DLL into another, or does it actually cover more than that?

    I just looked at what was hooked and my guess is that it covers these
    (actually I don't know what they are... but I'll do some research on my side):

    CreateSymbolicLinkObject
    ProtectVirtualMemory
    SetContextThread
    OpenSection

    and maybe a part of
    NtCreateThread
     
  4. Jason_R0

    Jason_R0 Developer

    Hi f3x,

    If you hover over the "Process Modification:" part of the GUI, it describes some of them: global hooks, suspension (thread and process), virtual memory writing/modification, thread context changing.
     
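The operations named in the reply above (virtual memory protection changes and writes, thread and process suspension, thread context changing, global hooks, plus NtCreateThread from the hook list earlier in the thread) are exactly the building blocks of process injection, which is why a HIPS groups them together. The following C program is an added example, not GSS or AppDefend code: on Windows it performs those operations against its own process, so a HIPS in front of it sees the same NT calls discussed here without any other process being touched, and it carries a portable heuristic that rates a burst of such calls, separating a protection change on its own (the shape of the svchost -> explorer.exe alerts in this thread) from protect-then-write-then-thread, the classic injection shape. The grouping of call names into categories, the verdict rules and the function names (`pm_classify`, `pm_rate`, `pm_demo_self`) are this example's own assumptions, not how GSS classifies or names anything; CreateSymbolicLinkObject and OpenSection from the posted hook list are deliberately left unclassified because the thread does not say why they are hooked.

```c
/* Added example, not GSS/AppDefend code. Shows the NT-level operations a HIPS
 * groups under "process modification" and a heuristic that rates a burst of
 * them. The Windows demo compiles only under _WIN32; the rating is portable.
 * The grouping and rules are this example's assumptions, not GSS's. */
#include <stdio.h>
#include <string.h>

typedef enum {
    CAT_UNKNOWN = 0,    /* OpenSection, CreateSymbolicLinkObject: not classified here */
    CAT_GLOBAL_HOOK,    /* SetWindowsHookEx (user32, not an Nt call) */
    CAT_SUSPEND,        /* thread or process suspension */
    CAT_MEMORY,         /* protection changes and writes in another process */
    CAT_THREAD_CONTEXT, /* SetContextThread */
    CAT_THREAD_CREATE   /* CreateThread(Ex) in another process */
} pm_category;

typedef enum { VERDICT_NONE, VERDICT_OTHER, VERDICT_MODIFY, VERDICT_HIJACK, VERDICT_INJECT } pm_verdict;

/* Names stored without the Nt/Zw prefix; the thread shows both spellings. */
static const struct { const char *name; pm_category cat; } k_table[] = {
    { "ProtectVirtualMemory", CAT_MEMORY },         { "WriteVirtualMemory", CAT_MEMORY },
    { "SetContextThread",     CAT_THREAD_CONTEXT }, { "SuspendThread",      CAT_SUSPEND },
    { "CreateThread",         CAT_THREAD_CREATE },  { "CreateThreadEx",     CAT_THREAD_CREATE },
    { "SetWindowsHookEx",     CAT_GLOBAL_HOOK },
};

pm_category pm_classify(const char *call)
{
    size_t i;
    if (strncmp(call, "Nt", 2) == 0 || strncmp(call, "Zw", 2) == 0)
        call += 2;                              /* fold NtX, ZwX and bare X together */
    for (i = 0; i < sizeof k_table / sizeof k_table[0]; i++)
        if (strcmp(call, k_table[i].name) == 0)
            return k_table[i].cat;
    return CAT_UNKNOWN;
}

/* Rates one burst of calls from one source process against one target.
 * Memory change plus a way to run code in the target (new thread or rewritten
 * context) is the classic injection shape; a protection change alone, like the
 * svchost -> explorer.exe bursts in this thread, is only a modification. */
pm_verdict pm_rate(const char **calls, size_t n)
{
    int mem = 0, ctx = 0, thr = 0, other = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        switch (pm_classify(calls[i])) {
        case CAT_MEMORY:         mem = 1;   break;
        case CAT_THREAD_CONTEXT: ctx = 1;   break;
        case CAT_THREAD_CREATE:  thr = 1;   break;
        case CAT_SUSPEND: case CAT_GLOBAL_HOOK: other = 1; break;
        default:                            break;
        }
    }
    if (mem && (thr || ctx)) return VERDICT_INJECT;
    if (ctx)                 return VERDICT_HIJACK; /* existing thread redirected */
    if (mem)                 return VERDICT_MODIFY;
    return (thr || other) ? VERDICT_OTHER : VERDICT_NONE;
}

#ifdef _WIN32
#include <windows.h>
static DWORD WINAPI pm_idle(LPVOID arg) { (void)arg; return 0; }
/* Performs the memory and thread operations on the calling process itself, so
 * a HIPS hooking NtProtectVirtualMemory, NtWriteVirtualMemory and
 * NtSetContextThread raises the alerts above without touching another process. */
int pm_demo_self(void)
{
    HANDLE self = GetCurrentProcess(), th;
    const char payload[] = "written via WriteProcessMemory";
    SIZE_T len = 4096, written = 0;
    DWORD old = 0;
    CONTEXT ctx;
    LPVOID page = VirtualAllocEx(self, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READONLY);
    if (page == NULL) return 0;
    if (!VirtualProtectEx(self, page, len, PAGE_READWRITE, &old)) return 0;  /* "memory protect" */
    if (!WriteProcessMemory(self, page, payload, sizeof payload, &written)) return 0;
    th = CreateThread(NULL, 0, pm_idle, NULL, CREATE_SUSPENDED, NULL);       /* suspension */
    if (th == NULL) return 0;
    memset(&ctx, 0, sizeof ctx); ctx.ContextFlags = CONTEXT_CONTROL;
    /* Written back unchanged here; a hijack would first alter Eip/Rip. */
    if (!GetThreadContext(th, &ctx) || !SetThreadContext(th, &ctx)) {
        TerminateThread(th, 1); CloseHandle(th); return 0;
    }
    ResumeThread(th);
    WaitForSingleObject(th, INFINITE);
    CloseHandle(th);
    VirtualFreeEx(self, page, 0, MEM_RELEASE);
    return written == sizeof payload;
}
#endif

int main(void)
{
    const char *burst[] = { "ProtectVirtualMemory", "WriteVirtualMemory", "NtCreateThread" };
    printf("burst verdict %d (4 = inject)\n", (int)pm_rate(burst, 3));
#ifdef _WIN32
    printf("self demo %s\n", pm_demo_self() ? "ok" : "failed");
#endif
    return 0;
}
```

Run it with a HIPS active and the self-demo produces one protect, one write, one suspended-thread creation and one context change from a single process, which is the sequence a rule like `pm_rate` would escalate to its injection verdict; the protect-only bursts f3x reports from svchost.exe would stay at the lower modification verdict under the same rule. The heuristic is deliberately simple (it ignores ordering and the target's identity) and is there to show the shape of the reasoning, not to be a finished detector.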
  5. f3x

    f3x Guest

    Thank you for your excellent support ;)
    Actually this description is a bit more complete than what really is on the tooltip; maybe you changed it since the last beta?

    Personally I don't like tooltips that much, as they take some time to appear and then can disappear before we read them completely. But I'm sure those are minor disadvantages of still being in beta. A proper help file would be greatly appreciated.
     
  6. f3x

    f3x Guest

    I finally found what the memory protect alert I was receiving was:
    each time I plug/unplug a USB device,

    svchost does like 5/6 memory protects on explorer.exe.

    (I know I should have edited my last post, but I can't as a guest; maybe I'll register.)
     