by tsujamin
721 days ago
VirtualProtect might be unhooked in userspace by the payload, and the payload might only be decrypted for a short moment (to run a task, do a beacon cycle), so you’d have to be quick to capture its unobfuscated form. Not sure if you can actually hook/intercept VirtualProtect on the kernel side, probably not due to the performance and safety implications, but there are ETW feeds that emit telemetry for the call now (https://undev.ninja/introduction-to-threat-intelligence-etw/).