by lucasRW 693 days ago
Whatever protection is implemented in user-land can be removed from user-land too. This is why most EDR vendors are now gradually relying on kernel-based mechanisms rather than doing stuff like injecting their DLL in a process, hooking syscalls, etc.

This is wrong: there are many facilities that, once applied, cannot be modified (short of a reboot).
Such as?
Random example: https://man.openbsd.org/OpenBSD-7.3/msyscall

This is a syscall used by userspace to tell the kernel which memory portion is allowed to do syscalls

This syscall can only be used once: once the linker has done it, the kernel will refuse extra calls (so allowing more memory pages is not possible).
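To see the "only once" behaviour described above on an OpenBSD 7.3 host, here is an added example (not code from the thread or from OpenBSD): a dynamically linked C program that tries msyscall(2) a second time, after ld.so has already used it for libc's text, and reports why the kernel refuses. The `region` array and the `probe_msyscall` name are my own choices; on a non-OpenBSD build the probe returns a labelled sentinel instead of calling anything.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <sys/types.h>
#include <sys/mman.h>
#endif

/* Sentinel (a constructed value) for builds on systems without msyscall(2). */
#define MSYSCALL_UNAVAILABLE (-1)

/*
 * Ask the kernel to allow syscalls from one more page range, after ld.so has
 * already made the single permitted msyscall(2) call for this process.
 * Returns 0 if the kernel accepted the region (which should not happen in a
 * dynamically linked program), otherwise the errno of the refused call; the
 * msyscall(2) manual page documents EPERM for a call made after the first one.
 */
int probe_msyscall(void)
{
#ifdef __OpenBSD__
    /* Hypothetical page-aligned region we would like to issue syscalls from. */
    static char region[4096] __attribute__((aligned(4096)));
    if (msyscall(region, sizeof region) == 0)
        return 0;
    return errno;
#else
    return MSYSCALL_UNAVAILABLE;
#endif
}

int main(void)
{
    int rc = probe_msyscall();
    if (rc == MSYSCALL_UNAVAILABLE)
        puts("msyscall(2) is not available on this system");
    else if (rc == 0)
        puts("kernel accepted the region (restriction not yet applied?)");
    else
        printf("kernel refused the extra region: %s\n", strerror(rc));
    return 0;
}
```

The probe never succeeds in a normal dynamically linked process, which is exactly the property the comment relies on: no later user-land code can widen the set of pages allowed to make syscalls.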