Author Topic: KProcessHacker3 & Self-Defense Mode  (Read 3091 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
KProcessHacker3 & Self-Defense Mode
« on: September 25, 2017, 10:10:07 AM »
Why is the self-defense mode blocking KProcessHacker3, a key component of Process Hacker  2?   In order to use Process Hacker 2 properly I have to disable a key component of avast.  Neither option is acceptable!!!!!!!!!!

George

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37639
  • F-Secure user
Re: KProcessHacker3 & Self-Defense Mode
« Reply #1 on: September 25, 2017, 10:13:49 AM »
Does avast give a message? if so what does it say, you may post a screeshot


Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89420
  • No support PMs thanks
Re: KProcessHacker3 & Self-Defense Mode
« Reply #2 on: September 25, 2017, 11:14:18 AM »
If KProcessHacker3 is poking around with avast processes, then I would expect avasts self-defence module to get moving. 

As you say the Avast self-defence module is a key component of Avast, so a screenshot could be helpful as Pondus suggests.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Spec8472

  • Avast team
  • Sr. Member
  • *
  • Posts: 298
Re: KProcessHacker3 & Self-Defense Mode
« Reply #3 on: September 25, 2017, 11:28:02 AM »
KProcessHacker.sys is blocked, because it is subverting Windows security model. It allows user mode caller (through kprocesshackers internal IOCTLs) to open processes/threads as kernel mode requester, basically bypassing standard AV filtering techniques which depends on object manager callback registration (ObRegisterCallbacks). Resulting kernel handle is returned to user mode and can be used to modify target thread/process (operations like suspend/terminate, modification of virtual memory etc.), This functionality can be easily reused by 3rd party attackers.
« Last Edit: September 25, 2017, 11:37:52 AM by Spec8472 »