Gergely Bod

Results 9 comments of Gergely Bod

I doubt `NtCreateThreadEx` is failing because Windows Defender or another AV product is blocking its call. I tried: 1. Turning off Windows Defender temporarily -> made no difference 2. Decided...

@hasherezade @PraMiD Both of you are right, that error is 0xc0000022 (ACCESS_DENIED) as reported by API Monitor (the tool) as well. I am already in the middle of some kernel...

So to cut the story short: **Windows Defender's minifilter called WdFilter has mitigations against transacted process creation.** The filter driver will log this message (reversing wdfilter.sys): `"[Mini-filter] Blocked transacted process...`

See here: https://www.kernelmode.info/forum/viewtopic0b8b.html?t=4879 This issue has already been raised on some "hacker forums" with some possible workarounds: https://hackforums.net/printthread.php?tid=6036393

Thanks for the links, I want to analyze (maybe mitigate) both Transacted Hollowing and Process Ghosting. Your POCs on these techniques are immensely helpful! :)

Can you show the output of `clang -v` as well?

Thanks for reporting that this issue causes your production environment to be blocked. This greatly concerns us and our team will treat this issue with the highest priority. We will...

Sorry for the inconvenience and downtime caused. @rafalmiel Please provide an ETA on the fix ASAP.

I am proposing a board meeting with the Stakeholders. Time: 7 pm, Thursday, 15th March 2018 Location: 21 Pepper St, Isle of Dogs, London E14 9RP