process_ghosting icon indicating copy to clipboard operation
process_ghosting copied to clipboard
verified publisher icon hasherezade

Blocked by wdfilter?

Open Mukad3 opened this issue 4 years ago • 1 comments

Hi,

I think this technique is being blocked by windows defender, even when it's disabled, and I'm not sure how. CreateRemoteThreadEx fails with 0xc0000022. I've confirmed it was working on windows 10 enterprise, with no defender installed.

Mukad3 avatar Oct 08 '21 04:10 Mukad3

I believe apps like sandboxie also does something to cause that fail. mabye they hook it

Josee-xav avatar Aug 03 '23 17:08 Josee-xav