Xacone / BestEdrOfTheMarket

Little user-mode AV/EDR evasion lab for training & learning purposes
https://xacone.github.io/BestEdrOfTheMarketV2.html
MIT License
947 stars, 103 forks

Use PssCaptureSnapshot instead of CreateToolhelp32Snapshot for process state capture #12

Status: Open. Xacone opened this issue 2 months ago.

Xacone commented 2 months ago

CreateToolhelp32Snapshot captures the state of all the processes, which takes more time. PssCaptureSnapshot captures a single process at a time.

https://github.com/Xacone/BestEdrOfTheMarket/blob/5b9f24facf9455bf658baa85aead0e1ca1358b48/BestEdrOfTheMarket/IPCUtils.h#L793