Closed VirtualAlllocEx closed 4 years ago
Okay this sounds strange.
After you enabled the hook again if you run a gitl.exe status
does it say that the hook is active?
Yes, right, the hook status was OK. But the strange thing was that this problem does not always exist. I will do a few more tests and report the results to you.
Yeah, if you could that would be great.
I did these tests on WIN10 PRO x64 Version 10.0.18363 Build 18363 with everything disabled in Windows Defender.
I opened a cmd.exe in a privileged context and did the load and enabling. Everything was fine; after starting a new cmd.exe or powershell.exe nothing got detected by Sysmon (used the SwiftOnSecurity XML for Sysmon).
In the second step I disabled the hook and enabled it again, opened a new cmd and powershell, and got logs in Sysmon. Tried it a few times, but it won't work in the second run. So I restarted the Win10 machine and after that everything was fine again.
But I have to say that this wasn't always the case; just two minutes ago I tried multiple enabling and disabling and it works fine, no detections in ETW/Sysmon.