Simple security question about madKernel

delphi package - easy access to kernel objects etc.
JM123
Posts: 16
Joined: Fri Mar 17, 2006 9:02 pm

Simple security question about madKernel

Post by JM123 »

As I understand, madKernel is a wrapper for the win32 functions.

Does that mean by hooking CreateToolhelp32Snapshot(), Process32First(), Process32Next() etc, processes and modules can be "hidden" from madKernel?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

In win9x: yes. In the NT family: no. Because in the NT family madKernel is using something different to enumerate processes.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

P.S.: Well, if with "etc" you mean "NtQuerySystemInformation", then yes, you can hide from madKernel in the NT family, too.
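The defender-side consequence of madshi's answer, as an added example that is not part of the thread or of madKernel itself: a hook on one enumeration API only removes a process from that one path, so comparing two independent paths (Toolhelp snapshot versus PSAPI EnumProcesses) surfaces the disagreement. It assumes a Unicode Delphi with Generics.Collections; the NtQuerySystemInformation path madshi mentions could be added as a third view in the same way.

```delphi
program CrossViewCheck;
{$APPTYPE CONSOLE}
uses SysUtils, Windows, TlHelp32, PsAPI, Generics.Collections;

// PIDs from the Toolhelp path the question asks about.
function ToolhelpPids: TList<DWORD>;
var snap: THandle; pe: TProcessEntry32;
begin
  Result := TList<DWORD>.Create;
  snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if snap = INVALID_HANDLE_VALUE then RaiseLastOSError;
  try
    pe.dwSize := SizeOf(pe);
    if Process32First(snap, pe) then
      repeat Result.Add(pe.th32ProcessID) until not Process32Next(snap, pe);
  finally
    CloseHandle(snap);
  end;
end;

// PIDs from PSAPI EnumProcesses, an independent enumeration path.
function PsapiPids: TList<DWORD>;
var pids: array[0..4095] of DWORD; needed, i: DWORD;
begin
  Result := TList<DWORD>.Create;
  if not EnumProcesses(@pids[0], SizeOf(pids), needed) then RaiseLastOSError;
  for i := 0 to needed div SizeOf(DWORD) - 1 do Result.Add(pids[i]);
end;

// A PID in one view but not the other means the two paths disagree, which is
// what a hook on only one of them produces. Processes that start or exit
// between the two calls also show up here, so treat a hit as a lead, not proof.
procedure ReportDifferences(const a, b: TList<DWORD>; const aName, bName: string);
var pid: DWORD;
begin
  for pid in a do
    if not b.Contains(pid) then
      Writeln(Format('PID %d seen by %s but not by %s', [pid, aName, bName]));
end;

var th, ps: TList<DWORD>;
begin
  th := ToolhelpPids; ps := PsapiPids;
  try
    ReportDifferences(th, ps, 'Toolhelp', 'EnumProcesses');
    ReportDifferences(ps, th, 'EnumProcesses', 'Toolhelp');
  finally
    th.Free; ps.Free;
  end;
end.
```

Run it a few times before trusting a single discrepancy, since short-lived processes between the two calls produce the same output as a hooked API.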
JM123
Posts: 16
Joined: Fri Mar 17, 2006 9:02 pm

Post by JM123 »

Ok, thanks for clearing that up.