by madshi » Tue Sep 19, 2017 5:08 pm
I fully agree that trying to break the new process mitigations doesn't sound like a good idea. Doing so seems like malware-like behaviour to me, and as you say, it might open up security holes. I've also talked to a big anti-virus company (which is using madCodeHook) about it, and they share the same view.
A key question is at which point in time the process mitigations actually become active. Is it already before even ntdll.dll's entry point is called (or would be called, if there were one)? Or do the mitigations only become active after the statically linked DLLs get initialized? Maybe there's a chance to install hooks before the mitigations become active. However, if we do that, unhooking the APIs again will become tricky.