Nostr Web Client

Ya but we’re not just talking about detections. The agent for each of these still needs kernel admin to hook? So you’d have to abuse the deployed agent in most cases, which is too sophisticated for 99.999% of attacks, but the risk is still present, right?

Tyler Burns 1y ago

No, you don't need kernel mode access to hook into API calls like NtReadVirtualMemory, NtOpenProcess, etc which are all API calls that exist in usermode space. Having usermode hooks certainly makes it easier for malware to thus unhook the security agent and avoid detection. So it is a trade off.

Reply to this note

Please Login to reply.

Discussion

Dimi 1y ago

Ah, ok, now I follow. Ya. I don’t recall any usermode only agents on my radar in 2017, probably because of the lesser features. Was leaning heavily on the response part.