Gergely Bod

Results 6 comments of Gergely Bod

I doubt `NtCreateThreadEx` is failing because Windows Defender or other AV product is blocking its call. I tried: 1. Turning off Windows Defender temporarily -> made no difference 2. Decided...

@hasherezade @PraMiD Both of you are right, that error is 0xc0000022 (ACCESS_DENIED) as reported by API Monitor (the tool) as well. I am already in the middle of some kernel...

So to cut the story short: **Windows Defender's minifilter called WdFilter has mitigations against transacted process creation.** The filter driver will log this message (reversing wdfilter.sys): "[Mini-filter] Blocked transacted process...

See here: https://www.kernelmode.info/forum/viewtopic0b8b.html?t=4879 This issue has already been raised on some "hacker forums" with some possible workarounds: https://hackforums.net/printthread.php?tid=6036393

Thanks for the links, I want to analyze (maybe mitigate) both Transacted Hollowing and Process Ghosting. Your POCs on these techniques are immensely helpful! :)

Can you show the output of `clang -v` as well?