wineggdrop

Results 33 comments of wineggdrop

The GetProcessTimes API gets called a lot.

PcwCollectData seems to be the native call behind PdhCollectQueryData.

Something not about the CPU usage hiding but about PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY. When the r77 rootkit is installed, no doubt creating a new process with PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY still gets injected, because the r77 rootkit interrupts the NtResumeThread call and injects...

A process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON set is supposed to block 3rd-party module injection except with a Microsoft digital signature. If I inject r77's DLL with normal injection, some error windows will pop up, but...

That error won't occur using the test console/full installation. As long as the injection doesn't involve a DLL file on disk, no error shows up.

C:\Windows\System32\KERNEL32.DLL -> CreateProcessAsUserW
C:\Windows\System32\KERNELBASE.dll -> CreateProcessAsUserW
C:\Windows\System32\advapi32.dll -> CreateProcessAsUserW
CreateProcessAsUserW could be in all 3 of them; you may need to hook all 3.

https://github.com/user-attachments/assets/1d4afb18-e3f0-46a8-bd2e-618666d09afa I don't understand why the case 3 test fails (the DLL fails to load into notepad.exe) if the logon user is not the default administrator (all 3 tests succeed in loading the DLL...

Disabling the polling injection gives the same result when Kaspersky is on; probably Kaspersky causes it. However, the race condition could possibly happen by chance, just in rare conditions, since detecting if a process is hooked...

> Yes, in theory when a process is injected twice in the **exact** same moment, this condition could be satisfied, resulting in r77 loading twice.
>
> ```
> //...
> ```