False positive?
tempeleng opened this issue · comments
Saw the following detections in Virtualbox guest OS:
[pafish] Hooks traced using ShellExecuteExW method 1
[pafish] Hooks traced using CreateProcessA method 1
Using pafish v056 compiled using gcc 64-bit. Tested on Windows 7 64-bit and Windows 8 64-bit.
I am not hooking those processes.
Hello!
This is not really an FP, the detection is triggered because it was compiled for 64-bit.
This detection method is looking for the bytes 8BFF (MOV EDI, EDI) at the beginning of the Windows API functions, which are used for hot patching, and are usually also modified to hook functions in userland.
In x64 these bytes are not present, and this is why pafish thinks the function may be hooked.
More details in the following article: https://blogs.msdn.microsoft.com/oldnewthing/20110921-00/?p=9583
The solution for this would be to compile the 32-bit binary instead of 64-bit.
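To make the explanation above concrete, here is an added example (not pafish's own code) that applies the same `8B FF` prologue check to constructed byte sequences and shows why a 64-bit function trips it. The sample prologues are made up for the illustration; nothing is read from a live process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample prologues (not captured from a real process). */
static const uint8_t x86_hotpatch[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t x86_modified[] = {0xE9, 0x00, 0x00, 0x00, 0x00}; /* jmp rel32: the prologue was overwritten */
static const uint8_t x64_prologue[] = {0x48, 0x83, 0xEC, 0x28};       /* sub rsp,0x28: no mov edi,edi on x64 */

enum prologue_verdict { PROLOGUE_INTACT = 0, PROLOGUE_MODIFIED = 1, PROLOGUE_INCONCLUSIVE = 2 };

/* The check as described in the thread: flag the function as modified whenever
 * the first two bytes are not 8B FF (MOV EDI, EDI). Applied to 64-bit code this
 * fires on every function, which is the "false positive" reported above. */
int naive_hotpatch_check(const uint8_t *code, size_t len) {
    if (len < 2) return PROLOGUE_INCONCLUSIVE;
    return (code[0] == 0x8B && code[1] == 0xFF) ? PROLOGUE_INTACT : PROLOGUE_MODIFIED;
}

/* Same check with the caveat from the thread applied: the hot-patch prologue
 * only exists in 32-bit builds, so for 64-bit code the result is inconclusive. */
int hotpatch_check(const uint8_t *code, size_t len, int is_64bit) {
    if (is_64bit) return PROLOGUE_INCONCLUSIVE;
    return naive_hotpatch_check(code, len);
}

static const char *verdict_name(int v) {
    return v == PROLOGUE_INTACT ? "intact" : v == PROLOGUE_MODIFIED ? "modified" : "inconclusive";
}

int main(void) {
    printf("x86 hot-patchable : %s\n", verdict_name(hotpatch_check(x86_hotpatch, sizeof x86_hotpatch, 0)));
    printf("x86 overwritten   : %s\n", verdict_name(hotpatch_check(x86_modified, sizeof x86_modified, 0)));
    printf("x64, naive check  : %s\n", verdict_name(naive_hotpatch_check(x64_prologue, sizeof x64_prologue)));
    printf("x64, arch-aware   : %s\n", verdict_name(hotpatch_check(x64_prologue, sizeof x64_prologue, 1)));
    return 0;
}
```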