You Won't Learn This in School: Disabling Kernel Functions in Your Process (2009)
a year ago
- #Windows
- #Debugging
- #Low-Level
- The article discusses a problem where Direct3D and Flash were interfering with unhandled exception filters by installing their own handlers repeatedly, causing unreliable crash reports.
- A solution was implemented by disabling the `SetUnhandledExceptionFilter` function after installing a custom handler, ensuring the custom exception handler remains in place.
- The method patches the function in memory, overwriting its prologue with a return instruction so that later calls to `SetUnhandledExceptionFilter` become no-ops.
- The article provides a detailed code snippet demonstrating how to safely modify the function in memory, including checks to ensure the expected code is present before modification.
- Discussions in the comments cover potential issues with newer Windows versions, the impact on other processes, and alternative solutions like IAT hooking.
- The technique is noted to work on modern Windows versions, including Vista, and is defended as a valid approach for user-mode API manipulation.
- Comments also explore the implications of such techniques, including their use in malware and the importance of understanding low-level Windows internals.
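The check-before-patch step described in the summary, as an added example that is not the article's own code: the byte-level patch is separated from the Windows-specific memory-protection wrapper so the core logic can be exercised on a constructed buffer. The expected prologue bytes (the 5-byte x86 hot-patch prologue `mov edi,edi; push ebp; mov ebp,esp`) and the stdcall `ret 4` stub are assumptions about 32-bit Windows builds, not values taken from the page.

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed 32-bit hot-patch prologue of kernel32!SetUnhandledExceptionFilter:
 *   8B FF     mov edi, edi
 *   55        push ebp
 *   8B EC     mov ebp, esp
 * Replacement of identical length, so no following instruction is half-overwritten:
 *   33 C0     xor eax, eax   ; return NULL ("no previous filter")
 *   C2 04 00  ret 4          ; stdcall: pop the single 4-byte argument
 */
static const unsigned char kExpectedPrologue[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
static const unsigned char kReturnStub[]       = {0x33, 0xC0, 0xC2, 0x04, 0x00};

enum { PATCH_OK = 0, PATCH_UNEXPECTED_CODE = 1, PATCH_ALREADY_APPLIED = 2 };

/* Patch the code at `code` in place, but only if it still holds the expected prologue.
 * A different OS build or a function already hooked by someone else is left untouched. */
int disable_function_prologue(unsigned char *code, size_t len)
{
    if (len < sizeof kExpectedPrologue)
        return PATCH_UNEXPECTED_CODE;
    if (memcmp(code, kReturnStub, sizeof kReturnStub) == 0)
        return PATCH_ALREADY_APPLIED;
    if (memcmp(code, kExpectedPrologue, sizeof kExpectedPrologue) != 0)
        return PATCH_UNEXPECTED_CODE;
    memcpy(code, kReturnStub, sizeof kReturnStub);
    return PATCH_OK;
}

#ifdef _WIN32
/* Windows wrapper: make the page writable, patch, restore protection, flush the icache. */
int disable_set_unhandled_exception_filter(void)
{
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    unsigned char *fn = (unsigned char *)GetProcAddress(k32, "SetUnhandledExceptionFilter");
    DWORD old;
    int rc;
    if (!fn || !VirtualProtect(fn, sizeof kReturnStub, PAGE_EXECUTE_READWRITE, &old))
        return PATCH_UNEXPECTED_CODE;
    rc = disable_function_prologue(fn, sizeof kReturnStub);
    VirtualProtect(fn, sizeof kReturnStub, old, &old);
    FlushInstructionCache(GetCurrentProcess(), fn, sizeof kReturnStub);
    return rc;
}
#endif
```

Install the custom filter first and only then call the wrapper; on a build whose prologue differs, the function reports `PATCH_UNEXPECTED_CODE` and leaves the API intact rather than corrupting it.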