https://blog.lentic.de/tags/unsigned/ Recent content in Unsigned on fahersto's blog Hugo -- gohugo.io en <a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a> Fri, 18 Mar 2022 00:00:00 +0000 https://blog.lentic.de/posts/obregistercallbacks/ Fri, 18 Mar 2022 00:00:00 +0000 https://blog.lentic.de/posts/obregistercallbacks/ Monitor handle acquisition Acquiring a handle to a target process is a critical step in many code injection techniques. The Windows operating system exposes a mechanism that allows kernel mode drivers to supply handle operation callbacks. These callbacks can be registered by calling ObRegisterCallbacks. When a handle is created or duplicated the pre-operation callback is invoked before the operation is performed and the post-operation callback after the operation occurred. This mechanism is utilized by many antivirus and Anti-Cheat solutions to protect processes from code injection.