The function NtSetInformationWorkerFactory, used to trigger code execution, is detected by WIN64AST for Win 10 by m5home, in "Behavior Monitor". Detection result is open thread handle with full access (which I never did!!) as well as creating a remote thread in target process (which I NEVER did too and what this rtsectionproject is ACTUALLY supposed to avoid in the first place!)
A solution seems to be yet another WorkerFactory function which was tested successfully on explorer.exe and notepad.exe. With new function the worker must NOT return to work after hijacking.
Only NtSetInformationWorkerFactory is detected, no NtDuplicateObject.
The function NtSetInformationWorkerFactory, used to trigger code execution, is detected by WIN64AST for Win 10 by m5home, in "Behavior Monitor". Detection result is open thread handle with full access (which I never did!!) as well as creating a remote thread in target process (which I NEVER did too and what this rtsectionproject is ACTUALLY supposed to avoid in the first place!)
A solution seems to be yet another WorkerFactory function which was tested successfully on explorer.exe and notepad.exe. With new function the worker must NOT return to work after hijacking.
Only NtSetInformationWorkerFactory is detected, no NtDuplicateObject.