
How is my Browser blocking RWX execution?

Submitted by Style Pass, 2025-01-05 11:30:16

While testing payloads, I stumbled across a security feature implemented within a popular browser, which acts like an EDR. By hooking a key Windows API, it checks thread creation at runtime and then decides whether this should run or not.

I have been testing a new type of process injection technique. It will probably be published on this blog in the near future, but the purpose here is not that injection technique in particular, but how I randomly came across a mechanism within a browser which acts like an EDR.

While injecting and executing successfully against something as simple as notepad.exe is a nice start, the real test consists of confirming that this still works properly against more complex applications (.NET, large multi-threaded apps like browsers, etc.).

This is especially important for injection techniques since they will in some way interfere with the target process. Therefore, ensuring stability is key.
