Posted December 15, 2022

Hi guys, so I was just coding around a little and testing my stuff in OllyDBG and was wondering why I could not find the CreateProcess function in my intermodular calls list. Then I was checking out the IAT of my app and there I could also not find the CreateProcess function, and just found an address to an AcLayers address which seems to be on top before calling the function. Just wanna know why, and of course why? Is it just an on-top protection function or something? Is it needed to be used by Windows, and is there a way to prevent / disable that, and is there also a function list of what APIs are affected by those OnTop AcLayers PRE calls? Why that injection? Below my IAT part..

0045C108 >77175980 KERNEL32.ExitProcess
0045C10C >77173830 JMP to KERNELBA.DeleteFileA
0045C110 >6E1018A0 AcLayers.6E1018A0 <---- CreateProcessA inside call
0045C114 >77173800 JMP to KERNELBA.CreateFileA
0045C118 >77167D40 KERNEL32.CompareStringA
0045C11C >771735B0 JMP to KERNELBA.CloseHandle

greetz
December 15, 2022

It's called Application Compatibility Engine. Google for "shim Application Compatibility Engine" to learn more. To disable this feature, there's a system-wide setting: https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.ApplicationCompatibility::AppCompatTurnOffEngine
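A small triage script for the situation in the question, added here as an example and not posted by either participant: it parses an OllyDbg-style IAT listing (the sample below is the excerpt from the original post, embedded as constructed input) and flags import slots whose thunk resolves into a module outside the set you expect for a plain Win32 program. The expected-module set, the `IatEntry` type and the function names are assumptions of this example; the same comparison is what you would do in a live process by checking each IAT slot against the export address of the named function, which also catches third-party IAT hooks, not only shim-engine redirection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the IAT excerpt from the original post, in OllyDbg's
# dump format "<IAT slot> ><resolved address> <module>.<symbol|address> [note]".
SAMPLE_IAT = """\
0045C108 >77175980 KERNEL32.ExitProcess
0045C10C >77173830 JMP to KERNELBA.DeleteFileA
0045C110 >6E1018A0 AcLayers.6E1018A0 <---- CreateProcessA inside call
0045C114 >77173800 JMP to KERNELBA.CreateFileA
0045C118 >77167D40 KERNEL32.CompareStringA
0045C11C >771735B0 JMP to KERNELBA.CloseHandle
"""

# Assumed baseline: modules an import of an unmodified Win32 program is expected
# to land in. "KERNELBA" is OllyDbg's truncation of KernelBase.
EXPECTED_MODULES = {"KERNEL32", "KERNELBA", "NTDLL", "USER32", "GDI32",
                    "ADVAPI32", "MSVCRT"}

LINE_RE = re.compile(
    r"^(?P<slot>[0-9A-Fa-f]{8})\s+>(?P<target>[0-9A-Fa-f]{8})\s+"
    r"(?P<jmp>JMP to )?(?P<module>[A-Za-z0-9_]+)\.(?P<symbol>[A-Za-z0-9_@]+)"
    r"(?:\s+<-+\s*(?P<note>.*))?$"
)


@dataclass
class IatEntry:
    slot: int          # address of the IAT slot inside the program
    target: int        # address the slot currently points to
    module: str        # module OllyDbg attributed the target to
    symbol: str        # export name, or the bare address if no name was known
    via_jmp: bool      # True when the target is a forwarding JMP stub
    note: Optional[str]

    @property
    def symbol_is_address(self) -> bool:
        # "AcLayers.6E1018A0": no export name for the target, so OllyDbg printed
        # the address itself. Typical for an anonymous hook or shim stub.
        return (re.fullmatch(r"[0-9A-Fa-f]{8}", self.symbol) is not None
                and int(self.symbol, 16) == self.target)


def parse_iat(dump: str) -> List[IatEntry]:
    """Parse an OllyDbg-style IAT dump; lines that do not match are skipped."""
    entries = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(IatEntry(
            slot=int(m["slot"], 16),
            target=int(m["target"], 16),
            module=m["module"],
            symbol=m["symbol"],
            via_jmp=m["jmp"] is not None,
            note=m["note"].strip() if m["note"] else None,
        ))
    return entries


def find_redirected_imports(entries, expected=EXPECTED_MODULES):
    """Return entries whose thunk resolves into a module outside the baseline."""
    return [e for e in entries if e.module.upper() not in expected]


def report(dump: str) -> dict:
    """Map each suspicious IAT slot (as hex) to a short description."""
    out = {}
    for e in find_redirected_imports(parse_iat(dump)):
        kind = "unnamed stub" if e.symbol_is_address else "named export"
        desc = f"{e.module}.{e.symbol} ({kind})"
        if e.note:
            desc += f" note: {e.note}"
        out[f"{e.slot:08X}"] = desc
    return out


if __name__ == "__main__":
    for slot, desc in report(SAMPLE_IAT).items():
        print(f"{slot} -> {desc}")
```

Only the slot at 0045C110 is reported for the sample, which is exactly the CreateProcessA import the poster could not find: it no longer points at a KernelBase export but at an unnamed stub inside AcLayers, the shim DLL the compatibility engine loaded into the process. After the policy from the reply (or an environment without a matching shim database entry) the same listing should show that slot resolving into KERNELBA like its neighbours.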