How to prevent redirections of functions to AcLayers.dll?


LCF-AT

Hi guys,

So I was just coding around a little and testing my stuff in OllyDBG, and was wondering why I could not find the CreateProcess function in my intermodular calls list. Then I checked the IAT of my app, and there I also could not find the CreateProcess function; I just found an address to AcLayers, which seems to be on top before calling the function. Just wanna know why and, of course, why? :) Is it just an on-top protection function or something? Does Windows need to use it, is there a way to prevent / disable that, and is there also a list of which APIs are affected by those on-top AcLayers PRE calls? Why that injection? Below is my IAT part:

0045C108 >77175980  KERNEL32.ExitProcess
0045C10C >77173830  JMP to KERNELBA.DeleteFileA
0045C110 >6E1018A0  AcLayers.6E1018A0  <---- CreateProcessA inside call
0045C114 >77173800  JMP to KERNELBA.CreateFileA
0045C118 >77167D40  KERNEL32.CompareStringA
0045C11C >771735B0  JMP to KERNELBA.CloseHandle

greetz
