
Yeah, that was also my understanding, and I can't imagine an AV module able to intercept filesystem and syscalls to be only using non-core symbols. But of course you never know without decompiling the module.


> and I can't imagine an AV module able to intercept filesystem and syscalls to be only using non-core symbols.

I can, considering that you can do that from user space using strace. Or eBPF, which is probably the actual right way to do this kind of thing.



