Search found 4 matches
- Wed Apr 05, 2023 2:14 pm
- Forum: Enigma Virtual Box x86/x64
- Topic: Process32Next seeing temp file name
- Replies: 6
- Views: 4315
Re: Process32Next seeing temp file name
Yeah, I noticed quite a bit of hooks inside ntdll
- Wed Apr 05, 2023 12:37 pm
- Forum: Enigma Virtual Box x86/x64
- Topic: Process32Next seeing temp file name
- Replies: 6
- Views: 4315
Re: Process32Next seeing temp file name
Module32First/Module32Next are hooked and return correct data. As for Process32First/Process32Next - agree, they return this .tmp file name, but there are specifics to make it hooked and changed. I will add it to the todo list, let's see if it would be possible to develop. Thanks! For reference, here i...
- Wed Apr 05, 2023 7:56 am
- Forum: Enigma Virtual Box x86/x64
- Topic: Process32Next seeing temp file name
- Replies: 6
- Views: 4315
Re: Process32Next seeing temp file name
To elaborate a bit: I am calling Process32First / Process32Next from inside the box, so I expected this to be fixed up by the hooks placed from virtualbox. A workaround would be to detect the process name starting with 'evb' and ending with '.tmp', and then call Module32First, because this will r...
- Mon Apr 03, 2023 6:23 pm
- Forum: Enigma Virtual Box x86/x64
- Topic: Process32Next seeing temp file name
- Replies: 6
- Views: 4315
Process32Next seeing temp file name
Process32First / Process32Next return the 'temp' filename for processes that are started from inside the box.
e.g. the process name will be `evb4760.tmp` instead of what is expected.