
Yeah, that was also my understanding, and I can't imagine an AV module able to intercept filesystem and syscalls to be only using non-core symbols. But of course you never know without decompiling the module.


> and I can't imagine an AV module able to intercept filesystem and syscalls to be only using non-core symbols.

I can, considering that you can do that from user space using strace. Or eBPF, which is probably the actual right way to do this kind of thing.



