analysis package XLS: Add option ntdll-protect=0
There is an issue regarding the "ntdll write protection preventing AppV hooking
in Office 2016 32bit kevoreilly#21" in the capemon repository.
kevoreilly/capemon#21

It states "Starting Winword and Excel 2016 32 bit with capemon loaded on recent
Windows 10 quickly ends in an error message The operating system is not
presently configured to run this application".

"... in the unhooked Winword.exe, disassembly of ntdll exports contain hooks
redirecting into module appvisvsubsystems32. In the monitored process, they do
not"
Jack28 authored and Felix Bauer committed Aug 31, 2021
1 parent 8a4edbe commit 3ea456c
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions analyzer/windows/modules/packages/xls.py
Expand Up @@ -15,6 +15,7 @@ def __init__(self, options={}, config=None):
self.config = config
self.options = options
self.options["exclude-apis"] = "memcpy"
self.options["ntdll-protect"] = "0"

PATHS = [
("ProgramFiles", "Microsoft Office", "EXCEL.EXE"),
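Review bot: The new assignment `self.options["ntdll-protect"] = "0"` in `__init__` is unconditional, so it overwrites any value the submitter passed for this option and turns off the ntdll write protection for every XLS analysis, while the commit message describes the failure only for Office 2016 32-bit on recent Windows 10. Consider `self.options.setdefault("ntdll-protect", "0")` so an explicit task option still wins, and add a short comment above the line pointing to kevoreilly/capemon#21 so the reason for the weaker monitor setting is recorded in the code. The commit message also names Winword, but only xls.py is changed here; if the Word package needs the same setting, it should be covered in this change or a follow-up. Separately, the signature uses a mutable default (`options={}`), so these writes land in a dict shared across instances created without options.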