From 3ea456c2e4d2ff09c98bb0e661901851f7062753 Mon Sep 17 00:00:00 2001
From: Felix Bauer
Date: Thu, 26 Aug 2021 18:13:11 +0200
Subject: [PATCH] analysis package XLS: Add option ntdll-protect=0

There is an issue regarding the "ntdll write protection preventing AppV hooking in Office 2016 32bit #21" in the capemon repository. https://github.com/kevoreilly/capemon/issues/21 It states "Starting Winword and Excel 2016 32 bit with capemon loaded on recent Windows 10 quickly ends in an error message The operating system is not presently configured to run this application". "... in the unhooked Winword.exe, disassembly of ntdll exports contain hooks redirecting into module appvisvsubsystems32. In the monitored process, they do not"
---
 analyzer/windows/modules/packages/xls.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/analyzer/windows/modules/packages/xls.py b/analyzer/windows/modules/packages/xls.py
index f3bcae8ab1c..c89a5b18de6 100644
--- a/analyzer/windows/modules/packages/xls.py
+++ b/analyzer/windows/modules/packages/xls.py
@@ -15,6 +15,7 @@ def __init__(self, options={}, config=None):
         self.config = config
         self.options = options
         self.options["exclude-apis"] = "memcpy"
+        self.options["ntdll-protect"] = "0"
 
     PATHS = [
         ("ProgramFiles", "Microsoft Office", "EXCEL.EXE"),
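Review bot: The added `self.options["ntdll-protect"] = "0"` unconditionally overwrites whatever value the analyst passed in `options`, and the reason for weakening the monitor's ntdll write protection lives only in the commit message, not in the code. Since the setting trades anti-unhooking protection for Office 2016 32-bit compatibility, a maintainer reading the package later needs that context next to the line; consider `# Office 2016 32-bit (AppV hooks in ntdll) fails to start with ntdll write protection on, see capemon issue #21` and `self.options.setdefault("ntdll-protect", "0")` so an explicit per-task value still wins. Note also that `__init__` is declared with a mutable default `options={}` and assigns it to `self.options` before mutating it, so when no options dict is passed the new key (like the existing `exclude-apis`) is written into the shared default and carried across instances; that is pre-existing but this change adds to it. The surrounding `__init__` starts before this hunk.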