Known ring3 (user-mode) memory protections that can be handled in a simple way.
- Add a syscall hook.
- Specify the action to take when the hooked syscall is called. You can spoof the R10 and RAX values (RAX is the returned value).
- If a syscall is not invoked through the process's safe method, your callback is executed.
- The callback runs as registered, and RAX is spoofed.
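The four steps above, as an added example that is not EasySafe's own code: a portable model of the hook flow. The real library intercepts Windows syscalls; here the "syscall" is an ordinary C function so the policy logic (register a hook, let safe-path calls through, run the callback for everything else and hand back a spoofed RAX) can be run anywhere. The names hook_table, add_syscall_hook, dispatch_syscall and deny_unsafe, and the syscall number 42, are assumptions constructed for this example; only STATUS_ACCESS_DENIED is a genuine NTSTATUS value.

```c
/* Added example, not EasySafe's own code: a portable model of the hook flow.
 * All names and the syscall number 42 are constructed for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_HOOKS            16
#define STATUS_SUCCESS       0x00000000u
#define STATUS_ACCESS_DENIED 0xC0000022u   /* genuine NTSTATUS value */
#define SSN_EXAMPLE          42            /* constructed, not a real syscall number */

/* Register state a hook may rewrite before control returns to the caller:
 * RAX carries the NTSTATUS result, R10 the first argument of an x64 syscall. */
typedef struct {
    uint64_t rax;
    uint64_t r10;
} syscall_regs;

typedef void (*hook_cb)(uint32_t ssn, syscall_regs *regs);

typedef struct {
    uint32_t ssn;
    hook_cb  cb;
    bool     used;
} hook_entry;

static hook_entry hook_table[MAX_HOOKS];

/* Step 1: register a hook for one syscall number. Fails if the table is
 * full or that number is already hooked. */
bool add_syscall_hook(uint32_t ssn, hook_cb cb)
{
    int free_slot = -1;
    for (int i = 0; i < MAX_HOOKS; i++) {
        if (hook_table[i].used && hook_table[i].ssn == ssn)
            return false;
        if (!hook_table[i].used && free_slot < 0)
            free_slot = i;
    }
    if (free_slot < 0)
        return false;
    hook_table[free_slot] = (hook_entry){ .ssn = ssn, .cb = cb, .used = true };
    return true;
}

/* Steps 3 and 4: a call that arrives through the process's safe wrapper
 * passes untouched; one that arrives any other way runs the registered
 * callback, which may spoof RAX (and R10) before the result is returned.
 * The real library runs the hook before the kernel transition; this model
 * performs no operation, so only the RAX handed back matters. */
uint64_t dispatch_syscall(uint32_t ssn, uint64_t arg0, bool via_safe_path)
{
    syscall_regs regs = { .rax = STATUS_SUCCESS, .r10 = arg0 };
    if (!via_safe_path) {
        for (int i = 0; i < MAX_HOOKS; i++) {
            if (hook_table[i].used && hook_table[i].ssn == ssn) {
                hook_table[i].cb(ssn, &regs);
                break;
            }
        }
    }
    return regs.rax;
}

/* Step 2: the action for unsafe callers. Records the event so it can be
 * inspected later and makes the call fail with ACCESS_DENIED. */
static int g_unsafe_calls;

void deny_unsafe(uint32_t ssn, syscall_regs *regs)
{
    (void)ssn;
    g_unsafe_calls++;
    regs->rax = STATUS_ACCESS_DENIED;
    regs->r10 = 0;   /* spoof the argument register as well */
}

int unsafe_call_count(void)
{
    return g_unsafe_calls;
}

int main(void)
{
    add_syscall_hook(SSN_EXAMPLE, deny_unsafe);
    printf("safe path:   0x%08llx\n",
           (unsigned long long)dispatch_syscall(SSN_EXAMPLE, 0x1234, true));
    printf("unsafe path: 0x%08llx (hook fired %d time(s))\n",
           (unsigned long long)dispatch_syscall(SSN_EXAMPLE, 0x1234, false),
           unsafe_call_count());
    return 0;
}
```

The hook table is keyed by syscall number and consulted only when the call did not come through the safe path, which is the condition the third step describes; the callback counts the event so the process can tell later how often something bypassed the safe wrapper.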
There are many ways to inject a dynamic-link library into a process using LoadLibrary.
In every case, LoadLibrary ends up calling LdrLoadDll, which is still an internal function. In EasySafe, you can add specific DLLs to the allowlist; for any other DLL, your callback is called and the DLL is not loaded.
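The allowlist decision such an LdrLoadDll callback has to make, as an added example that is not EasySafe's own code, written portably so it runs off Windows. It strips the directory part, compares names case-insensitively (Windows file names are), treats a request without an extension as if ".dll" were appended (as LoadLibrary does), and refuses anything else, so the check fails closed. The names dll_allowed, on_ldr_load, blocked_count and allowlist, the allowlist entries and the sample requests are assumptions constructed for this example.

```c
/* Added example, not EasySafe's own code: the allowlist decision a
 * LdrLoadDll callback would make. Names and entries are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Only these modules may be loaded; everything else is refused. */
static const char *const allowlist[] = {
    "ntdll.dll",
    "kernel32.dll",
    "kernelbase.dll",
};
#define ALLOWLIST_LEN (sizeof allowlist / sizeof allowlist[0])

/* Windows file names are case-insensitive, so compare ASCII case-insensitively. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Strip any directory part; both separators occur in practice. */
static const char *base_name(const char *path)
{
    const char *p = path;
    for (const char *q = path; *q; q++)
        if (*q == '\\' || *q == '/')
            p = q + 1;
    return p;
}

/* Decide whether a load request matches the allowlist. A request with no
 * extension gets ".dll" appended, as LoadLibrary does; an empty name, an
 * overlong name or an unknown module is refused (fail closed). */
bool dll_allowed(const char *requested)
{
    char name[260];
    const char *base = base_name(requested);
    size_t n = strlen(base);
    if (n == 0 || n + sizeof ".dll" > sizeof name)
        return false;
    memcpy(name, base, n + 1);
    if (strchr(name, '.') == NULL)
        memcpy(name + n, ".dll", sizeof ".dll");
    for (size_t i = 0; i < ALLOWLIST_LEN; i++)
        if (name_eq(name, allowlist[i]))
            return true;
    return false;
}

/* The callback the library would invoke for a load request: true lets the
 * load proceed, false blocks it; each refusal is counted and logged. */
static int g_blocked;

bool on_ldr_load(const char *requested)
{
    if (dll_allowed(requested))
        return true;
    g_blocked++;
    fprintf(stderr, "blocked DLL load: %s\n", requested);
    return false;
}

int blocked_count(void)
{
    return g_blocked;
}

int main(void)
{
    const char *requests[] = {            /* constructed sample requests */
        "C:\\Windows\\System32\\ntdll.dll",
        "KERNEL32",
        "C:\\Users\\Public\\untrusted.dll",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-36s -> %s\n", requests[i],
               on_ldr_load(requests[i]) ? "allow" : "block");
    return 0;
}
```

Matching on the base name rather than the full path is deliberate: the same module can be requested by bare name or by several equivalent paths, and the allowlist is about which modules may enter the process, not where they sit on disk. A name that carries a trailing period or an unexpected extension does not match and is refused, which is the safe outcome for a protection hook.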