Event JSON
{
"id": "8b9e73587b315f42090be310b8fdaa2373103014cf21f69825c8fa72c5dd64fc",
"pubkey": "6c5fbbb2ed7c3a8df0f17376ad38167bef90ad337d0cc46d26f0ca68620b9a71",
"created_at": 1721402870,
"kind": 1,
"tags": [
[
"e",
"c11e6270f33a491371323e34ca146b2216ac289b1a385b06e1c5e999795ef08d",
"",
"root"
],
[
"e",
"5cf3540ef4d42d3bf090e12fe76fd6f4d48f3a584234ac272e13b5cae1022677"
],
[
"e",
"96eebe79db778d8b05d012d154c1e2a8143e6c5521f895291f9b37d04793d84c",
"",
"reply"
],
[
"p",
"3f770d65d3a764a9c5cb503ae123e62ec7598ad035d836e2a810f3877a745b24"
],
[
"p",
"7ca66d4166b16f54a16868191ba1c6386a976624f4634f3896d9b6740a388ca3"
],
[
"p",
"3c07d68edf71f6d22374dffae054e6801468594e7b0d0625fb5bcd24b202264d"
],
[
"p",
"32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245"
],
[
"p",
"6c5fbbb2ed7c3a8df0f17376ad38167bef90ad337d0cc46d26f0ca68620b9a71"
],
[
"p",
"1f830dd875130b134fbf3f27a69eecd8613a499748a71b5a271a719febae14ed"
]
],
"content": "No, you don't need kernel mode access to hook into API calls like NtReadVirtualMemory, NtOpenProcess, etc which are all API calls that exist in usermode space. Having usermode hooks certainly makes it easier for malware to thus unhook the security agent and avoid detection. So it is a trade off.",
"sig": "a2614a4e35dff5caefe55a20fbf70088f3bdd2ec519083c40c6b37c961d222e6371047fbd8aa3b0dd3e634bd332c6db00f5cd06605f02ce2d83df19864bf976a"
}
