Quote: Originally Posted by Ryan2320
So the built-in DEP protection would not stop this either, or am I thinking of something different??
DEP prevents malicious code from running from memory locations that only Windows and other programs should use. Such malware damages your system by taking over one or more memory locations in use by a program. These kinds of attacks used to be quite common; as a result, MS introduced the DEP feature from XP SP2 onwards. DEP does not prevent nasties from being installed on your computer, it just monitors your programs to determine if they use system memory safely. The way it does this is to mark some memory locations as "non-executable". If any program tries to run code (ANY code) from such a protected location, DEP closes the program and notifies you with a warning message.
The kernel hook exploits described by Matousec are different and are a direct result of software vendors not following the laid-down rules and guidelines for kernel-mode code writing. There are MS documents which describe how this is to be done correctly and stably, but many vendors just don't bother. So basically, most current AVs and firewalls are faulty by design and need to rectify this at their end.
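The post above describes the DEP/NX mechanism in general terms: a page is marked non-executable, and any attempt to fetch instructions from it is trapped by the hardware and the OS, which then terminates the program. The following is an added example, not code from the original post, that shows that trap happening in a controlled way on Linux (the same NX page-table bit that DEP relies on under Windows). It maps one page readable and writable but not executable, installs a SIGSEGV/SIGBUS handler that recovers with siglongjmp instead of letting the process die, and then transfers control into the data page. The page holds only zero bytes; its content does not matter, because the CPU refuses to fetch from a non-executable page before it ever decodes anything. The function returns 1 when the fault was observed, which is the normal result on any NX-capable Linux system (assumed: x86-64 or arm64 with NX enabled, which is the default).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Recovery point and flag set by the fault handler. */
static sigjmp_buf recover;
static volatile sig_atomic_t fault_seen;

/* Handler for the access violation raised when control lands on a
 * non-executable page. It records the event and unwinds back to
 * sigsetjmp() so the demonstration can report the outcome. */
static void on_fault(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(recover, 1);
}

/* Map one read/write (non-executable) page and try to execute it.
 * Returns 1 if the execution attempt was trapped (the DEP/NX case),
 * 0 if control went through the page without a fault, -1 on setup error. */
int execution_from_data_page_is_blocked(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;

    /* Zero-filled page: ordinary data, never intended to be code. */
    memset(buf, 0, (size_t)page);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report NX faults as SIGBUS */

    fault_seen = 0;
    volatile int result = 0;
    if (sigsetjmp(recover, 1) == 0) {
        /* Treat the data page as a function. On an NX-enforcing system
         * the call never executes a single instruction from the page. */
        void (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);
        fn();
        result = 0;   /* reached only if the page was executable */
    } else {
        result = fault_seen ? 1 : 0;
    }

    /* Restore the original handlers and release the page. */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, (size_t)page);
    return result;
}

int main(void)
{
    int r = execution_from_data_page_is_blocked();
    if (r == 1)
        puts("NX/DEP enforced: execution from the data page was trapped");
    else if (r == 0)
        puts("No fault: this system executed code from a data page");
    else
        puts("setup error (mmap failed)");
    return 0;
}
```

The difference between this program and a real DEP event is only what happens after the trap: here the handler swallows the signal and returns a status, whereas Windows (or an unhandled SIGSEGV on Linux) terminates the process, which is exactly the "DEP closes the program" behaviour the post describes. Note that this shows only the page-permission check; it says nothing about kernel-mode hooking, which, as the post points out, is a separate problem that DEP does not address.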