>the Bruteforcing Processes code doesn’t make sense, are Trend Micro developers not aware of enumerating processes via ZwQuerySystemInformation?
As someone whose work involves screwing around with Windows' internals, whenever I see code like this, I immediately think that the developer doesn't trust Windows' API. I guess that Trend Micro believes there's a chance that ZwQuerySystemInformation has been hooked by a malicious process and its data is unreliable, and they would rather retrieve the information themselves by scanning the memory manually.
In this case, the regulatory board is Microsoft, and there’s nothing telling us (yet) that there isn’t a partnership in which they gave them certification knowing about some of their dirty tricks.
So Trend Micro cheats to get Microsoft certified, and my employer then uses Trend Micro virus scanning to get certified for HITRUST. It's turtles all the way down.
In the early screenshot where it shows the directory listing for "%TEMP%\RootKitBuster", three entries jump out (to me) as immediately interesting:
* sqlite3.dll
* scan_db.sql
* DB <-- a folder name
That scan_db.sql is likely full of SQL statements.
And SQLite can have user defined C functions added.
Depending on when those SQL statements are run (just for initial DB creation? during every run? etc), it could be a cheap and easy way to get your code running in a high privilege context. :)