kav6 hooks five functions inside kernel32.dll: LoadLibraryA/W, LoadLibraryExA/W and GetProcAddress. If it finds that a function's return address is located on the stack, it pops up a "buffer overrun detected" alarm, and subsequent calls to load the DLL from that function will also alarm. Bypass method: inside the shellcode, the return address for calls to these functions is placed in a code segment, inside kernel32.dll, etc. The specific implementation is improvised :-)
axis's brief comment: each AV's hook functions are not the same; those who are interested may wish to discuss them. Once you know the principles, breaking these protections is relatively easy. In addition, bypassing protection with shellcode should be simpler than bypassing protection with a Trojan, because generally the shellcode is already executing inside the process when the vulnerability is exploited.
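The return-address check described in the first post above, as an added example that is not the poster's code: it assumes Linux and uses /proc/self/maps as a stand-in for the thread's stack bounds (the Windows hook would read StackBase/StackLimit from the TEB), and the hooked entry takes the return address as an explicit argument instead of reading it from its caller's frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stack bounds of the main thread, read from /proc/self/maps (assumed
 * Linux stand-in for the TEB StackBase/StackLimit a Windows hook reads).
 * Returns 0 on success, -1 if the [stack] mapping is not found. */
static int stack_bounds(unsigned long *lo, unsigned long *hi)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int rc = -1;
    if (!f)
        return -1;
    while (rc != 0 && fgets(line, sizeof line, f))
        if (strstr(line, "[stack]") && sscanf(line, "%lx-%lx", lo, hi) == 2)
            rc = 0;
    fclose(f);
    return rc;
}

/* 1 if addr lies inside the stack mapping, 0 if not, -1 if unknown. */
int address_on_stack(const void *addr)
{
    unsigned long lo, hi, a = (unsigned long)(uintptr_t)addr;
    if (stack_bounds(&lo, &hi) != 0)
        return -1;
    return (a >= lo && a < hi) ? 1 : 0;
}

/* Stand-in for the hooked API entry: a real hook reads the return address
 * its caller pushed; here the caller passes it explicitly. */
int hooked_api_check(const void *ret_addr)
{
    return address_on_stack(ret_addr);
}
/* Normal caller: its return address points into the code segment. */
__attribute__((noinline)) int call_from_code(void)
{
    return hooked_api_check(__builtin_return_address(0));
}

/* A pointer into a stack buffer, as the return address would be when the
 * API was entered from code running on the stack. */
int call_from_stack_buffer(void)
{
    unsigned char buf[16] = {0};
    return hooked_api_check(buf);
}
```

A legitimate caller gets 0 (return address in code), while a caller whose return address falls inside the stack mapping gets 1, which is the condition on which the post says the alarm fires.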