Nim on the Attack
Process Injection Using Nim and the Windows API
https://huskyhacks.dev/2021/07/17/nim-exploit-dev/
#redteam #winapi #injection #nim
Native Function Static Map
A *very* imperfect attempt to correlate Kernel32 function calls to native API (Nt/Zw) counterparts/execution flow.
# https://u5ksv.csb.app/
# https://github.com/EspressoCake/NativeFunctionStaticMap
#mapping #pinvoke #winapi #maldev
Optimizing Windows Function Resolving: A Case Study Into GetProcAddress
https://phasetw0.com/windows-internals/optimizing_function_resolving/
#edr #evasion #winapi #getprocaddress
⚔️ Remote Code Injection by Abusing CreateProcess and GetEnvironmentVariable
New method of injecting code into a remote process without using WriteProcessMemory.
CreateProcess:
https://www.x86matthew.com/view_post?id=proc_env_injection
GetEnvironmentVariable:
https://x-c3ll.github.io/posts/GetEnvironmentVariable-Process-Injection/
#maldev #process #inject #pinvoke #winapi
🛡 On Detection: Tactical to Functional
The goal of this series is to facilitate a conversation about the more technical aspects of attacks and how a deeper understanding at the more foundational levels helps to provide a better base to build assumptions from.
🔗 Part 1: Discovering API Function Usage through Source Code Review
🔗 Part 2: Operations
🔗 Part 3: Expanding the Function Call Graph
#maldev #pinvoke #winapi #detection #blueteam #ttp
Abusing the Windows fork API and the OneDrive.exe process to inject malicious shellcode without allocating a new RWX memory region. The technique finds an existing RWX region in an already running process (in this case OneDrive.exe), writes the shellcode into that region, and executes it without calling VirtualProtect, VirtualAllocEx, or VirtualAlloc.
🚀 Steps:
— Find the OneDrive.exe in running processes;
— Get the handle of OneDrive.exe;
— Query remote process memory information;
— Look for RWX memory regions;
— Write shellcode into found region of OneDrive.exe;
— Fork OneDrive.exe into a new process;
— Set the forked process's start address to the cloned shellcode;
— Terminate the cloned process after execution.
🔗 https://github.com/Offensive-Panda/RWX_MEMEORY_HUNT_AND_INJECTION_DV
#winapi #onedrive #injection #maldev #cpp
⚙️ Remote Session Enumeration
The blog post explores how to enumerate remote user sessions on Windows using undocumented Windows APIs, specifically focusing on the implementation and usage of the WinStation API.
🔗 Research:
https://0xv1n.github.io/posts/sessionenumeration/
🔗 Source:
https://github.com/0xv1n/RemoteSessionEnum/blob/main/main.cpp
#windows #qwinsta #session #winapi #cpp
If you want to take a happy little journey through PEB structs, PE headers and kernel32.dll Export Table to spawn some "calc.exe" on x64 using Assembly, here it is.
📚 What you will learn:
— WinAPI function manual location with Assembly;
— PEB Structure and PEB_LDR_DATA;
— PE File Structure;
— Relative Virtual Address calculation;
— Export Address Table (EAT);
— Windows x64 calling-convention in practice;
— Writing in Assembly like a real Giga-Chad...
🔗 Source:
https://print3m.github.io/blog/x64-winapi-shellcoding
#maldev #winapi #x64 #shellcode #assembly