Category Archives: programming

Windows Process Injection: Command Line and Environment Variables

Contents: Introduction; Shellcode; Environment Variables; Command Line; Window Title; Runtime Data.

1. Introduction. There are many ways to load shellcode into the address space of a process, but knowing precisely where it’s …

Posted in assembly, injection, malware, process injection, programming, redteam, security, shellcode, windows

Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC

Contents: Introduction; Edit Controls; Writing CP-1252 Compatible Code; Initialization; Set RAX to 0; Set RAX to 1; Set RAX to -1; Load and Store Data; Two Byte Instructions; Prefix Codes; Generating Shellcode; Injecting and Executing; Demonstration; Encoding Arbitrary Data; Encoding; Decoding …

Posted in assembly, injection, process injection, programming, redteam, security, shellcode, windows

Invoking System Calls and Windows Debugger Engine

Introduction. A quick post about Windows system calls that I had forgotten I was working on after the release of Dumpert by Cn33liz last year, which is described in this post. Typically, EDR and AV set hooks on Win32 API or NT wrapper …

Posted in assembly, programming, redteam, security, windows

Shellcode: Recycling Compression Algorithms for the Z80, 8088, 6502, 8086, and 68K Architectures

Contents: Introduction; History; Entropy Coding; Universal code; Lempel-Ziv (LZ77/LZ1); Lempel-Ziv-Storer-Szymanski (LZSS); Lempel-Ziv-Bell (LZB); Intel 8088 / 8086; LZE; LZ4; LZSA; aPLib; MOS Technology 6502; Exomizer; Pucrunch; Zilog 80 …

Posted in compression, encryption, iot, linux, optimization, programming, shellcode, windows

Shellcode: Data Compression

Introduction. This post examines data compression algorithms suitable for position-independent code and assumes you’re already familiar with the concept and purpose of data compression. For those of you curious to know more about the science, or information theory, read Data …

Posted in assembly, compression, linux, malware, programming, security, shellcode, windows
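
The two compression posts above both single out LZSS as a scheme whose decoder is small enough to carry inside position-independent code. The following is an added example, not code from either post: a greedy LZSS encoder with the classic 12-bit distance / 4-bit length token, and a decoder written the way one would for a payload stub (byte-at-a-time copies so overlapping matches work, no library calls), but kept bounds-checked. The token layout (one flag byte per eight tokens; literal byte, or two-byte match), the macro and function names, and the sample text are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classic LZSS parameters: 12-bit distance (1..4095), 4-bit length (3..18).
 * These are assumptions for this example, not the parameters of any post. */
#define LZSS_WINDOW    4095
#define LZSS_MIN_MATCH 3
#define LZSS_MAX_MATCH (LZSS_MIN_MATCH + 15)

/* Worst-case packed size: every byte a literal plus one flag byte per 8 tokens. */
#define LZSS_BOUND(n) ((n) + (n) / 8 + 2)

/* Greedy encoder. Each group is one flag byte followed by up to 8 tokens.
 * Flag bit i (LSB first) set: token i is a literal byte.
 * Flag bit i clear: token i is a 2-byte match: low 8 bits of the distance,
 * then (high 4 bits of the distance << 4) | (length - 3). */
size_t lzss_compress(const uint8_t *in, size_t n, uint8_t *out)
{
    size_t ip = 0, op = 0;
    while (ip < n) {
        size_t flag_pos = op++;          /* reserve the flag byte, fill it later */
        uint8_t flags = 0;
        for (int bit = 0; bit < 8 && ip < n; bit++) {
            size_t best_len = 0, best_dist = 0;
            size_t start = ip > LZSS_WINDOW ? ip - LZSS_WINDOW : 0;
            for (size_t cand = start; cand < ip; cand++) {
                size_t len = 0;
                /* cand + len may run past ip: overlapping matches are allowed */
                while (len < LZSS_MAX_MATCH && ip + len < n &&
                       in[cand + len] == in[ip + len])
                    len++;
                if (len > best_len) { best_len = len; best_dist = ip - cand; }
            }
            if (best_len >= LZSS_MIN_MATCH) {
                out[op++] = (uint8_t)(best_dist & 0xFF);
                out[op++] = (uint8_t)(((best_dist >> 8) << 4) | (best_len - LZSS_MIN_MATCH));
                ip += best_len;
            } else {
                flags |= (uint8_t)(1u << bit);
                out[op++] = in[ip++];
            }
        }
        out[flag_pos] = flags;
    }
    return op;
}

/* Decoder: the part that would travel with the payload. Returns the number of
 * bytes written, or 0 if the stream is truncated, a match reaches back before
 * the start of the output, or the output would exceed `cap` bytes. */
size_t lzss_decompress(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t ip = 0, op = 0;
    while (ip < n) {
        uint8_t flags = in[ip++];
        for (int bit = 0; bit < 8 && ip < n; bit++) {
            if (flags & (1u << bit)) {
                if (op >= cap) return 0;
                out[op++] = in[ip++];
            } else {
                if (ip + 1 >= n) return 0;          /* truncated match token */
                size_t dist = in[ip] | ((size_t)(in[ip + 1] >> 4) << 8);
                size_t len  = (in[ip + 1] & 0x0F) + LZSS_MIN_MATCH;
                ip += 2;
                if (dist == 0 || dist > op || op + len > cap) return 0;
                while (len--) { out[op] = out[op - dist]; op++; }  /* byte copy: overlap-safe */
            }
        }
    }
    return op;
}

/* Compress `in`, decompress the result and compare it with the input.
 * Returns 1 on success; stores the packed size in *packed when non-NULL. */
int lzss_roundtrip(const uint8_t *in, size_t n, size_t *packed)
{
    uint8_t *buf  = malloc(LZSS_BOUND(n));
    uint8_t *back = malloc(n ? n : 1);
    int ok = 0;
    if (buf && back) {
        size_t plen = lzss_compress(in, n, buf);
        size_t dlen = lzss_decompress(buf, plen, back, n);
        ok = (dlen == n) && (n == 0 || memcmp(in, back, n) == 0);
        if (packed) *packed = plen;
    }
    free(buf);
    free(back);
    return ok;
}

/* Constructed sample input (not from the original posts): eight copies of a
 * phrase, so the encoder finds long back-references after the first copy. */
static const char LZSS_SAMPLE[] =
    "the quick brown fox jumps over the lazy dog. "
    "the quick brown fox jumps over the lazy dog. "
    "the quick brown fox jumps over the lazy dog. "
    "the quick brown fox jumps over the lazy dog. "
    "the quick brown fox jumps over the lazy dog. "
    "the quick brown fox jumps over the lazy dog. "
    "the quick brown fox jumps over the lazy dog. "
    "the quick brown fox jumps over the lazy dog. ";
#define LZSS_SAMPLE_LEN (sizeof LZSS_SAMPLE - 1)

int main(void)
{
    size_t packed = 0;
    int ok = lzss_roundtrip((const uint8_t *)LZSS_SAMPLE, LZSS_SAMPLE_LEN, &packed);
    printf("round trip %s: %zu -> %zu bytes\n", ok ? "ok" : "FAILED", LZSS_SAMPLE_LEN, packed);
    return ok ? 0 : 1;
}
```

The decoder is the only half that needs to be small; the encoder runs offline and can afford the naive O(n·window) search. A decoder dropped into a stub usually strips the `dist`/`cap` checks to save bytes, which is acceptable only when the stream it decodes is produced by the same tool and never touched by a third party: with those checks gone, a distance larger than the bytes written so far reads before the output buffer, and an oversized length writes past it.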

Windows Process Injection: Asynchronous Procedure Call (APC)

Introduction. An early example of APC injection can be found in a 2005 paper by the late Barnaby Jack called Remote Windows Kernel Exploitation – Step into the Ring 0. Until now, these posts have focused on relatively new, lesser-known …

Posted in assembly, injection, malware, process injection, programming, shellcode, windows

Windows Process Injection: KnownDlls Cache Poisoning

Introduction. This is a quick post in response to a method of injection described by James Forshaw in Bypassing CIG Through KnownDlls. The first example of poisoning the KnownDlls cache on Windows can be sourced back to a security advisory …

Posted in injection, programming, windows

Windows Process Injection: Tooltip or Common Controls

Introduction. Tooltips appear automatically when the mouse pointer hovers over an element in a user interface. This helps users identify the purpose of a file, a button or a menu item. Each tooltip stores data about itself in a structure located …

Posted in injection, process injection, programming, security, windows

Windows Process Injection: Breaking BaDDEr

Introduction. Dynamic Data Exchange (DDE) is a data sharing protocol, while the Dynamic Data Exchange Management Library (DDEML) facilitates sharing of data among applications over the DDE protocol. DDE made the headlines in October 2017 after a vulnerability was discovered …

Posted in injection, malware, process injection, programming, windows

Windows Process Injection: DNS Client API

Introduction. This is a quick response to Code Execution via surgical callback overwrites by Adam. He suggests overwriting DNS memory functions to facilitate process injection. This post will demonstrate how the injection works with explorer.exe. It was only tested on …

Posted in assembly, injection, malware, process injection, programming, security, windows