Category Archives: programming

Shellcode: Data Compression

Introduction This post examines data compression algorithms suitable for position-independent code and assumes you’re already familiar with the concept and purpose of data compression. For those of you curious to know more about the science, or information theory, read Data …


Windows Process Injection: Asynchronous Procedure Call (APC)

Introduction An early example of APC injection can be found in a 2005 paper by the late Barnaby Jack called Remote Windows Kernel Exploitation – Step into the Ring 0. Until now, these posts have focused on relatively new, lesser-known …


Windows Process Injection: KnownDlls Cache Poisoning

Introduction This is a quick post in response to a method of injection described by James Forshaw in Bypassing CIG Through KnownDlls. The first example of poisoning the KnownDlls cache on Windows can be sourced back to a security advisory …


Windows Process Injection: Tooltip or Common Controls

Introduction Tooltips appear automatically when a mouse pointer hovers over an element in a user interface. This helps users identify the purpose of a file, a button or a menu item. These tooltips store data about themselves in a structure located …


Windows Process Injection: Breaking BaDDEr

Introduction Dynamic Data Exchange (DDE) is a data sharing protocol, while the Dynamic Data Exchange Management Library (DDEML) facilitates sharing of data among applications over the DDE protocol. DDE made the headlines in October 2017 after a vulnerability was discovered …


Windows Process Injection: DNS Client API

Introduction This is a quick response to Code Execution via surgical callback overwrites by Adam. He suggests overwriting DNS memory functions to facilitate process injection. This post will demonstrate how the injection works with explorer.exe. It was only tested on …


Windows Process Injection: Multiple Provider Router (MPR) DLL and Shell Notifications

Introduction Memory for MPR network providers can be modified to facilitate process injection by overwriting one of the function pointers and then invoking it via shell change notifications or window messages. While searching for a method of invocation, it was …
