Category Archives: security

Shellcode: Data Compression

This post examines data compression algorithms suitable for position-independent code and assumes you’re already familiar with the concept and purpose of data compression. For those of you curious to know more about the science, or information theory, read Data …

Posted in: assembly, compression, linux, malware, programming, security, shellcode, windows (1 comment)

Windows Process Injection: Tooltip or Common Controls

Tooltips appear automatically when a mouse pointer hovers over an element in a user interface. This helps users identify the purpose of a file, a button or a menu item. These tooltips store data about themselves in a structure located …

Posted in: injection, process injection, programming, security, windows

Windows Process Injection: DNS Client API

This is a quick response to Code Execution via surgical callback overwrites by Adam. He suggests overwriting DNS memory functions to facilitate process injection. This post will demonstrate how the injection works with explorer.exe. It was only tested on …

Posted in: assembly, injection, malware, process injection, programming, security, windows

Windows Process Injection: Multiple Provider Router (MPR) DLL and Shell Notifications

Memory for MPR network providers can be modified to facilitate process injection by overwriting one of the function pointers and then invoking it via shell change notifications or window messages. While searching for a method of invocation, it was …

Posted in: programming, security, windows

Shellcode: In-Memory Execution of JavaScript, VBScript, JScript and XSL

UPDATE: After being available for twenty years, Dr.Dobb’s removed access to two articles linked from here. I’ve no idea why. A DynaCall() Function for Win32 was published in the August 1998 edition of Dr.Dobbs Journal. The author, Ton Plooy, …

Posted in: assembly, programming, security, shellcode, windows

Shellcode: In-Memory Execution of DLL

In March 2002, the infamous group 29A published their sixth e-zine. One of the articles, titled In-Memory PE EXE Execution by Z0MBiE, demonstrated how to manually load and run a Portable Executable entirely from memory. The InMem client provided …

Posted in: assembly, injection, programming, security, shellcode, windows (2 comments)

How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code

Sections: Introduction, Previous Research, AMSI Example in C, AMSI Context, AMSI Initialization, AMSI Scanning, CLR Implementation of AMSI, AMSI Bypass A (Patching Data), AMSI Bypass B (Patching Code 1), AMSI Bypass C (Patching Code 2), WLDP Example in C, WLDP Bypass …

Posted in: assembly, programming, security, windows (8 comments)