Category Archives: security

Windows Data Structures and Callbacks, Part 1

Contents: Introduction; Function Table List; Event Tracing; DLL Notifications; Secure Memory; Configuration Manager (CM); Vectored Exception Handling (VEH); Windows Error Reporting (WER)

1. Introduction: A process can contain thousands of pointers to executable …

Posted in data structures, redteam, security

Windows Process Injection: Command Line and Environment Variables

Contents: Introduction; Shellcode; Environment Variables; Command Line; Window Title; Runtime Data

1. Introduction: There are many ways to load shellcode into the address space of a process, but knowing precisely where it’s …

Posted in assembly, injection, malware, process injection, programming, redteam, security, shellcode, windows

Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC

Contents: Introduction; Edit Controls; Writing CP-1252 Compatible Code; Initialization; Set RAX to 0; Set RAX to 1; Set RAX to -1; Load and Store Data; Two Byte Instructions; Prefix Codes; Generating Shellcode; Injecting and Executing; Demonstration; Encoding Arbitrary Data; Encoding; Decoding …

Posted in assembly, injection, process injection, programming, redteam, security, shellcode, windows

Shellcode: Encoding Null Bytes Faster With Escape Sequences

Introduction: Quick post about a common problem, removing null bytes in the loader generated by Donut. Replacing opcodes that contain null bytes with equivalent snippets is enough to solve the problem for a shellcode of no more than a few …

Posted in assembly, donut, security, shellcode, windows

Invoking System Calls and Windows Debugger Engine

Introduction: Quick post about Windows system calls that I forgot about working on after the release of Dumpert by Cn33liz last year, which is described in this post. Typically, EDR and AV set hooks on Win32 API or NT wrapper …

Posted in assembly, programming, redteam, security, windows

Another method of bypassing ETW and Process Injection via ETW registration entries.

Contents: Introduction; Registering Providers; Locating the Registration Table; Parsing the Registration Table; Code Redirection; Disable Tracing; Further Research

1. Introduction: This post briefly describes some techniques used by Red Teams to disrupt detection of malicious activity by the Event Tracing …

Posted in etw, process injection, redteam, security, shellcode, windows

Shellcode: Data Compression

Introduction: This post examines data compression algorithms suitable for position-independent code and assumes you’re already familiar with the concept and purpose of data compression. For those of you curious to know more about the science, or information theory, read Data …

Posted in assembly, compression, linux, malware, programming, security, shellcode, windows

Windows Process Injection: Tooltip or Common Controls

Introduction: Tooltips appear automatically when a mouse pointer hovers over an element in a user interface. This helps users identify the purpose of a file, a button or a menu item. These tooltips store data about themselves in a structure located …

Posted in injection, process injection, programming, security, windows

Windows Process Injection: DNS Client API

Introduction: This is a quick response to Code Execution via surgical callback overwrites by Adam. He suggests overwriting DNS memory functions to facilitate process injection. This post will demonstrate how the injection works with explorer.exe. It was only tested on …

Posted in assembly, injection, malware, process injection, programming, security, windows

Windows Process Injection: Multiple Provider Router (MPR) DLL and Shell Notifications

Introduction: Memory for MPR network providers can be modified to facilitate process injection by overwriting one of the function pointers and then invoking it via shell change notifications or window messages. While searching for a method of invocation, it was …

Posted in programming, security, windows