Category Archives: shellcode

Windows Process Injection: Command Line and Environment Variables

Contents: Introduction, Shellcode, Environment Variables, Command Line, Window Title, Runtime Data. 1. Introduction: There are many ways to load shellcode into the address space of a process, but knowing precisely where it’s …

Posted in assembly, injection, malware, process injection, programming, redteam, security, shellcode, windows

Windows Process Injection: EM_GETHANDLE, WM_PASTE and EM_SETWORDBREAKPROC

Contents: Introduction, Edit Controls, Writing CP-1252 Compatible Code, Initialization, Set RAX to 0, Set RAX to 1, Set RAX to -1, Load and Store Data, Two Byte Instructions, Prefix Codes, Generating Shellcode, Injecting and Executing, Demonstration, Encoding Arbitrary Data, Encoding, Decoding …

Posted in assembly, injection, process injection, programming, redteam, security, shellcode, windows

Shellcode: Encoding Null Bytes Faster With Escape Sequences

Introduction: Quick post about a common problem removing null bytes in the loader generated by Donut. Replacing opcodes that contain null bytes with equivalent snippets is enough to solve the problem for a shellcode of no more than a few …

Posted in assembly, donut, security, shellcode, windows

Shellcode: Recycling Compression Algorithms for the Z80, 8088, 6502, 8086, and 68K Architectures.

Contents: Introduction, History, Entropy Coding, Universal code, Lempel-Ziv (LZ77/LZ1), Lempel-Ziv-Storer-Szymanski (LZSS), Lempel-Ziv-Bell (LZB), Intel 8088 / 8086, LZE, LZ4, LZSA, aPLib, MOS Technology 6502, Exomizer, Pucrunch, Zilog 80 …

Posted in compression, encryption, iot, linux, optimization, programming, shellcode, windows

Another method of bypassing ETW and Process Injection via ETW registration entries.

Contents: Introduction, Registering Providers, Locating the Registration Table, Parsing the Registration Table, Code Redirection, Disable Tracing, Further Research. 1. Introduction: This post briefly describes some techniques used by Red Teams to disrupt detection of malicious activity by the Event Tracing …

Posted in etw, process injection, redteam, security, shellcode, windows

Shellcode: Data Compression

Introduction: This post examines data compression algorithms suitable for position-independent codes and assumes you’re already familiar with the concept and purpose of data compression. For those of you curious to know more about the science, or information theory, read Data …

Posted in assembly, compression, linux, malware, programming, security, shellcode, windows

Windows Process Injection: Asynchronous Procedure Call (APC)

Introduction: An early example of APC injection can be found in a 2005 paper by the late Barnaby Jack called Remote Windows Kernel Exploitation – Step into the Ring 0. Until now, these posts have focused on relatively new, lesser-known …

Posted in assembly, injection, malware, process injection, programming, shellcode, windows

Windows Process Injection: Winsock Helper Functions (WSHX)

Introduction: The MSDN documentation states that Winsock Helper Functions (WSHX) are “obsolete for Windows Server 2003, Windows Vista, and later…”. However, Helper DLLs continue to be used by the latest build of Windows 10 to implement sockets for TCP, Infrared, …

Posted in malware, process injection, programming, shellcode, windows

Shellcode: In-Memory Execution of JavaScript, VBScript, JScript and XSL

Introduction: A DynaCall() Function for Win32 was published in the August 1998 edition of Dr. Dobb’s Journal. The author, Ton Plooy, provided a function in C that allows an interpreted language such as VBScript to call external DLL functions via a …

Posted in assembly, programming, security, shellcode, windows

Shellcode: In-Memory Execution of DLL

Introduction: In March 2002, the infamous group 29A published their sixth e-zine. One of the articles, titled In-Memory PE EXE Execution by Z0MBiE, demonstrated how to manually load and run a Portable Executable entirely from memory. The InMem client provided …

Posted in assembly, injection, programming, security, shellcode, windows