In the previous blog post - Fixing (Windows Internals) Meminfo.exe - we dug into the Meminfo.exe tool from the Windows Internals book, focusing on "FileInfo requests". I suggest you also take a look at some details of another type of request named "SuperFetchQuery", which can be useful in scenarios like Red Team / Privesc, Pentest, Exploit Dev or Maldev. Let's take a look! TL;DR The superfetch queries and fileInfo requests are alternative methods that allow you to get many Windows i...| vegvisir
All the lessons I’m sharing here are based on what I learned/observed during my experiment.| Hack.Learn.Share
I was almost 90% done drafting this post when I came across this talk by @rad9800 that discusses the same topic. I'm publishing it anyway because I don't want my efforts to go to waste, and this post contains some ideas not mentioned in the talk.| Hack.Learn.Share
Last March, I tweeted about converting WinAPI functions to their native counterparts. One of the WinAPIs I was trying to convert is CreateProcess. Finally, after several months of on-and-off research, trials and coding, I have successfully developed a PoC that launches a process using the native API NtCreateUserProcess()!| Hack.Learn.Share
Lately, I came across the KernelCallbackTable, which can be abused to inject shellcode into a remote process. This process injection method has been used by FinFisher/FinSpy and Lazarus.| Hack.Learn.Share
Using libraries for development is great, especially if you're a beginner who wants something that will surely work right out of the box and saves time.| Hack.Learn.Share
Have you ever wanted to write malware (for educational purposes) but didn't know how or where to start? How about writing a custom implant to bypass an AV for an engagement when time is very limited? Or maybe you simply want to write malware to upskill and/or better understand how the Windows API works, but are too lazy to start working on it?| Hack.Learn.Share
Parent Process ID (PPID) spoofing is one of the techniques malware authors use to blend into the target system. It works by making the malicious process look like it was spawned by another process, which helps evade detections based on anomalous parent-child process relationships.| Hack.Learn.Share
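To make the evasion concrete, here is an added example (not code from the Hack.Learn.Share post): a toy detector keyed on declared parent-child pairs, run over constructed Sysmon-style process-creation records, first for a plain macro-spawned PowerShell and then for the same launch after PPID spoofing (done in practice via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute of CreateProcess, which re-parents the child under a chosen handle). The `creator_pid` field is a hypothetical enrichment standing in for kernel-side telemetry that records which process actually issued the create call; it is not a Sysmon field, and the suspicious-pair list and all sample records are constructed for the example.

```python
# Added example, not code from the Hack.Learn.Share post: a toy detector for
# anomalous parent-child process pairs, run over constructed Sysmon-style
# process-creation records, plus the cross-check that exposes PPID spoofing.
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of parent -> child pairs that are suspicious in most estates
# (an Office document should not be launching shells or script hosts).
SUSPICIOUS_PAIRS = {
    ("winword.exe", "cmd.exe"),
    ("winword.exe", "powershell.exe"),
    ("excel.exe", "powershell.exe"),
    ("outlook.exe", "powershell.exe"),
}


@dataclass(frozen=True)
class ProcessCreate:
    """Fields modelled on Sysmon Event ID 1. creator_pid is a hypothetical
    enrichment (the PID of the process that actually issued the create call,
    as a kernel-side telemetry source would record it), not a Sysmon field."""
    pid: int
    image: str
    ppid: int            # declared parent: this is what PPID spoofing controls
    parent_image: str
    command_line: str
    creator_pid: Optional[int] = None


def basename(path: str) -> str:
    """Last path component, lower-cased, so image paths compare by file name."""
    return path.rsplit("\\", 1)[-1].lower()


def naive_anomalous_parents(events: List[ProcessCreate]) -> List[int]:
    """Detection that keys only on the declared parent-child relationship."""
    return [e.pid for e in events
            if (basename(e.parent_image), basename(e.image)) in SUSPICIOUS_PAIRS]


def spoofed_parents(events: List[ProcessCreate]) -> List[int]:
    """Cross-check: the declared parent should be the process that created
    the child. A mismatch is the signature of PPID spoofing."""
    return [e.pid for e in events
            if e.creator_pid is not None and e.creator_pid != e.ppid]


# Constructed sample: a macro in WINWORD.EXE (pid 4120) launches PowerShell.
UNSPOOFED = [
    ProcessCreate(5200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  4120, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  "powershell.exe -nop -w hidden -c <payload>", creator_pid=4120),
]

# Same launch, but the macro used PROC_THREAD_ATTRIBUTE_PARENT_PROCESS to
# re-parent the child under explorer.exe (pid 1336). The declared parent is
# now benign; only the creator field still points at WINWORD.EXE.
SPOOFED = [
    ProcessCreate(5201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  1336, r"C:\Windows\explorer.exe",
                  "powershell.exe -nop -w hidden -c <payload>", creator_pid=4120),
]

# A normal interactive launch for contrast: explorer really did start it.
BENIGN = [
    ProcessCreate(5202, r"C:\Windows\System32\notepad.exe",
                  1336, r"C:\Windows\explorer.exe", "notepad.exe", creator_pid=1336),
]

if __name__ == "__main__":
    print("naive, unspoofed:", naive_anomalous_parents(UNSPOOFED))   # [5200]
    print("naive, spoofed:  ", naive_anomalous_parents(SPOOFED))     # []
    print("cross-check:     ", spoofed_parents(SPOOFED + BENIGN))    # [5201]
```

The first two calls show the point of the technique: the same PowerShell launch is flagged when WINWORD.EXE is its declared parent and passes silently once the declared parent is explorer.exe. The third call is the check a detection engineer would want alongside the parent-child rule: Sysmon's ParentProcessId is exactly the value the attacker controls, so catching the spoof needs a second source that records the real creator and a comparison between the two.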
When I started my journey in malware development and AV/EDR evasion, most of the articles and blog posts I read recommended the use of syscalls. By using syscalls, an adversary can bypass detection controls (such as user-land hooking) by jumping directly into kernel mode. Evasion is possible in this case since AV/EDR systems can only monitor an application's behaviour in user mode. Another advantage is that any Windows API functions used will not be referenced in the import table.| Hack.Learn.Share