Resolving Imports with GetProcAddress and Utilizing the PEB for Stealthier Injection

I’m continually impressed by the versatility of the new Hunter module. While using one of our most basic signatures for process injection, we came across some really interesting content that articulates evasion tradecraft. Specifically, this post talks about the different stages of static analysis evasion and how to dynamically load dead-giveaway API calls (VirtualAllocEx, WriteProcessMemory, CreateRemoteThreat, etc...) in a more obscure way. It first looks at using the Windows API call GetProcAddress() to resolve function addresses on the fly and then dives deeper into leveraging the Process Environment Block (PEB). Excellent read if you haven’t seen this blog before.
 
 
Blog:
https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/
 
 
Accompanying Code:
​ https://gist.github.com/christophetd/37141ba273b447ff885c323c0a7aff93
 
 
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam