CYBER MONGOL
1/25/2021

Resolving Imports with GetProcAddress and Utilizing the PEB for Stealthier Injection

I’m continually impressed by the versatility of the new Hunter module. While using one of our most basic signatures for process injection, we came across some really interesting content that articulates evasion tradecraft. Specifically, this post talks about the different stages of static analysis evasion and how to dynamically load dead-giveaway API calls (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, etc.) in a more obscure way. It first looks at using the Windows API call GetProcAddress() to resolve function addresses on the fly and then dives deeper into leveraging the Process Environment Block (PEB). Excellent read if you haven’t seen this blog before.
Blog:
https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/

Accompanying Code:
https://gist.github.com/christophetd/37141ba273b447ff885c323c0a7aff93
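Added example, written for this post and not taken from the Cyber Mongol post or the linked blog: a defender-side triage check for the profile described above, where the injection APIs are absent from a binary's import table but their names are still present as strings for GetProcAddress to look up at run time. The PE import-table parser uses only the Python standard library; the list of injection APIs is an assumption.

```python
import struct

# APIs that are a "dead giveaway" for process injection when they sit in the import table (assumed list)
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"}

def _rva_to_offset(sections, rva):  # map an RVA to a file offset via the section table
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll: [function names]} from the import directory (by-name imports only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # 0x10B = PE32, 0x20B = PE32+
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    # per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    imports = {}
    desc = _rva_to_offset(sections, import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                 # all-zero descriptor ends the table
            break
        funcs, thunk = [], _rva_to_offset(sections, oft or ft)
        while True:
            entry = struct.unpack_from("<Q" if pe32plus else "<I", data, thunk)[0]
            if entry == 0:
                break
            if not entry >> (63 if pe32plus else 31):     # ordinal flag clear: import by name
                funcs.append(_cstring(data, _rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))
            thunk += 8 if pe32plus else 4
        imports[_cstring(data, _rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return imports

def runtime_resolved_apis(data):
    """Injection APIs present as plain strings but missing from the import table: the trace
    left when a loader looks them up with GetProcAddress (or a PEB export walk) instead."""
    imported = {f for funcs in parse_imports(data).values() for f in funcs}
    return sorted(a for a in INJECTION_APIS if a not in imported and a.encode() in data)
```

Names that a loader hashes or encrypts before the lookup will not be found by the string check, so an empty result is a triage lead, not a clearance.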