This builds off of works from @Cneelis, @j00ru, @FoxHex0ne, and others. Greetz to @Dcept905 for testing and suggestions!
Before-and-after example of classic CreateRemoteThread injection: pic.twitter.com/KPvcd1Silk
Next step will be to dynamically compute the syscall numbers. A starting point for you: https://github.com/hfiref0x/SyscallTables … nice work :P

Thanks! If I'm understanding your suggestion correctly, the syscall numbers are already computed at runtime when the assembly functions query the OS version information in the PEB.
Any way to get the MiniDumpWriteDump API with this?

Probably not, as it doesn't make a direct syscall. However, @0x00dtm, @mrjefftang, and @spotheplanet have write-ups and code on removing user-mode API hooks. Links are in the repo at the bottom.
I will just leave my old article here (kinda old (2005) but I believe similar idea): https://www.symantec.com/connect/articles/windows-syscall-shellcode … :-)
Great work!
Great work, no more sideloading a renamed ntdll.