Windows API parsed easily

When I wrote my first API monitor around 2004 I had a real struggle finding prototypes of Windows API functions, because there was not that much documentation available at that time. I remember extracting data from various sources, including a classic WIN32.HLP file.

As time progressed I got well versed in decompiling progressive versions of the MSDN/SDK/DDK help files: HLP files with HelpDeco, CHM files with hh.exe, HXS files with VSHIK (HxComp.exe IIRC), and finally connecting to the local help server on http://127.0.0.1:47873 to retrieve XML files.

Today you just need to download a repo of source files from GitHub.

Within minutes you can get a file like this:
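As an added example (not part of the original post, and not the contents of the repo it refers to), here is a small Python parser that turns SDK-style prototypes into a JSON-friendly list an API monitor could load; the header snippet is constructed and the SAL-stripping regex is an assumption about the annotation style found in such headers.

```python
import json
import re

# Constructed sample in the style of a Windows SDK header (not copied from any real file).
SAMPLE_HEADER = """
WINBASEAPI
HANDLE
WINAPI
CreateFileW(
    _In_ LPCWSTR lpFileName,
    _In_ DWORD dwDesiredAccess,
    _In_ DWORD dwShareMode,
    _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    _In_ DWORD dwCreationDisposition,
    _In_ DWORD dwFlagsAndAttributes,
    _In_opt_ HANDLE hTemplateFile
    );

WINBASEAPI BOOL WINAPI CloseHandle(_In_ HANDLE hObject);
"""

# SAL annotations such as _In_, _In_opt_, _Out_writes_(n); removed before parsing.
SAL_ANNOTATION = re.compile(r"\b_(?:In|Out|Inout|Ret)[A-Za-z0-9_]*_\b(?:\([^)]*\))?")
# Export macro + return type, WINAPI, name, argument list, terminating semicolon.
PROTOTYPE = re.compile(
    r"(?P<ret>[A-Za-z_][A-Za-z0-9_ \t\n*]+?)\s+WINAPI\s+(?P<name>[A-Za-z_]\w*)\s*\((?P<args>[^;]*?)\)\s*;",
    re.S,
)
EXPORT_MACROS = {"WINBASEAPI", "WINUSERAPI", "NTSYSCALLAPI"}

def parse_prototypes(text):
    """Return a list of {name, return, params} dicts for every prototype in text."""
    text = SAL_ANNOTATION.sub("", text)
    protos = []
    for m in PROTOTYPE.finditer(text):
        ret_type = " ".join(t for t in m.group("ret").split() if t not in EXPORT_MACROS)
        params = []
        args = m.group("args").strip()
        if args and args != "VOID":
            for raw in args.split(","):
                toks = raw.split()  # last token is the parameter name, the rest is its type
                params.append({"type": " ".join(toks[:-1]), "name": toks[-1]})
        protos.append({"name": m.group("name"), "return": ret_type, "params": params})
    return protos

if __name__ == "__main__":
    print(json.dumps(parse_prototypes(SAMPLE_HEADER), indent=2))
```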

Feed the children, feed them well

This is a quick blurb about an idea I shared on Twitter today.

When you create a child process, the system calls a combination of these two functions:

  • NtAllocateVirtualMemory
  • NtWriteVirtualMemory

One could intercept these calls (using a hardware breakpoint, patching, or even tracing), and when the memory buffer is allocated, extend the allocation size, literally creating a code/data cave. Then, when the write happens, build a buffer that contains the original data meant to be written plus an appended buffer, e.g. shellcode, that fills in the cave.

Now it's only a matter of executing the code, which could be done using GUI-based tricks (e.g. Propagate, or common Windows callback procedures).

Note: the APIs may need to be changed on a 64-bit system if the parent and child processes are of mixed architecture (NtWow64AllocateVirtualMemory64 & NtWow64WriteVirtualMemory64).