Formatul Portable Executable

DefCamp
DefCampDefCamp
Defcamp 0x7DB ,[object Object],[object Object],[object Object],http://www.rstcenter.com/forum/
Formatul Portable Executable
 
 
 
 
 
 
 
 
 
 
 
 
DLL Injection ,[object Object],[object Object],[object Object]
Registry
HHOOK SetWindowsHookEx (  int  idHook , HOOKPROC  lpfn , HINSTANCE  hMod , DWORD  dwThreadId  ); WH_CALLWNDPROC Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure. WH_CBT Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure. WH_KEYBOARD Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure. SetWindowsHookEx
CreateRemoteThread HANDLE WINAPI CreateRemoteThread( __in HANDLE  hProcess ,  __in LPSECURITY_ATTRIBUTES  lpThreadAttributes ,  __in SIZE_T  dwStackSize , __in LPTHREAD_START_ROUTINE  lpStartAddress ,  __in LPVOID  lpParameter ,  __in DWORD  dwCreationFlags ,  __out LPDWORD  lpThreadId  );
API Hooking ,[object Object],[object Object],[object Object],[object Object]
Exemplu API
Load PE File CopyMemory idh, abExeFile(0), Len(idh) If idh.e_magic <> IMAGE_DOS_SIGNATURE Then MsgBox &quot;MZ signature not found!&quot;, vbCritical, &quot;File load error&quot; Exit Sub End If CopyMemory inh, abExeFile(idh.e_lfanew), Len(inh) If inh.Signature <> IMAGE_NT_SIGNATURE Then MsgBox &quot;PE signature not found!&quot;, vbCritical, &quot;File load error&quot; Exit Sub End If si.cb = Len(si) If CreateProcess(vbNullString, fisier, 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then Exit Sub context.ContextFlags = CONTEXT86_INTEGER If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0) If addr = 0 Then GoTo ClearProcess If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE) If ImageBase = 0 Then GoTo ClearProcess Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret) lOffset = idh.e_lfanew + Len(inh) For i = 0 To inh.FileHeader.NumberOfSections - 1 CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish) Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret) Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.characteristics), addr) Next i Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret) context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint Call SetThreadContext(pi.hThread, context) Call ResumeThread(pi.hThread) Exit Sub
1 of 21

Recommended

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012 by
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012DefCamp
1.6K views23 slides
NYU hacknight, april 6, 2016 by
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
403 views37 slides
Sniffing Mach Messages by
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach MessagesMikhail Sosonkin
1.7K views41 slides
Unix Programming with Perl by
Unix Programming with PerlUnix Programming with Perl
Unix Programming with PerlKazuho Oku
32.3K views35 slides
Art of Web Backdoor - Pichaya Morimoto by
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
4K views34 slides
Using the Power to Prove by
Using the Power to ProveUsing the Power to Prove
Using the Power to ProveKazuho Oku
2.8K views19 slides

More Related Content

What's hot

Synack Shakacon OSX Malware Persistence by
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
1.3K views57 slides
Codetainer: a Docker-based browser code 'sandbox' by
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
3.8K views30 slides
Unix Programming with Perl 2 by
Unix Programming with Perl 2Unix Programming with Perl 2
Unix Programming with Perl 2Kazuho Oku
5.6K views34 slides
Mach-O Internals by
Mach-O InternalsMach-O Internals
Mach-O InternalsAnthony Shoumikhin
6.5K views30 slides
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah! by
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
2.1K views68 slides
PHP Secure Programming by
PHP Secure ProgrammingPHP Secure Programming
PHP Secure ProgrammingBalavignesh Kasinathan
2.5K views39 slides

What's hot(20)

Synack Shakacon OSX Malware Persistence by Ivan Einstein
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
Ivan Einstein1.3K views
Codetainer: a Docker-based browser code 'sandbox' by Jen Andre
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
Jen Andre3.8K views
Unix Programming with Perl 2 by Kazuho Oku
Unix Programming with Perl 2Unix Programming with Perl 2
Unix Programming with Perl 2
Kazuho Oku5.6K views
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah! by Synack
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
Synack2.1K views
Debugging: Rules & Tools by Ian Barber
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
Ian Barber11.8K views
Simple php backdoor_by_dk by Stan Adrian
Simple php backdoor_by_dkSimple php backdoor_by_dk
Simple php backdoor_by_dk
Stan Adrian797 views
[2014 CodeEngn Conference 11] 정든품바 - 웹성코드 by GangSeok Lee
[2014 CodeEngn Conference 11] 정든품바 - 웹성코드[2014 CodeEngn Conference 11] 정든품바 - 웹성코드
[2014 CodeEngn Conference 11] 정든품바 - 웹성코드
GangSeok Lee1.5K views
Django - Know Your Namespace: Middleware by howiworkdaily
Django - Know Your Namespace: MiddlewareDjango - Know Your Namespace: Middleware
Django - Know Your Namespace: Middleware
howiworkdaily842 views
Introduction to puppet - Hands on Session at HPI Potsdam by Christoph Oelmüller
Introduction to puppet - Hands on Session at HPI PotsdamIntroduction to puppet - Hands on Session at HPI Potsdam
Introduction to puppet - Hands on Session at HPI Potsdam
DLL Hijacking on OS X by Synack
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS X
Synack11.9K views
ZeroNights: Automating iOS blackbox security scanning by Mikhail Sosonkin
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
Mikhail Sosonkin1.5K views
Getting started with TDD - Confoo 2014 by Eric Hogue
Getting started with TDD - Confoo 2014Getting started with TDD - Confoo 2014
Getting started with TDD - Confoo 2014
Eric Hogue1.6K views

Viewers also liked

Quick & Dirty Tips for x64 hooks by
Quick & Dirty Tips for x64 hooksQuick & Dirty Tips for x64 hooks
Quick & Dirty Tips for x64 hooks용환 노
1.3K views22 slides
Userland Hooking in Windows by
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
2.3K views33 slides
2006 03 15_pe & api hook by
2006 03 15_pe & api hook2006 03 15_pe & api hook
2006 03 15_pe & api hook용환 노
1.5K views34 slides
제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요 by
제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요
제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요NAVER D2
3.5K views54 slides
악성코드 분석 도구 by
악성코드 분석 도구악성코드 분석 도구
악성코드 분석 도구Youngjun Chang
5.9K views25 slides
2.악성코드와 분석 방안 by
2.악성코드와 분석 방안2.악성코드와 분석 방안
2.악성코드와 분석 방안Youngjun Chang
2.3K views34 slides

Viewers also liked(7)

Quick & Dirty Tips for x64 hooks by 용환 노
Quick & Dirty Tips for x64 hooksQuick & Dirty Tips for x64 hooks
Quick & Dirty Tips for x64 hooks
용환 노1.3K views
2006 03 15_pe & api hook by 용환 노
2006 03 15_pe & api hook2006 03 15_pe & api hook
2006 03 15_pe & api hook
용환 노1.5K views
제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요 by NAVER D2
제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요
제12회 IT4U 강연회 - 악성코드 분석 잘하고 싶어요
NAVER D23.5K views
악성코드 분석 도구 by Youngjun Chang
악성코드 분석 도구악성코드 분석 도구
악성코드 분석 도구
Youngjun Chang5.9K views
2.악성코드와 분석 방안 by Youngjun Chang
2.악성코드와 분석 방안2.악성코드와 분석 방안
2.악성코드와 분석 방안
Youngjun Chang2.3K views
제12회 IT4U 강연회 - 화이트햇 해커들의 웹 해킹 by NAVER D2
제12회 IT4U 강연회 - 화이트햇 해커들의 웹 해킹제12회 IT4U 강연회 - 화이트햇 해커들의 웹 해킹
제12회 IT4U 강연회 - 화이트햇 해커들의 웹 해킹
NAVER D22.7K views

Similar to Formatul Portable Executable

Code Injection in Windows by
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
4.2K views22 slides
Arduino、Web 到 IoT by
Arduino、Web 到 IoTArduino、Web 到 IoT
Arduino、Web 到 IoTJustin Lin
7.5K views82 slides
Essay On Cmit 350 Final Project by
Essay On Cmit 350 Final ProjectEssay On Cmit 350 Final Project
Essay On Cmit 350 Final ProjectNancy Jarjis
2 views60 slides
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U... by
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
714 views73 slides
Sandboxie process isolation with kernel hooks by
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooksKarlFrank99
281 views19 slides
6. processes and threads by
6. processes and threads6. processes and threads
6. processes and threadsMarian Marinov
2.2K views32 slides

Similar to Formatul Portable Executable (20)

Arduino、Web 到 IoT by Justin Lin
Arduino、Web 到 IoTArduino、Web 到 IoT
Arduino、Web 到 IoT
Justin Lin7.5K views
Essay On Cmit 350 Final Project by Nancy Jarjis
Essay On Cmit 350 Final ProjectEssay On Cmit 350 Final Project
Essay On Cmit 350 Final Project
Nancy Jarjis2 views
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U... by Vincenzo Iozzo
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo714 views
Sandboxie process isolation with kernel hooks by KarlFrank99
Sandboxie process isolation with kernel hooksSandboxie process isolation with kernel hooks
Sandboxie process isolation with kernel hooks
KarlFrank99281 views
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ... by PROIDEA
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA181 views
Ransomware for fun and non-profit by Youness Zougar
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
Youness Zougar3K views
44CON London 2015 - How to drive a malware analyst crazy by 44CON
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
44CON1.4K views
How to drive a malware analyst crazy by Michael Boman
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
Michael Boman1.1K views
Web application security by Ravi Raj
Web application securityWeb application security
Web application security
Ravi Raj897 views
DEF CON 24 - Patrick Wardle - 99 problems little snitch by Felipe Prado
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
Felipe Prado41 views
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one! by Synack
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
Synack1.4K views
Reutov, yunusov, nagibin random numbers take ii by DefconRussia
Reutov, yunusov, nagibin   random numbers take iiReutov, yunusov, nagibin   random numbers take ii
Reutov, yunusov, nagibin random numbers take ii
DefconRussia14.9K views
Strategies to design FUD malware by Pedro Tavares
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
Pedro Tavares3.6K views

More from DefCamp

Remote Yacht Hacking by
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
1.7K views89 slides
Mobile, IoT, Clouds… It’s time to hire your own risk manager! by
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
974 views167 slides
The Charter of Trust by
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
558 views24 slides
Internet Balkanization: Why Are We Raising Borders Online? by
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
309 views22 slides
Bridging the gap between CyberSecurity R&D and UX by
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
260 views13 slides
Secure and privacy-preserving data transmission and processing using homomorp... by
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
470 views102 slides

More from DefCamp(20)

Remote Yacht Hacking by DefCamp
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
DefCamp1.7K views
Mobile, IoT, Clouds… It’s time to hire your own risk manager! by DefCamp
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
DefCamp974 views
The Charter of Trust by DefCamp
The Charter of TrustThe Charter of Trust
The Charter of Trust
DefCamp558 views
Internet Balkanization: Why Are We Raising Borders Online? by DefCamp
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
DefCamp309 views
Bridging the gap between CyberSecurity R&D and UX by DefCamp
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
DefCamp260 views
Secure and privacy-preserving data transmission and processing using homomorp... by DefCamp
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp470 views
Drupalgeddon 2 – Yet Another Weapon for the Attacker by DefCamp
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
DefCamp269 views
Economical Denial of Sustainability in the Cloud (EDOS) by DefCamp
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
DefCamp254 views
Trust, but verify – Bypassing MFA by DefCamp
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
DefCamp323 views
Threat Hunting: From Platitudes to Practical Application by DefCamp
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
DefCamp218 views
Building application security with 0 money down by DefCamp
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
DefCamp179 views
Implementation of information security techniques on modern android based Kio... by DefCamp
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
DefCamp215 views
Lattice based Merkle for post-quantum epoch by DefCamp
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
DefCamp241 views
The challenge of building a secure and safe digital environment in healthcare by DefCamp
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
DefCamp323 views
Timing attacks against web applications: Are they still practical? by DefCamp
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
DefCamp258 views
Tor .onions: The Good, The Rotten and The Misconfigured by DefCamp
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
DefCamp816 views
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t... by DefCamp
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
DefCamp294 views
We will charge you. How to [b]reach vendor’s network using EV charging station. by DefCamp
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp443 views
Connect & Inspire Cyber Security by DefCamp
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
DefCamp290 views
The lions and the watering hole by DefCamp
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
DefCamp225 views

Recently uploaded

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...Jasper Oosterveld
27 views49 slides
PharoJS - Zürich Smalltalk Group Meetup November 2023 by
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023Noury Bouraqadi
139 views17 slides
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
72 views29 slides
Zero to Automated in Under a Year by
Zero to Automated in Under a YearZero to Automated in Under a Year
Zero to Automated in Under a YearNetwork Automation Forum
22 views23 slides
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf by
STKI Israeli Market Study 2023   corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023   corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdfDr. Jimmy Schwarzkopf
24 views29 slides
Uni Systems for Power Platform.pptx by
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptxUni Systems S.M.S.A.
58 views21 slides

Recently uploaded(20)

ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ... by Jasper Oosterveld
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
ESPC 2023 - Protect and Govern your Sensitive Data with Microsoft Purview in ...
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi139 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc72 views
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf by Dr. Jimmy Schwarzkopf
STKI Israeli Market Study 2023   corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023   corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
HTTP headers that make your website go faster - devs.gent November 2023 by Thijs Feryn
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023
Thijs Feryn26 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software317 views
Unit 1_Lecture 2_Physical Design of IoT.pdf by StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec15 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker48 views
Five Things You SHOULD Know About Postman by Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman38 views
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays24 views
Business Analyst Series 2023 - Week 3 Session 5 by DianaGray10
Business Analyst Series 2023 -  Week 3 Session 5Business Analyst Series 2023 -  Week 3 Session 5
Business Analyst Series 2023 - Week 3 Session 5
DianaGray10345 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays33 views

Formatul Portable Executable

  • 1.
  • 3.  
  • 4.  
  • 5.  
  • 6.  
  • 7.  
  • 8.  
  • 9.  
  • 10.  
  • 11.  
  • 12.  
  • 13.  
  • 14.  
  • 15.
  • 17. HHOOK SetWindowsHookEx ( int idHook , HOOKPROC lpfn , HINSTANCE hMod , DWORD dwThreadId ); WH_CALLWNDPROC Installs a hook procedure that monitors messages before the system sends them to the destination window procedure. For more information, see the CallWndProc hook procedure. WH_CBT Installs a hook procedure that receives notifications useful to a computer-based training (CBT) application. For more information, see the CBTProc hook procedure. WH_KEYBOARD Installs a hook procedure that monitors keystroke messages. For more information, see the KeyboardProc hook procedure. SetWindowsHookEx
  • 18. CreateRemoteThread HANDLE WINAPI CreateRemoteThread( __in HANDLE hProcess , __in LPSECURITY_ATTRIBUTES lpThreadAttributes , __in SIZE_T dwStackSize , __in LPTHREAD_START_ROUTINE lpStartAddress , __in LPVOID lpParameter , __in DWORD dwCreationFlags , __out LPDWORD lpThreadId );
  • 19.
  • 21. Load PE File CopyMemory idh, abExeFile(0), Len(idh) If idh.e_magic <> IMAGE_DOS_SIGNATURE Then MsgBox &quot;MZ signature not found!&quot;, vbCritical, &quot;File load error&quot; Exit Sub End If CopyMemory inh, abExeFile(idh.e_lfanew), Len(inh) If inh.Signature <> IMAGE_NT_SIGNATURE Then MsgBox &quot;PE signature not found!&quot;, vbCritical, &quot;File load error&quot; Exit Sub End If si.cb = Len(si) If CreateProcess(vbNullString, fisier, 0, 0, False, CREATE_SUSPENDED, 0, 0, si, pi) = 0 Then Exit Sub context.ContextFlags = CONTEXT86_INTEGER If GetThreadContext(pi.hThread, context) = 0 Then GoTo ClearProcess Call ReadProcessMemory(pi.hProcess, ByVal context.Ebx + 8, addr, 4, 0) If addr = 0 Then GoTo ClearProcess If ZwUnmapViewOfSection(pi.hProcess, addr) Then GoTo ClearProcess ImageBase = VirtualAllocEx(pi.hProcess, ByVal inh.OptionalHeader.ImageBase, inh.OptionalHeader.SizeOfImage, MEM_RESERVE Or MEM_COMMIT, PAGE_READWRITE) If ImageBase = 0 Then GoTo ClearProcess Call WriteProcessMemory(pi.hProcess, ByVal ImageBase, abExeFile(0), inh.OptionalHeader.SizeOfHeaders, ret) lOffset = idh.e_lfanew + Len(inh) For i = 0 To inh.FileHeader.NumberOfSections - 1 CopyMemory ish, abExeFile(lOffset + i * Len(ish)), Len(ish) Call WriteProcessMemory(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, abExeFile(ish.PointerToRawData), ish.SizeOfRawData, ret) Call VirtualProtectEx(pi.hProcess, ByVal ImageBase + ish.VirtualAddress, ish.VirtualSize, Protect(ish.characteristics), addr) Next i Call WriteProcessMemory(pi.hProcess, ByVal context.Ebx + 8, ImageBase, 4, ret) context.Eax = ImageBase + inh.OptionalHeader.AddressOfEntryPoint Call SetThreadContext(pi.hThread, context) Call ResumeThread(pi.hThread) Exit Sub