[Loki]

What you will learn

• WinAPI function manual location with Assembly
  
• PEB Structure and PEB_LDR_DATA
  
• PE File Structure
  
• Relative Virtual Address calculation
  
• Export Address Table (EAT)
  
• Windows x64 calling-convention in practice
  
• Writing in Assembly like a real Giga-Chad...
  

Hidden Content

You must register or login to view this content.

[xzin0vich]

Chad contribution for chad leecher.

[thoth]

What you will learn

• WinAPI function manual location with Assembly
  
• PEB Structure and PEB_LDR_DATA
  
• PE File Structure
  
• Relative Virtual Address calculation
  
• Export Address Table (EAT)
  
• Windows x64 calling-convention in practice
  
• Writing in Assembly like a real Giga-Chad...
  

There is a new process injection method that leverages recent Windows APIs like:

GetThreadDescription/SetThreadDescription
and
ZwQueueApcThreadEx2

These API functions which were introduced in Windows 10. This approach benefits from the following:

1. Less Detection: By using APIs that are less commonly associated with process injection, such as
   SetThreadDescription
   , the method evades detection by many antivirus (AV) and endpoint detection and response (EDR) systems.
   
2. Bypassing Access Controls: It performs remote memory allocation and writing using a handle that lacks
   PROCESS_VM_WRITE
   access, which makes it harder for traditional security measures to detect unauthorized memory manipulation.
   
   

Overall, this technique is more stealthy and less likely to be flagged by security solutions compared to older, more established injection methods.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Ransomware sales/discussion/recruiting | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[Loki]

Chad contribution for chad leecher.

What?

What you will learn

• WinAPI function manual location with Assembly
  
• PEB Structure and PEB_LDR_DATA
  
• PE File Structure
  
• Relative Virtual Address calculation
  
• Export Address Table (EAT)
  
• Windows x64 calling-convention in practice
  
• Writing in Assembly like a real Giga-Chad...
  

There is a new process injection method that leverages recent Windows APIs like:

GetThreadDescription/SetThreadDescription
and
ZwQueueApcThreadEx2

These API functions which were introduced in Windows 10. This approach benefits from the following:

1. Less Detection: By using APIs that are less commonly associated with process injection, such as
   SetThreadDescription
   , the method evades detection by many antivirus (AV) and endpoint detection and response (EDR) systems.
   
2. Bypassing Access Controls: It performs remote memory allocation and writing using a handle that lacks
   PROCESS_VM_WRITE
   access, which makes it harder for traditional security measures to detect unauthorized memory manipulation.
   
   

Overall, this technique is more stealthy and less likely to be flagged by security solutions compared to older, more established injection methods.

While "ZwQueueApcThreadEx2" can be used for executing code via APCs, "GetThreadDescription" and "SetThreadDescription" are not related to code execution or function resolution.

EDIT: I stand corrected by @Cas and you, https://github.com/hasherezade/thread_namecalling

[lildrainer]

Lokie causally cooking

[null0_q]

nice, good read

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[fuliye]

What you will learn

• WinAPI function manual location with Assembly
  
• PEB Structure and PEB_LDR_DATA
  
• PE File Structure
  
• Relative Virtual Address calculation
  
• Export Address Table (EAT)
  
• Windows x64 calling-convention in practice
  
• Writing in Assembly like a real Giga-Chad...
  

ok bro,let s check it

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[zxdpxl]

thanks for you share, and i reading it

[jameco]

thx for sharing ur info

[DieselMariner712]

Thank you so much bro!