codereversing.com
RCE Endeavors » General x86
http://www.codereversing.com/blog/archives/category/genx86
The End of the World. Archive for the ‘General x86’ Category. December 23rd, 2015. The non-invasive technique relies on remotely reading every allocated heap block in a target process and copying the bytes to the inspecting process. Once this iteration is done, a snapshot of the heap will be created and can then be accurately diffed against another snapshot at a later point in time to see how the heap state changed. This traversal is accomplished with the HeapList32First. Heap EnumerateProcessHeap (.
RCE Endeavors » admin
http://www.codereversing.com/blog/archives/author/admin
December 23rd, 2015. The non-invasive technique relies on remotely reading every allocated heap block in a target process and copying the bytes to the inspecting process. Once this iteration is done, a snapshot of the heap will be created and can then be accurately diffed against another snapshot at a later point in time to see how the heap state changed. This traversal is accomplished with the HeapList32First. Functions from the Toolhelp API. The traversal code is shown below:
RCE Endeavors » About
http://www.codereversing.com/blog/about
December 5th, 2014. This page will be updated as the blog develops. Or follow on Twitter: @CodeReversing. Hekate: x86/x64 Winsock Inspection/Modification (Alpha dev release). Manually Enumerating Process Modules. Stealth Techniques: Hiding Files in the Registry. Pepex – ZIRCONIC. On Hiding Functionality with Exception Handlers (1/2).
RCE Endeavors » Nop Hopping: Hiding Functionality in Alignment
http://www.codereversing.com/blog/archives/226
Nop Hopping: Hiding Functionality in Alignment. May 17th, 2015. The NOPs are shown after the. These NOP blocks are all over the place; they’re inside the main executable, and in each loaded library. This gives a very. API along with Module32First. These will return the base address of the image and its libraries as well as their sizes in memory. ModuleMap GetModules (. DWORD dwProcessId ). ModuleMap mapModules ;. DWORD_PTR dwBase =.
RCE Endeavors » 2015 » May
http://www.codereversing.com/blog/archives/date/2015/05
Archive for May, 2015. Nop Hopping: Hiding Functionality in Alignment. May 17th, 2015. The NOPs are shown after the. These NOP blocks are all over the place; they’re inside the main executable, and in each loaded library. This gives a very. API along with Module32First. These will return the base address of the image and its libraries as well as their sizes in memory. ModuleMap GetModules (. DWORD dwProcessId ). ModuleMap mapModules ;. TH32CS_SNAPMODULE, dwProcessId ). MEMORY_BASIC ...
RCE Endeavors » Extending External Window Functionality
http://www.codereversing.com/blog/archives/82
Extending External Window Functionality. April 17th, 2011. HWND hWnd ;. HMENU hMenuBar ;. HMENU hAddedMenu ;. LONG_PTR PrevWndProc ;. DWORD MENUITEM_ID =. PROCESSWNDINFO g_WindowInfo ;. LRESULT CALLBACK SubclassWndProc (. HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam ). MB_ICONASTERISK ). g_WindowInfo.PrevWndProc. hWnd, Msg, wParam, lParam ). BOOL CALLBACK EnumWindowProc (. HWND hWnd, LPARAM processId ). INT WINDOW_LENGTH =. This handle ...
RCE Endeavors » General x86-64
http://www.codereversing.com/blog/archives/category/genx8664
Archive for the ‘General x86-64’ Category. December 23rd, 2015. The non-invasive technique relies on remotely reading every allocated heap block in a target process and copying the bytes to the inspecting process. Once this iteration is done, a snapshot of the heap will be created and can then be accurately diffed against another snapshot at a later point in time to see how the heap state changed. This traversal is accomplished with the HeapList32First. DWORD processId, const. At th...
RCE Endeavors » 2015 » April
http://www.codereversing.com/blog/archives/date/2015/04
Archive for April, 2015. April 24th, 2015. The code snippet covered here will be a function I wrote called. Interestingly enough, while Googling this, there appears to be an MSDN article. HWND hFoundHandle ;. BOOL CALLBACK EnumWindowsProc (. HWND hWnd, LPARAM lParam ). Read up to 255 characters of window title. TCHAR strWindowTitle [. hWnd, strWindowTitle, sizeof. strWindowTitle, pWindowInfo -. strWindowTitle, pWindowInfo -. HWND FindWindowLike (. EnumWindowsProc, (. April 16th, 2015.
RCE Endeavors » Writing a Primitive Debugger: Part 5 (Miscellaneous)
http://www.codereversing.com/blog/archives/178
Writing a Primitive Debugger: Part 5 (Miscellaneous). December 20th, 2014. In order to display a disassembly dump on x86 and x64, this debugger will take advantage of the BeaEngine. The disassembler code will be pretty straightforward to work with. BeaEngine has a. Structure that needs to be initialized with the architecture type and an address. This is then passed along to a. Function, which fills the structure with information ...