A developer who likes swimming

Joined June 2020
It is an honor for me to be mentioned in a post by the great @modexpblog and @MDSecLabs . I'm pleased my work has been useful - I came up with the idea in March thanks to the lockdown - despite FreshyCalls being simply a PoC. Cheers & happy New Year!
In our final blog post of 2020, @modexpblog catalogues a variety of methods for bypassing user-mode hooks for red teams mdsec.co.uk/2020/12/bypassin… We'll be back in 2021.... #happynewyear
0
9
21
Replying to @TheRealWover
I'm lacking a bit of context. Do you have any example to share?
0
0
0
Hey @TheRealWover, could you open DMs with me, please?
0
0
0
Replying to @TheRealWover
You’re welcome!
0
0
0
Replying to @TheRealWover
Look at this line here: github.com/TheWover/DInvoke/… "(UInt64)pApiSetNamespace + (UInt64)SetEntry.ValueOffset" will be the first host but "(UInt64)pApiSetNamespace + (UInt64)SetEntry.ValueOffset + sizeof(Data.PE.ApiSetValueEntry)" will be the second. It's just like an array
1
0
0
Replying to @TheRealWover
Yep, this is definitely your case. In DInvoke you only take the first virtual host but api-ms-win-core-processthreads-l1-1-0 has 2, kernel32.dll and kernelbase.dll. You will need to detect the loop somehow and then take the second one. Maybe keeping the previous host?
1
0
0
Replying to @TheRealWover
Sometimes you need to use the second DLL host instead, get the api set as usual but use the second entry of the value array. You can take a look at the BlackBone code if you want to see an implementation
1
0
3
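The three replies above describe the API set value array (the namespace entry's ValueOffset points at ValueCount consecutive ApiSetValueEntry records) and the case where the first host is the wrong one. The following is an added example, not DInvoke or BlackBone code: it walks the API set map of the current process from the PEB, returns every host for a contract, and then selects the host the way the loader does, by matching the importing module against the value entry's Name field and falling back to the unnamed default. It assumes the v6 schema (Windows 10 and later), the PEB->ApiSetMap offsets 0x68 (x64) and 0x38 (x86), that schema string lengths are in bytes of UTF-16, and that the first value entry with an empty Name is the default host; the function and struct names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Added example (not DInvoke's or BlackBone's code). Assumes API set schema v6.
static class ApiSetWalker
{
    [StructLayout(LayoutKind.Sequential)]
    struct ApiSetNamespace { public uint Version, Size, Flags, Count, EntryOffset, HashOffset, HashFactor; }

    [StructLayout(LayoutKind.Sequential)]
    struct ApiSetNamespaceEntry { public uint Flags, NameOffset, NameLength, HashedLength, ValueOffset, ValueCount; }

    [StructLayout(LayoutKind.Sequential)]
    struct ApiSetValueEntry { public uint Flags, NameOffset, NameLength, ValueOffset, ValueLength; }

    [StructLayout(LayoutKind.Sequential)]
    struct ProcessBasicInformation
    {
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, InheritedFromUniqueProcessId;
    }

    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref ProcessBasicInformation info, int infoLength, out int returnLength);

    // Assumed PEB->ApiSetMap offsets: 0x68 on x64, 0x38 on x86.
    static readonly int ApiSetMapOffset = IntPtr.Size == 8 ? 0x68 : 0x38;

    static IntPtr GetApiSetMap()
    {
        var pbi = new ProcessBasicInformation();
        // (IntPtr)(-1) is the current-process pseudo-handle; info class 0 = ProcessBasicInformation.
        int status = NtQueryInformationProcess((IntPtr)(-1), 0, ref pbi,
            Marshal.SizeOf<ProcessBasicInformation>(), out _);
        if (status != 0)
            throw new InvalidOperationException($"NtQueryInformationProcess failed: 0x{status:X8}");
        return Marshal.ReadIntPtr(pbi.PebBaseAddress, ApiSetMapOffset);
    }

    // Every offset in the schema is relative to the map base; lengths are in bytes of UTF-16.
    static string ReadName(IntPtr map, uint offset, uint lengthBytes) =>
        lengthBytes == 0 ? string.Empty : Marshal.PtrToStringUni(map + (int)offset, (int)(lengthBytes / 2));

    // Returns (Importer, Host) pairs for e.g. "api-ms-win-core-processthreads-l1-1-0".
    // Importer "" is the default host; a non-empty Importer means "when that module imports
    // the contract, redirect to Host instead" (this is how kernel32.dll ends up at kernelbase.dll).
    public static List<(string Importer, string Host)> ResolveHosts(string contract)
    {
        IntPtr map = GetApiSetMap();
        var ns = Marshal.PtrToStructure<ApiSetNamespace>(map);
        if (ns.Version != 6)
            throw new NotSupportedException($"API set schema v{ns.Version} is not handled by this example");

        // The loader compares only the part before the last '-' (minor version ignored);
        // HashedLength on the entry describes exactly that prefix.
        int dash = contract.LastIndexOf('-');
        string key = dash > 0 ? contract.Substring(0, dash) : contract;
        int entrySize = Marshal.SizeOf<ApiSetNamespaceEntry>();
        int valueSize = Marshal.SizeOf<ApiSetValueEntry>();

        for (uint i = 0; i < ns.Count; i++)
        {
            var entry = Marshal.PtrToStructure<ApiSetNamespaceEntry>(map + (int)ns.EntryOffset + (int)i * entrySize);
            if (!string.Equals(ReadName(map, entry.NameOffset, entry.HashedLength), key, StringComparison.OrdinalIgnoreCase))
                continue;

            // The value entries form a plain array: ValueOffset + k * sizeof(ApiSetValueEntry).
            var hosts = new List<(string, string)>();
            for (uint k = 0; k < entry.ValueCount; k++)
            {
                var val = Marshal.PtrToStructure<ApiSetValueEntry>(map + (int)entry.ValueOffset + (int)k * valueSize);
                hosts.Add((ReadName(map, val.NameOffset, val.NameLength), ReadName(map, val.ValueOffset, val.ValueLength)));
            }
            return hosts;
        }
        throw new KeyNotFoundException($"{contract} is not in the API set map");
    }

    // Loader-style choice: an alias naming the importing module wins, otherwise the unnamed default.
    public static string PickHost(string contract, string importer)
    {
        var hosts = ResolveHosts(contract);
        foreach (var (imp, host) in hosts)
            if (imp.Length > 0 && string.Equals(imp, importer, StringComparison.OrdinalIgnoreCase))
                return host;
        foreach (var (imp, host) in hosts)
            if (imp.Length == 0)
                return host;
        return hosts[0].Host;
    }

    static void Main()
    {
        const string contract = "api-ms-win-core-processthreads-l1-1-0";
        foreach (var (imp, host) in ResolveHosts(contract))
            Console.WriteLine($"{contract}: importer='{imp}' -> {host}");
        Console.WriteLine($"resolved on behalf of kernel32.dll: {PickHost(contract, "kernel32.dll")}");
    }
}
```

The shortcut discussed in the thread, taking the second value entry when the first host is the module you are already resolving from, handles the processthreads case; matching the importer name against the entry's Name field is the general form of the same rule and needs no loop detection, because the schema itself records which importer each alias applies to.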
Maybe the GC is moving the address of the variable? Try to pin the variable: "GCHandle handle = GCHandle.Alloc(lpSize, GCHandleType.Pinned);" And instead of "ref lpSize" use "handle.AddrOfPinnedObject()"
0
0
0