Bypassing Windows Defender

Lately I’ve been poking around at Windows internals and writing low level code. This morning I thought I’d try to bypass Windows Defender and get a low score on Virus Total. One trick I’ve been playing with is writing shellcode to the Windows registry to keep things “fileless.” It’s not super fancy, but it’s kind of neat. I combined that with indirect syscalls and some cryptographic routines to get Windows Defender to chill out....

April 16, 2025 · 14 min · 2924 words · Stephan Bridger

Extracting Windows WiFi Profiles

The other day my grandmother forgot her Windows WiFi SSID and password when she wanted to share it with a friend. So I thought if I could just automate the retrieval of her wireless profiles, she would never forget them again in the future. It turns out, the Windows API offers a nice way to enumerate WLAN information. First, we open a handle to the WLAN system by calling the WlanOpenHandle function, which we can then use to enumerate WLAN interfaces with the WlanEnumInterfaces function....

March 19, 2025 · 4 min · 682 words · Stephan Bridger
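The excerpt above stops after WlanOpenHandle and WlanEnumInterfaces. The following is an added example (not code from the original post) that carries the same Wlan API flow through to the end: open a handle, enumerate interfaces, list each interface's stored profiles, and fetch each profile's XML, which contains the SSID and, when the caller is allowed the plaintext key, the passphrase. It is written as PowerShell with the native calls declared through Add-Type. Assumptions are labelled in the comments: the P/Invoke signatures follow wlanapi.h, the in-memory sizes of WLAN_INTERFACE_INFO (532 bytes) and WLAN_PROFILE_INFO (516 bytes) are taken from the header definitions, and WLAN_PROFILE_GET_PLAINTEXT_KEY (0x4) only yields the key when run from an elevated session; otherwise the XML comes back with the key omitted or marked protected.

```powershell
# Added example: enumerate WLAN interfaces and stored profiles via wlanapi.dll.
# Run from an elevated PowerShell session to see keyMaterial in the clear.
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class Wlan
{
    // P/Invoke signatures (assumption: taken from wlanapi.h)
    [DllImport("wlanapi.dll")] static extern uint WlanOpenHandle(uint clientVersion, IntPtr reserved, out uint negotiated, out IntPtr handle);
    [DllImport("wlanapi.dll")] static extern uint WlanCloseHandle(IntPtr handle, IntPtr reserved);
    [DllImport("wlanapi.dll")] static extern uint WlanEnumInterfaces(IntPtr handle, IntPtr reserved, out IntPtr ifaceList);
    [DllImport("wlanapi.dll")] static extern uint WlanGetProfileList(IntPtr handle, ref Guid ifaceGuid, IntPtr reserved, out IntPtr profileList);
    [DllImport("wlanapi.dll")] static extern uint WlanGetProfile(IntPtr handle, ref Guid ifaceGuid,
        [MarshalAs(UnmanagedType.LPWStr)] string profileName, IntPtr reserved,
        out IntPtr profileXml, ref uint flags, out uint grantedAccess);
    [DllImport("wlanapi.dll")] static extern void WlanFreeMemory(IntPtr mem);

    const uint WLAN_PROFILE_GET_PLAINTEXT_KEY = 0x4;   // ask for keyMaterial unprotected
    const int IFACE_ENTRY_SIZE   = 16 + 256 * 2 + 4;   // GUID + WCHAR[256] description + state enum
    const int PROFILE_ENTRY_SIZE = 256 * 2 + 4;        // WCHAR[256] name + DWORD flags
    const int LIST_HEADER_SIZE   = 8;                  // dwNumberOfItems + dwIndex

    static void Check(uint rc, string api)
    {
        if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc, api + " failed");
    }

    // Returns one {interfaceDescription, profileName, profileXml} triple per stored profile.
    public static List<string[]> GetProfiles()
    {
        var results = new List<string[]>();
        uint negotiated; IntPtr h;
        Check(WlanOpenHandle(2, IntPtr.Zero, out negotiated, out h), "WlanOpenHandle");
        try
        {
            IntPtr ifList;
            Check(WlanEnumInterfaces(h, IntPtr.Zero, out ifList), "WlanEnumInterfaces");
            try
            {
                int ifCount = Marshal.ReadInt32(ifList);
                for (int i = 0; i < ifCount; i++)
                {
                    IntPtr ifEntry = ifList + LIST_HEADER_SIZE + i * IFACE_ENTRY_SIZE;
                    Guid guid = (Guid)Marshal.PtrToStructure(ifEntry, typeof(Guid));
                    string desc = Marshal.PtrToStringUni(ifEntry + 16);
                    IntPtr profList;
                    Check(WlanGetProfileList(h, ref guid, IntPtr.Zero, out profList), "WlanGetProfileList");
                    try
                    {
                        int profCount = Marshal.ReadInt32(profList);
                        for (int j = 0; j < profCount; j++)
                        {
                            string name = Marshal.PtrToStringUni(profList + LIST_HEADER_SIZE + j * PROFILE_ENTRY_SIZE);
                            uint flags = WLAN_PROFILE_GET_PLAINTEXT_KEY, granted;
                            IntPtr xmlPtr;
                            Check(WlanGetProfile(h, ref guid, name, IntPtr.Zero, out xmlPtr, ref flags, out granted), "WlanGetProfile");
                            // The XML buffer is API-allocated, so copy it out and release it with WlanFreeMemory.
                            try { results.Add(new[] { desc, name, Marshal.PtrToStringUni(xmlPtr) }); }
                            finally { WlanFreeMemory(xmlPtr); }
                        }
                    }
                    finally { WlanFreeMemory(profList); }
                }
            }
            finally { WlanFreeMemory(ifList); }
        }
        finally { WlanCloseHandle(h, IntPtr.Zero); }
        return results;
    }
}
'@
Add-Type -TypeDefinition $src

# Pull SSID, auth type and key out of each profile's XML. PowerShell's [xml]
# property navigation ignores the WLANProfile namespace, so dotted access works.
foreach ($entry in [Wlan]::GetProfiles()) {
    [xml]$x = $entry[2]
    [pscustomobject]@{
        Interface = $entry[0]
        Profile   = $entry[1]
        SSID      = $x.WLANProfile.SSIDConfig.SSID.name
        Auth      = $x.WLANProfile.MSM.security.authEncryption.authentication
        Key       = $x.WLANProfile.MSM.security.sharedKey.keyMaterial   # $null for open networks
    }
}
```

The XML buffer returned by WlanGetProfile is declared as `out IntPtr` rather than `out string` on purpose: the CLR would otherwise try to free an API-owned buffer with CoTaskMemFree, whereas wlanapi expects WlanFreeMemory. If Key comes back empty for a network you know is WPA2-PSK, the plaintext flag was not granted (check `grantedAccess`) and the process needs to be elevated.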

Using C Sharp to Enumerate Windows Processes

In previous posts, I covered how to observe process information in Windbg by starting a debugging session and dumping the Process Environment Block, and how we can view the EPROCESS structure, including a doubly linked list of active processes via ActiveProcessLinks. But in this post, we’ll discuss yet another way of gleaning information about processes in Windows, this time from another structure within the Windows ecosystem: the SYSTEM_PROCESS_INFORMATION structure.

SYSTEM_PROCESS_INFORMATION Structure

Microsoft tells us in their documentation that this structure holds various entries which hold system and process information....

September 3, 2023 · 8 min · 1617 words · Stephan Bridger
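The excerpt names SYSTEM_PROCESS_INFORMATION but cuts off before showing how it is read. Below is an added example (not the post's own code) of the usual way to get at it from user mode: call NtQuerySystemInformation with the SystemProcessInformation class, grow the buffer until the call stops returning STATUS_INFO_LENGTH_MISMATCH, then walk the entries by NextEntryOffset until it is zero. It is PowerShell wrapping a small C# class so that the snippet matches the post's C# theme. The field offsets (ImageName at 0x38, UniqueProcessId at 0x50, InheritedFromUniqueProcessId at 0x58) are an assumption taken from the 64-bit layout of the structure and are only valid in a 64-bit process, which the code checks for.

```powershell
# Added example: walk SYSTEM_PROCESS_INFORMATION entries returned by NtQuerySystemInformation.
$src = @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class SysProc
{
    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int infoClass, IntPtr buffer, int length, out int returnLength);

    const int SystemProcessInformation = 5;
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    // Assumption: x64 offsets inside SYSTEM_PROCESS_INFORMATION
    const int OFF_NextEntryOffset = 0x00;   // ULONG
    const int OFF_NumberOfThreads = 0x04;   // ULONG
    const int OFF_ImageName       = 0x38;   // UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer @ +8 }
    const int OFF_UniqueProcessId = 0x50;   // HANDLE (pointer-sized)
    const int OFF_ParentProcessId = 0x58;   // InheritedFromUniqueProcessId

    // Returns one {pid, ppid, threadCount, imageName} entry per process.
    public static List<string[]> Enumerate()
    {
        if (IntPtr.Size != 8) throw new PlatformNotSupportedException("offsets above are for 64-bit processes");
        int len = 0x10000, needed;
        IntPtr buf = Marshal.AllocHGlobal(len);
        try
        {
            int status;
            // The list can grow between calls, so over-allocate a little beyond ReturnLength.
            while ((status = NtQuerySystemInformation(SystemProcessInformation, buf, len, out needed)) == STATUS_INFO_LENGTH_MISMATCH)
            {
                Marshal.FreeHGlobal(buf);
                buf = IntPtr.Zero;              // so the finally block never double-frees
                len = needed + 0x4000;
                buf = Marshal.AllocHGlobal(len);
            }
            if (status != 0) throw new Exception("NtQuerySystemInformation failed: 0x" + status.ToString("X8"));

            var list = new List<string[]>();
            IntPtr entry = buf;
            while (true)
            {
                int next    = Marshal.ReadInt32(entry, OFF_NextEntryOffset);
                int threads = Marshal.ReadInt32(entry, OFF_NumberOfThreads);
                short nameLen  = Marshal.ReadInt16(entry, OFF_ImageName);          // bytes, not characters
                IntPtr nameBuf = Marshal.ReadIntPtr(entry, OFF_ImageName + 8);
                // The Idle process (PID 0) has a null ImageName.Buffer.
                string name = nameBuf == IntPtr.Zero ? "[Idle]" : Marshal.PtrToStringUni(nameBuf, nameLen / 2);
                long pid  = Marshal.ReadIntPtr(entry, OFF_UniqueProcessId).ToInt64();
                long ppid = Marshal.ReadIntPtr(entry, OFF_ParentProcessId).ToInt64();
                list.Add(new[] { pid.ToString(), ppid.ToString(), threads.ToString(), name });
                if (next == 0) break;            // last entry in the chain
                entry = entry + next;
            }
            return list;
        }
        finally { if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf); }
    }
}
'@
Add-Type -TypeDefinition $src

$fromNt = [SysProc]::Enumerate() | ForEach-Object {
    [pscustomobject]@{ PID = [int64]$_[0]; PPID = [int64]$_[1]; Threads = [int]$_[2]; Image = $_[3] }
}
$fromNt | Sort-Object PID | Format-Table -AutoSize

# Cross-check against the documented API: any PID present in one list and not the other
# (other than processes that exited between the two calls) is worth a closer look.
$nt  = $fromNt | Where-Object PID -ne 0 | Select-Object -ExpandProperty PID
$ps  = Get-Process | Select-Object -ExpandProperty Id
Compare-Object $nt $ps | Format-Table -AutoSize
```

NtQuerySystemInformation returns an NTSTATUS rather than a Win32 error code, which is why the failure path formats the raw status instead of going through Win32Exception. The ImageName length is in bytes, so it is halved before handing it to PtrToStringUni.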

Finding Active Processes with Windbg

In the Windows kernel, each process is assigned an EPROCESS structure, which is a kernel object that represents a program or process. And a Process Environment Block (PEB) is just one of many structures pointed to by the EPROCESS structure. A snippet from _EPROCESS as documented on Vergilius Project:

volatile ULONGLONG OwnerProcessId;
struct _PEB* Peb;
struct _MM_SESSION_SPACE* Session;
VOID* Spare1;

In user space, however, we cannot directly reference all of the EPROCESS structures and their data....

September 2, 2023 · 11 min · 2170 words · Stephan Bridger