3 Dynamic API Calling – Thread, Process, and Environment Information
In this chapter, we will learn the basics of Windows API calls in x86 assembly. We will first look at the Thread Environment Block (TEB) and the Process Environment Block (PEB), and at how attackers use these structures in malicious software. By the end of this chapter, you should have a better understanding of how the compiler makes dynamic calls through calling conventions so that the program runs as expected. With these foundations in place, you can move step by step toward the goal of writing your own Windows shellcode. For example, calling a Windows API whose name does not appear anywhere in our source code allows a program to evade antivirus detection that relies on blacklisted API names.
In this chapter, ...
Get Windows APT Warfare now with the O’Reilly learning platform.