sylv1(@sylv1_secu) 's Twitter Profile Photo
sylv1
@sylv1_secu

9 years ago

nouvelle version avec chaine en dur 'ZwrueuerpcThread' patchée en ZwQueueApcThread avant GetProcAddress o_O

nouvelle version #dyreza avec chaine en dur 'ZwrueuerpcThread' patchée en ZwQueueApcThread avant GetProcAddress o_O
account_circle
✞ inversecos🩸(@inversecos) 's Twitter Profile Photo
✞ inversecos🩸
@inversecos

2 years ago

1\ : Detecting Malicious APC Code Injection

APCs can be queued to a thread to execute malicious code PRIOR to normal execution.

The first indication to look for are calls to queue APCs
> QueueUserAPC
> NTQueueApcThread
> ZwQueueAPCThread
> RtlQueueApcWow64Thread

1\ #MalwareAnalysis: Detecting Malicious APC Code Injection APCs can be queued to a thread to execute malicious code PRIOR to normal execution. The first indication to look for are calls to queue APCs > QueueUserAPC > NTQueueApcThread > ZwQueueAPCThread > RtlQueueApcWow64Thread
account_circle
Lokesh(@Loki_RE_artist) 's Twitter Profile Photo
Lokesh
@Loki_RE_artist

1 year ago

Executing shellcode using and API
AresLoader version 3.0
193[.233[.134.57/manager/payload


MalwareHunterTeam JAMESWT James Florian Roth bohops Michael Gillespie

Executing shellcode using #ZwQueueApcThread and #NtTestAlert API AresLoader version 3.0 193[.233[.134.57/manager/payload #malware #AresLoader #reversing #cybersecurite #MaaS #ThreatProtection #intel @malwrhunterteam @JAMESWT_MHT @James_inthe_box @cyb3rops @bohops @demonslay335
account_circle
sylv1(@sylv1_secu) 's Twitter Profile Photo
sylv1
@sylv1_secu

8 years ago

chaine en dur est désormais 'ZwrueTerpcThread' au lieu de ZwQueueApcThread (toujours pas bien compris ce que c'est censé contourner)

account_circle