OwOwning with the Windows API
OwOwning with the Windows API is a presentation given during the DEFCON Furs 2020 virtual conference.
During the presentation, I (secfurry) explore the methods and function calls used to spoof parent process relationships in Windows and inject shellcode into Windows applications. I cover many undocumented or lesser-known functions and provide code (saved here) to experiment with and modify as you see fit.
I can be reached on Twitter at @secfurry.
PS: The code used in this presentation was given to one of my friends, @iDigitalFlame, to use in the development of his malware framework XMT; go check it out if you're interested in more cool stuff like this.
Links
- Zw and Nt Prefixes
- PEB Block Overwriting
- StartupInfoEx
- Detecting Parent Process Spoofing (Git Repo)
- Preventing Parent Process Spoofing
- Another Writeup on Parent Spoofing
- Parent Process Spoofing Office Macro
Windows API Function Reference
- OpenProcess
- InitializeProcThreadAttributeList
- UpdateProcThreadAttribute
- CreateProcessW
- WaitForSingleObject
- DuplicateHandle
- LookupPrivilegeValue
- OpenProcessToken
- AdjustTokenPrivileges
- NtAllocateVirtualMemory
- NtWriteVirtualMemory
- NtCreateThreadEx
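The first four functions in the list above are the entire parent process spoofing sequence: open the process that should appear as the parent, build a one-entry attribute list, store the handle under PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, and pass the list to CreateProcessW through a STARTUPINFOEX. The following PowerShell is an added example written for this page, not the code from the talk or from XMT; it wraps the Win32 calls with P/Invoke (the class name `PPidSpoof` and the function `Start-ProcessWithSpoofedParent` are our own names) and then reads back what the kernel recorded as the parent.

```powershell
# Added example (not the talk's code): create a child whose recorded parent is a process of our
# choosing, using OpenProcess -> InitializeProcThreadAttributeList -> UpdateProcThreadAttribute
# -> CreateProcessW. Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.
$Source = @'
using System;
using System.Runtime.InteropServices;

public static class PPidSpoof
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    public const uint PROCESS_CREATE_PROCESS       = 0x0080;      // only right the parent attribute needs
    public const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000;  // lpStartupInfo is a STARTUPINFOEX
    public const uint CREATE_NEW_CONSOLE           = 0x00000010;
    public const int  PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern void DeleteProcThreadAttributeList(IntPtr lpAttributeList);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessW(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $Source

function Start-ProcessWithSpoofedParent {
    param([Parameter(Mandatory)][int]$ParentPid,
          [Parameter(Mandatory)][string]$CommandLine)
    $M = [Runtime.InteropServices.Marshal]

    # 1. Handle to the process that will be recorded as the parent.
    $hParent = [PPidSpoof]::OpenProcess([PPidSpoof]::PROCESS_CREATE_PROCESS, $false, $ParentPid)
    if ($hParent -eq [IntPtr]::Zero) { throw "OpenProcess($ParentPid) failed, error $($M::GetLastWin32Error())" }

    # 2. First call with a null list fails by design and returns the size needed for one attribute.
    $size = [IntPtr]::Zero
    [void][PPidSpoof]::InitializeProcThreadAttributeList([IntPtr]::Zero, 1, 0, [ref]$size)
    $list = $M::AllocHGlobal($size)
    if (-not [PPidSpoof]::InitializeProcThreadAttributeList($list, 1, 0, [ref]$size)) { throw "InitializeProcThreadAttributeList failed" }

    # 3. lpValue must point AT the HANDLE, so park the handle in unmanaged memory and pass that address.
    $cell = $M::AllocHGlobal([IntPtr]::Size)
    $M::WriteIntPtr($cell, $hParent)
    $ok = [PPidSpoof]::UpdateProcThreadAttribute($list, 0, [IntPtr][PPidSpoof]::PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                                  $cell, [IntPtr][IntPtr]::Size, [IntPtr]::Zero, [IntPtr]::Zero)
    if (-not $ok) { throw "UpdateProcThreadAttribute failed, error $($M::GetLastWin32Error())" }

    # 4. cb must be the size of STARTUPINFOEX (not STARTUPINFO), and EXTENDED_STARTUPINFO_PRESENT
    #    tells CreateProcessW to honour lpAttributeList. Nested structs are value types in
    #    PowerShell, so fill the inner STARTUPINFO first and then assign it.
    $inner = New-Object PPidSpoof+STARTUPINFO
    $inner.cb = $M::SizeOf([type][PPidSpoof+STARTUPINFOEX])
    $si = New-Object PPidSpoof+STARTUPINFOEX
    $si.StartupInfo = $inner
    $si.lpAttributeList = $list
    $pi = New-Object PPidSpoof+PROCESS_INFORMATION
    $flags = [PPidSpoof]::EXTENDED_STARTUPINFO_PRESENT -bor [PPidSpoof]::CREATE_NEW_CONSOLE
    $ok = [PPidSpoof]::CreateProcessW($null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero, $false, $flags,
                                       [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $err = $M::GetLastWin32Error()

    # 5. Release everything this side owns; the child keeps running.
    [PPidSpoof]::DeleteProcThreadAttributeList($list)
    $M::FreeHGlobal($list); $M::FreeHGlobal($cell)
    [void][PPidSpoof]::CloseHandle($hParent)
    if (-not $ok) { throw "CreateProcessW failed, error $err" }
    [void][PPidSpoof]::CloseHandle($pi.hProcess); [void][PPidSpoof]::CloseHandle($pi.hThread)
    return $pi.dwProcessId
}

# Usage: make notepad.exe look like a child of explorer.exe, then compare what the kernel
# recorded (ParentProcessId) with the PowerShell host that really created it ($PID).
$fakeParent = (Get-Process explorer | Select-Object -First 1).Id
$childPid   = Start-ProcessWithSpoofedParent -ParentPid $fakeParent -CommandLine 'notepad.exe'
Get-CimInstance Win32_Process -Filter "ProcessId = $childPid" |
    Select-Object ProcessId, ParentProcessId, @{ n = 'RealCreator'; e = { $PID } }
```

The final query prints `ParentProcessId` equal to the explorer.exe PID rather than `$PID`, because the parent the kernel stores for the new process is the one named in the attribute; Task Manager, WMI and any tooling that reads that field will show the same spoofed relationship, which is what the "Detecting Parent Process Spoofing" link above is about. Two caveats worth knowing before experimenting: OpenProcess must succeed with PROCESS_CREATE_PROCESS on the chosen parent, so a protected or higher-integrity target fails at step 1, and the UpdateProcThreadAttribute documentation notes that the child inherits attributes such as handles and job membership from the specified parent rather than from the caller.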
Updated on 08/07/2020