Projects STRLCPY BananaPhone Commits 876da4fe
    README.md
    skipped 19 lines
    20 20   
    21 21  See examples in `example/`.
    22 22   
     23 +# Why
     24 + 
     25 +Here is an example I posted into a slack chan recently:
     26 + 
     27 +```
     28 +...
     29 +var (
     30 + modntdll = windows.NewLazySystemDLL("ntdll.dll")
     31 + ntapi = modntdll.NewProc("NtCreateThreadEx")
     32 +)
     33 +...
     34 + ntapi.Call(0, 1, 1, 1, 1)
     35 + var x *uintptr
     36 + bananaphone.NtCreateThreadEx(createthread, x, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2)
     37 + ntapi.Call(0, 3, 3, 3, 3)
     38 + ```
     39 + <imghere>
     40 +
     41 + What you're looking at is the output of API Monitor, which can be used to track a program's API calls. Each function was called with some easy to identify values (all 1's as a parameter, all 2's etc). What this shows is that the call made by `bananaphone.NtCreateThreadEx` is not captured by API Monitor, and any AV/EDR that uses similar methods probably won't catch it either. Neat.
     42 +
     43 + 
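Review bot: The `<imghere>` placeholder on line 39 is still in the README, so the paragraph that follows ("What you're looking at is the output of API Monitor...") refers to an image that is not there; either commit the screenshot and reference it with `![API Monitor output](...)`, or drop the placeholder and describe the captured calls in text. Two smaller points in the same hunk: the code fence on line 27 has no language tag, so `go` would give the snippet syntax highlighting, and the closing fence on line 38 is indented by a space while the opening one is not, which is worth aligning for consistency. Finally, since API Monitor observes calls by hooking in user mode, the sentence on line 41 about "any AV/EDR that uses similar methods" would be clearer if it said "user-mode API hooking" explicitly, so readers do not take the screenshot as evidence about kernel-side or ETW-based telemetry, which this test does not exercise.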