| skipped 3 lines |
4 | 4 | | This PoC code demostrate how TpAllocWork, TpPostWork and TpReleaseWork can be used to execute machine code, the code start a image file |
5 | 5 | | by calling: |
6 | 6 | | |
| 7 | + | ``` |
7 | 8 | | TpAllocWork ---> RtlCreateProcessParametersEx |
8 | 9 | | TpAllocWork ---> ZwCreateUserProcess (syscalled) |
9 | 10 | | TpAllocWork ---> ZwResumeThread (syscalled) |
10 | 11 | | TpAllocWork ---> RtlDestroyProcessParameters |
| 12 | + | ``` |
11 | 13 | | |
12 | 14 | | All API calls happens in memory only, no reference to ntdll og kernel32 on file system, so the machine code can be obfuscated, calls to |
13 | 15 | | function in kernel32 (in memory) is done by resolving the base address of kernel32 and then lookup the hash value of the function and then: |
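Review bot: the two added fence lines (new lines 7 and 12) correctly wrap the four `TpAllocWork --->` lines so they render as a block, but the context text around them still carries errors that this README edit is the natural place to fix: "demostrate" should be "demonstrates", "the code start a image file" should be "the code starts an image file", "ntdll og kernel32" should be "ntdll or kernel32", "All API calls happens" should be "All API calls happen", and "calls to function in kernel32 (in memory) is done" should be "calls to functions in kernel32 (in memory) are done". Two documentation gaps are also worth closing in the same hunk: "no reference to ntdll og kernel32 on file system" does not say what exactly is avoided (import-table entries for those DLLs, or something else), and the "(syscalled)" tag on the ZwCreateUserProcess and ZwResumeThread lines is never defined, so a one-line note saying what distinguishes those two calls from the two Rtl* calls in the list would make the block self-explanatory.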
| skipped 27 lines |