| skipped 3 lines |
| 4 | 4 | | This PoC code demostrate how TpAllocWork, TpPostWork and TpReleaseWork can be used to execute machine code, the code start a image file |
| 5 | 5 | | by calling: |
| 6 | 6 | | |
| | 7 | + | ``` |
| 7 | 8 | | TpAllocWork ---> RtlCreateProcessParametersEx |
| 8 | 9 | | TpAllocWork ---> ZwCreateUserProcess (syscalled) |
| 9 | 10 | | TpAllocWork ---> ZwResumeThread (syscalled) |
| 10 | 11 | | TpAllocWork ---> RtlDestroyProcessParameters |
| | 12 | + | ``` |
| 11 | 13 | | |
| 12 | 14 | | All API calls happens in memory only, no reference to ntdll og kernel32 on file system, so the machine code can be obfuscated, calls to |
| 13 | 15 | | function in kernel32 (in memory) is done by resolving the base address of kernel32 and then lookup the hash value of the function and then: |
| skipped 27 lines |
