Custom GetModuleHandle & GetProcAddress
In this blog post, we see how to retrieve the handle of a loaded module by parsing the PEB. We then use that handle to resolve function addresses by parsing the module's Export Address Table (EAT). We do this to avoid calling `GetModuleHandle` and `GetProcAddress`, which are often hooked by EDRs; it also keeps functions that are considered malicious out of our Import Table. We then take a look at the "API hashing" technique and its advantages. Finally, we fork `mkwinsyscall` to include our custom resolving Go module and create a drop-in replacement.
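As an added example (not code from the blog post or from the forked tool), the following Python walks the export directory of a PE32+ image that is already mapped in memory, so an RVA is simply an offset from the module base, and matches export names by hash as the API hashing section describes. The image layout, the `DemoExport` name, the ROR13-style hash and the 0x1234 RVA are all constructed for the example; structure offsets follow winnt.h.

```python
"""EAT walk with API hashing over a constructed, already-mapped PE32+ image (RVA == offset)."""
import struct
from typing import Optional


def api_hash(name: str) -> int:
    """ROR13-style hash of an export name (a constructed choice for this example).
    Comparing hashes lets a resolver avoid embedding cleartext API names."""
    h = 0
    for c in name.encode():
        h = (((h >> 13) | (h << 19)) & 0xFFFFFFFF) + c
        h &= 0xFFFFFFFF
    return h


def resolve_export(img: bytes, want: int) -> Optional[int]:
    """Return the RVA of the export whose name hashes to `want`, or None if absent."""
    (nt,) = struct.unpack_from("<I", img, 0x3C)             # e_lfanew -> IMAGE_NT_HEADERS64
    opt = nt + 24                                           # OptionalHeader follows FileHeader
    if img[nt:nt + 4] != b"PE\0\0" or struct.unpack_from("<H", img, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    (exp,) = struct.unpack_from("<I", img, opt + 112)       # DataDirectory[EXPORT].VirtualAddress
    if exp == 0:
        return None                                         # module exports nothing
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    n_names, funcs, names, ords = struct.unpack_from("<4I", img, exp + 24)
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", img, names + 4 * i)
        name = img[name_rva:img.index(b"\0", name_rva)].decode()
        if api_hash(name) == want:
            (ord_,) = struct.unpack_from("<H", img, ords + 2 * i)  # index into AddressOfFunctions
            return struct.unpack_from("<I", img, funcs + 4 * ord_)[0]
    return None


def demo_image() -> bytes:
    """Minimal constructed PE32+ image (not a real DLL) exporting "DemoExport"
    at RVA 0x1234; the ordinal table entry at 0x320 is left as 0."""
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"                              # NT signature
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)           # PE32+ magic
    struct.pack_into("<I", img, 0x80 + 24 + 112, 0x200)     # export directory RVA
    # IMAGE_EXPORT_DIRECTORY at 0x200: NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<5I", img, 0x200 + 20, 1, 1, 0x300, 0x310, 0x320)
    struct.pack_into("<I", img, 0x300, 0x1234)              # AddressOfFunctions[0]
    struct.pack_into("<I", img, 0x310, 0x330)               # AddressOfNames[0]
    img[0x330:0x33B] = b"DemoExport\0"
    return bytes(img)
```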