Windows-Internals on Jesus Oseguera

Windows-Internals on Jesus Oseguerahttps://r0tbyt3.dev/tags/windows-internals/Recent content in Windows-Internals on Jesus OsegueraHugoen-usAPI Set Resolutionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/api-set-resolution/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/api-set-resolution/API Set Resolution API Set Resolution - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewBlocking Driver Loading Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/blocking-driver-loading-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/blocking-driver-loading-kernel/Blocking Driver Loading Kernel Blocking Driver Loading Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewCheck If Process Is WOW64https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/check-if-process-is-wow64/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/check-if-process-is-wow64/Check If Process Is WOW64 Check If Process Is WOW64 - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewCleaning Driver Artifacts from Memory Dumps Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/cleaning-driver-artifacts-from-memory-dumps-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/cleaning-driver-artifacts-from-memory-dumps-kernel/Cleaning Driver Artifacts from Memory Dumps Kernel Cleaning Driver Artifacts from Memory Dumps Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewDisabling the Debugger Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/disabling-the-debugger-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/disabling-the-debugger-kernel/Disabling the Debugger Kernel Disabling the Debugger Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewDLL Injection via ZwCreateThreadEx Kernel Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/dll-injection-via-zwcreatethreadex-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/dll-injection-via-zwcreatethreadex-kernel-internals/DLL Injection via ZwCreateThreadEx Kernel Internals DLL Injection via ZwCreateThreadEx Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewElevate Process to SYSTEM Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/elevate-process-to-system-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/elevate-process-to-system-kernel/Elevate Process to SYSTEM Kernel Elevate Process to SYSTEM Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewEnable SeDebugPrivilegehttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/enable-sedebugprivilege/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/enable-sedebugprivilege/Enable SeDebugPrivilege Enable SeDebugPrivilege - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewHide Process Kernel Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-process-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-process-kernel-internals/Hide Process Kernel Internals Hide Process Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewHide Thread Kernel Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-thread-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/hide-thread-kernel-internals/Hide Thread Kernel Internals Hide Thread Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewIndirect Syscallshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/indirect-syscalls/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/indirect-syscalls/Indirect Syscalls Indirect Syscalls - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewKernel Modules Enumeration via AuxKlibQueryModuleInformationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-auxklibquerymoduleinformation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-auxklibquerymoduleinformation/Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via AuxKlibQueryModuleInformation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewKernel Modules Enumeration via PsLoadedModuleListhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-psloadedmodulelist/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-psloadedmodulelist/Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via PsLoadedModuleList - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewKernel Modules Enumeration via ZwQuerySystemInformationhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-zwquerysysteminformation/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/kernel-modules-enumeration-via-zwquerysysteminformation/Kernel Modules Enumeration via ZwQuerySystemInformation Kernel Modules Enumeration via ZwQuerySystemInformation - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewMmgetsystemroutineaddress Replacement with String Hashing Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/mmgetsystemroutineaddress-replacement-with-string-hashing-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/mmgetsystemroutineaddress-replacement-with-string-hashing-kernel/Mmgetsystemroutineaddress Replacement with String Hashing Kernel Mmgetsystemroutineaddress Replacement with String Hashing Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewProcess Enumeration via ZwQuerySystemInformation Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/process-enumeration-via-zwquerysysteminformation-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/process-enumeration-via-zwquerysysteminformation-kernel/Process Enumeration via ZwQuerySystemInformation Kernel Process Enumeration via ZwQuerySystemInformation Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewReading a File Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/reading-a-file-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/reading-a-file-kernel/Reading a File Kernel Reading a File Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewRetrieving Kernel Versionhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-kernel-version/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-kernel-version/Retrieving Kernel Version Retrieving Kernel Version - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewRetrieving Process Identifier Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-identifier-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-identifier-kernel/Retrieving Process Identifier Kernel Retrieving Process Identifier Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewRetrieving Process Image Base Address Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-image-base-address-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-image-base-address-kernel/Retrieving Process Image Base Address Kernel Retrieving Process Image Base Address Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewRetrieving Process Name Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-name-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-name-kernel/Retrieving Process Name Kernel Retrieving Process Name Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewRetrieving Process Parent ID Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-parent-id-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-parent-id-kernel/Retrieving Process Parent ID Kernel Retrieving Process Parent ID Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewRetrieving Process Session ID Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-session-id-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-process-session-id-kernel/Retrieving Process Session ID Kernel Retrieving Process Session ID Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewRetrieving the Address of an Unexported ZW API Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-the-address-of-an-unexported-zw-api-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/retrieving-the-address-of-an-unexported-zw-api-kernel/Retrieving the Address of an Unexported ZW API Kernel Retrieving the Address of an Unexported ZW API Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewShellcode Injection via ZwCreateThreadEx Kernel Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/shellcode-injection-via-zwcreatethreadex-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/shellcode-injection-via-zwcreatethreadex-kernel-internals/Shellcode Injection via ZwCreateThreadEx Kernel Internals Shellcode Injection via ZwCreateThreadEx Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewSyscall Gadget Pattern Scanhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-gadget-pattern-scan/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-gadget-pattern-scan/Syscall Gadget Pattern Scan Syscall Gadget Pattern Scan - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewSyscall Number Retrieval from NTDLL Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-number-retrieval-from-ntdll-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscall-number-retrieval-from-ntdll-kernel/Syscall Number Retrieval from NTDLL Kernel Syscall Number Retrieval from NTDLL Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewSyscalls Tamperinghttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscalls-tampering/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/syscalls-tampering/Syscalls Tampering Syscalls Tampering - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewTampered Syscalls via Hardware Breakpointshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/tampered-syscalls-via-hardware-breakpoints/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/tampered-syscalls-via-hardware-breakpoints/Tampered Syscalls via Hardware Breakpoints Tampered Syscalls via Hardware Breakpoints - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewTerminating a Process Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/terminating-a-process-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/terminating-a-process-kernel/Terminating a Process Kernel Terminating a Process Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewThread Enumeration Techniqueshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-techniques/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-techniques/Thread Enumeration Techniques Thread Enumeration Techniques - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewThread Enumeration via ProcFShttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-procfs/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-procfs/Thread Enumeration via ProcFS Thread Enumeration via ProcFS - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewThread Enumeration via Syscallhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-syscall/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-enumeration-via-syscall/Thread Enumeration via Syscall Thread Enumeration via Syscall - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewThread Hijacking Kernel Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-hijacking-kernel-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/thread-hijacking-kernel-internals/Thread Hijacking Kernel Internals Thread Hijacking Kernel Internals - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewUser Mode Function Lookup in Process Modules Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-function-lookup-in-process-modules-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-function-lookup-in-process-modules-kernel/User Mode Function Lookup in Process Modules Kernel User Mode Function Lookup in Process Modules Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format OverviewUser Mode Process Modules Enumeration Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-process-modules-enumeration-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/user-mode-process-modules-enumeration-kernel/User Mode Process Modules Enumeration Kernel User Mode Process Modules Enumeration Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel Using Class in C Kernel WinAPIs PE File Format OverviewUsing Class in C Kernelhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/using-class-in-c-kernel/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/using-class-in-c-kernel/Using Class in C Kernel Using Class in C Kernel - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel WinAPIs PE File Format OverviewWinAPIs PE File Format Overviewhttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/winapis-pe-file-format-overview/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/winapis-pe-file-format-overview/WinAPIs PE File Format Overview WinAPIs PE File Format Overview - a cybersecurity concept, technique, or tool relevant to this section of the wiki. Related Links: API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C KernelWindows Internalshttps://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/Mon, 01 Jan 0001 00:00:00 +0000https://r0tbyt3.dev/wiki/content/cybersecurity/malware-development/windows-internals/Windows Internals Windows Internals - foundational knowledge of Windows architecture, kernel structures, API resolution, and PE file format for malware development. API Set Resolution Blocking Driver Loading Kernel Check If Process Is WOW64 Cleaning Driver Artifacts from Memory Dumps Kernel Disabling the Debugger Kernel DLL Injection via ZwCreateThreadEx Kernel Internals Elevate Process to SYSTEM Kernel Enable SeDebugPrivilege Hide Process Kernel Internals Hide Thread Kernel Internals Indirect Syscalls Kernel Modules Enumeration via AuxKlibQueryModuleInformation Kernel Modules Enumeration via PsLoadedModuleList Kernel Modules Enumeration via ZwQuerySystemInformation Mmgetsystemroutineaddress Replacement with String Hashing Kernel Process Enumeration via ZwQuerySystemInformation Kernel Reading a File Kernel Retrieving Kernel Version Retrieving Process Identifier Kernel Retrieving Process Image Base Address Kernel Retrieving Process Name Kernel Retrieving Process Parent ID Kernel Retrieving Process Session ID Kernel Retrieving the Address of an Unexported ZW API Kernel Shellcode Injection via ZwCreateThreadEx Kernel Internals Syscall Gadget Pattern Scan Syscall Number Retrieval from NTDLL Kernel Syscalls Tampering Tampered Syscalls via Hardware Breakpoints Terminating a Process Kernel Thread Enumeration Techniques Thread Enumeration via ProcFS Thread Enumeration via Syscall Thread Hijacking Kernel Internals User Mode Function Lookup in Process Modules Kernel User Mode Process Modules Enumeration Kernel Using Class in C Kernel WinAPIs PE File Format Overview Related Links: Beacon Object Files (BOF) C2 and Networking Credential Dumping Malware Concepts Payload and PE Persistence Process Injection Sleep Obfuscation