killchain-compendium/Miscellaneous/Win32.md

2022-11-13 16:00:22 +01:00
# Win32 API
* User-mode programs reach kernel services through the API without issuing system calls or entering kernel mode themselves
* Standard functions are called by referencing header files and DLLs, e.g. [Windows.h](https://en.wikipedia.org/wiki/Windows.h)
* There are core and supplemental DLLs
* Core DLLs are KERNEL32, USER32 and ADVAPI32
* Supplemental DLLs are e.g. NTDLL, COM or FVEAPI
* API calls follow a fixed call structure with explicitly typed parameters
* ASLR (address space layout randomization) is used
## API Calls
* [Win32 API calls doc](https://docs.microsoft.com/en-us/windows/win32/apiindex/windows-api-list)
* [MalAPI.io](http://malapi.io/) catalogues API calls commonly abused by malware
* Variants of a function are distinguished by a suffix in the naming scheme:
* __A__ is ANSI
* __W__ is Unicode (wide-character)
* __Ex__ is an extended variant with additional functionality, e.g. for I/O
### C API
* Including `windows.h` makes the API declarations available
* Declare a variable and initialise it with the return value of an API function
### P/Invoke
* DLL imports and external methods can be declared via [P/Invoke](https://docs.microsoft.com/en-us/dotnet/standard/native-interop/pinvoke)
* Substitutes the `windows.h` implementation and may be used instead of it for __powershell__ and __.NET__
```C#
using System;
using System.Runtime.InteropServices;

public class Program
{
    // Import MessageBox from user32.dll; CharSet.Unicode makes the marshaller bind the W variant,
    // SetLastError = true lets Marshal.GetLastWin32Error() read the error code after the call.
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern int MessageBox(IntPtr hWnd, string lpText, string lpCaption, uint uType);
    ...
}
```
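The following is an added example, not code from the compendium: it uses P/Invoke from PowerShell (`Add-Type` with the same `DllImport` pattern as above) and at the same time makes the __A__/__W__/__Ex__ naming scheme visible, by declaring the ANSI and Unicode exports explicitly with `EntryPoint` and by checking with `GetProcAddress` which names user32.dll actually exports. The class name `User32` and the variable names are choices made here; the API names, constants and DLLs are the documented Win32 ones.

```powershell
# Added example (not from the compendium): P/Invoke from PowerShell via Add-Type.
# The A and W exports of user32!MessageBox are declared explicitly, so the suffix
# selection that CharSet normally performs silently is visible in the declaration.
$signature = @'
using System;
using System.Runtime.InteropServices;

public static class User32 {
    // EntryPoint pins the export name; CharSet tells the marshaller how to encode the strings.
    [DllImport("user32.dll", EntryPoint = "MessageBoxA", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern int MessageBoxA(IntPtr hWnd, string lpText, string lpCaption, uint uType);

    [DllImport("user32.dll", EntryPoint = "MessageBoxW", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int MessageBoxW(IntPtr hWnd, string lpText, string lpCaption, uint uType);

    // kernel32!LoadLibraryW / GetProcAddress are used only to look up which export names exist.
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryW(string lpLibFileName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
}
'@
Add-Type -TypeDefinition $signature

# Documented MessageBox flags (uType).
$MB_OK              = 0x0
$MB_ICONINFORMATION = 0x40

# "MessageBox" without a suffix is a C macro, not an export: only the A/W (and ExA/ExW) variants exist.
$user32 = [User32]::LoadLibraryW("user32.dll")
foreach ($name in "MessageBox", "MessageBoxA", "MessageBoxW", "MessageBoxExW") {
    $addr  = [User32]::GetProcAddress($user32, $name)
    $label = if ($addr -eq [IntPtr]::Zero) { "not exported" } else { "0x{0:X}" -f $addr.ToInt64() }
    "{0,-14} -> {1}" -f $name, $label
}

# Call the Unicode variant; IDOK (1) is returned when the user clicks OK.
$result = [User32]::MessageBoxW([IntPtr]::Zero, "Hello from P/Invoke", "Win32 API", ($MB_OK -bor $MB_ICONINFORMATION))
"MessageBoxW returned $result"

# With SetLastError = true the Win32 error code of the last call can be read from managed code.
"GetLastWin32Error: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
```

The lookup loop prints `not exported` for the bare name and an address for the suffixed ones, which is the naming scheme of the __API Calls__ section in practice. From a detection standpoint, the whole `$signature` string passes through `Add-Type` and is recorded by PowerShell script block logging (Event ID 4104), which is why `DllImport` declarations in scripts are a common hunting pivot.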