killchain-compendium/misc/win32.md

Win32 API

  • User-mode programs reach kernel functionality through the Win32 API instead of issuing system calls themselves; the API functions handle the transition into kernel mode
  • Standard functions are called by referencing a header file (windows.h) together with the DLLs that export them
  • DLLs are split into a core set and a supplemental set
    • Core DLLs are KERNEL32, USER32 and ADVAPI32
    • Supplemental DLLs include NTDLL, the COM libraries and FVEAPI
  • Every API call has a defined call structure: a fixed list of typed parameters that must be passed explicitly
  • ASLR is used, so the load address of each DLL (and therefore of each function it exports) is not fixed
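
The following PowerShell snippet is an added example (not part of the compendium) that shows the points above from the defender's side: it lists the DLLs mapped into the current PowerShell process, tags the ones the notes call core or supplemental, and prints their base addresses. The `$core` and `$supplemental` lists and the `Get-Win32ModuleMap` function name are this example's own choices; COM is represented by combase.dll and ole32.dll because COM itself is not a single DLL.

```powershell
# Added example (not from the compendium): map the DLLs loaded into this process
# against the "core" / "supplemental" split from the notes. Base addresses are
# assigned by ASLR, so run this again after a reboot and compare: the system DLL
# addresses change, which is why nothing should hard-code them.

$core         = @('kernel32.dll', 'user32.dll', 'advapi32.dll')
$supplemental = @('ntdll.dll', 'combase.dll', 'ole32.dll', 'fveapi.dll')  # COM libs stand in for "COM"

function Get-Win32ModuleMap {
    # Process.Modules is plain .NET; no P/Invoke is needed to see what is loaded.
    $proc = [System.Diagnostics.Process]::GetCurrentProcess()
    foreach ($m in $proc.Modules) {
        $name = $m.ModuleName.ToLower()
        $role = if ($core -contains $name) { 'core' } elseif ($supplemental -contains $name) { 'supplemental' } else { 'other' }
        [pscustomobject]@{
            Module = $m.ModuleName
            Role   = $role
            Base   = ('0x{0:X16}' -f $m.BaseAddress.ToInt64())   # randomized per boot by ASLR
            Size   = $m.ModuleMemorySize
            Path   = $m.FileName
        }
    }
}

# Show only the DLLs the notes name; drop the Where-Object to see every module.
Get-Win32ModuleMap |
    Where-Object Role -ne 'other' |
    Sort-Object Role, Module |
    Format-Table -AutoSize
```

FVEAPI will normally be absent from the output because PowerShell does not load it; a DLL only appears once something in the process has linked against or loaded it, which is also why an unexpected module in this list is worth a second look during incident response.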

API Calls

  • Win32 API calls doc: Microsoft's reference describes every function and its parameters
  • MalAPI.io catalogues the API calls commonly abused by malware, which helps when deciding which imports to look for while analysing a sample
  • Functionality is extended through the function naming scheme; a suffix on the name selects the variant
    • A is the ANSI (narrow string) variant
    • W is the Unicode (wide, UTF-16 string) variant
    • Ex is an extended variant with additional functionality, for example for I/O

C API

  • Including windows.h makes the Win32 functions available to a C program
  • Call an API function and keep what it returns (for example a handle) in a variable, then pass that variable to the follow-up calls

P/Invoke

  • DLL exports can be imported as external methods via P/Invoke
  • This substitutes for the windows.h approach and may be used instead of it from PowerShell and .NET

```csharp
using System;
using System.Runtime.InteropServices;

public class Program
{
    // Import MessageBox from user32.dll; CharSet.Unicode selects the W export,
    // SetLastError lets Marshal.GetLastWin32Error() report a failure afterwards.
    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern int MessageBox(IntPtr hWnd, string lpText, string lpCaption, uint uType);

    public static void Main()
    {
        // uType 0 = MB_OK; the return value identifies the button pressed (IDOK = 1)
        int result = MessageBox(IntPtr.Zero, "Hello from P/Invoke", "Win32 API", 0);
        Console.WriteLine($"MessageBox returned {result}");
    }
}
```
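
The PowerShell snippet below is an added example (not part of the compendium) covering two of the notes at once: the P/Invoke route from PowerShell via `Add-Type`, which is the equivalent of the C# `DllImport` above, and the A / W / Ex naming scheme from the API Calls section. It keeps the module handle from one call in a variable and reuses it in later calls, as the C API note describes. The `Win32Demo` namespace, the `Kernel32` class name and the `Resolve-Export` function are this example's own choices; `GetModuleHandleW` and `GetProcAddress` are real kernel32 exports.

```powershell
# Added example (not from the compendium): P/Invoke from PowerShell. The C# source
# in the here-string is compiled by Add-Type, exactly like the DllImport above.
$signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);

// GetProcAddress has no A/W variants; ExactSpelling stops the marshaller appending a suffix.
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
$k32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'Win32Demo' -PassThru

# user32.dll is a core DLL and is already mapped into the PowerShell process,
# so GetModuleHandleW returns its base; the handle is kept for the calls below.
$hUser32 = $k32::GetModuleHandleW('user32.dll')
if ($hUser32 -eq [IntPtr]::Zero) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "GetModuleHandleW failed, Win32 error $err"
}

function Resolve-Export([IntPtr]$Module, [string]$Name) {
    $addr = $k32::GetProcAddress($Module, $Name)
    $found = ($addr -ne [IntPtr]::Zero)
    $text  = if ($found) { '0x{0:X16}' -f $addr.ToInt64() } else { '-' }
    [pscustomobject]@{ Export = $Name; Found = $found; Address = $text }
}

# One base name, four real exports: A (ANSI), W (UTF-16) and the Ex variants with
# extra parameters. Plain "MessageBox" is only a windows.h macro, so it is not found.
'MessageBoxA', 'MessageBoxW', 'MessageBoxExA', 'MessageBoxExW', 'MessageBox' |
    ForEach-Object { Resolve-Export -Module $hUser32 -Name $_ } |
    Format-Table -AutoSize
```

The addresses printed for the four variants all lie inside the user32.dll mapping shown by the previous module listing, and they move with that mapping across reboots because of ASLR; the suffix-less name resolving to nothing is the practical reason a P/Invoke signature must either name the exact export or let `CharSet` pick the A or W one.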