WinAPI list
VirtualAlloc - Allocate memory on current process
Signature
LPVOID VirtualAlloc(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
Parameters
lpAddress
- Address of the memory to be allocated
- 0 = API chooses the location automatically
dwSize
- Size of the allocation
flAllocationType
- Memory allocation type
- Usually MEM_COMMIT | MEM_RESERVE = 0x3000
flProtect
- Memory Protection constants
- 0x20 = RX
- 0x40 = RWX
- 0x04 = RW
VirtualAllocEx - Allocate memory on a remote process
Signature
LPVOID VirtualAllocEx(
HANDLE hProcess,
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
Parameters
hProcess
- Target process's handle
lpAddress
- Start address to allocate the memory
- 0 = VirtualAllocEx automatically chooses the starting address for us (check out DripLoader)
dwSize
- Length/Amount of memory to allocate
flAllocationType
- Type of memory allocation. Usually MEM_COMMIT | MEM_RESERVE = 0x3000
flProtect
- Memory Protection constants
- 0x20 = RX
- 0x40 = RWX
- 0x04 = RW
OpenProcess - Retrieve a handle to a remote process based on PID
Signature
HANDLE OpenProcess(
DWORD dwDesiredAccess,
BOOL bInheritHandle,
DWORD dwProcessId
);
Parameters
dwDesiredAccess
- Access right to obtain in target process. Usually PROCESS_ALL_ACCESS (0x001F0FF)
bInheritHandle
- True/False on whether the handle can be inherited by child processes or not. Usually False, because we just don't care.
dwProcessId
- Target process's PID
VirtualProtect - Change memory protection
Signature
BOOL VirtualProtect(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flNewProtect,
PDWORD lpflOldProtect
);
Parameters
lpAddress
- Pointer to the start of the memory address
dwSize
- Size of the memory to change the protection, in bytes. Usually lpAddress + dwSize, or the shellcode's length
flNewProtect
- Memory protection constant
lpflOldProtect
- Pointer to a variable with current memory protection. Usually just 0.
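From the defensive side, the flProtect values listed above are what an API trace shows when memory is made executable. The Python sketch below is an added example, not part of the original notes: it scans a constructed trace and flags RWX allocations and writable regions later switched to an executable protection. The key=value line format and its field names (pid, api, target, addr, size, type, protect) are assumptions.

```python
# Protection constants as listed in these notes.
PAGE_READWRITE = 0x04           # RW
PAGE_EXECUTE_READ = 0x20        # RX
PAGE_EXECUTE_READWRITE = 0x40   # RWX
EXECUTABLE = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}
WRITABLE = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE}

# Constructed sample trace; the key=value layout is an assumed format.
SAMPLE_TRACE = """\
pid=4321 api=VirtualAlloc addr=0x1f0000 size=0x1000 type=0x3000 protect=0x04
pid=4321 api=VirtualProtect addr=0x1f0000 size=0x1000 protect=0x20
pid=4321 api=VirtualAlloc addr=0x2a0000 size=0x2000 type=0x3000 protect=0x40
pid=5000 api=VirtualAllocEx target=6000 addr=0x3b0000 size=0x1000 type=0x3000 protect=0x40
pid=7000 api=VirtualAlloc addr=0x4c0000 size=0x1000 type=0x3000 protect=0x04
"""


def parse_line(line):
    """Turn 'key=value ...' into a dict; numeric fields (hex or decimal) become int."""
    rec = {}
    for field in line.split():
        key, _, value = field.partition("=")
        rec[key] = value if key == "api" else int(value, 0)
    return rec


def find_alerts(trace):
    """Return (pid, api, addr, reason) for each suspicious protection event."""
    alerts = []
    writable = set()  # (owning pid, base address) of regions allocated writable
    for line in filter(str.strip, trace.splitlines()):
        r = parse_line(line)
        # VirtualAllocEx allocates inside the target process, not the caller.
        region = (r.get("target", r["pid"]), r["addr"])
        if r["api"] in ("VirtualAlloc", "VirtualAllocEx"):
            if r["protect"] in WRITABLE:
                writable.add(region)
            if r["protect"] == PAGE_EXECUTE_READWRITE:
                where = "remote " if r["api"] == "VirtualAllocEx" else ""
                alerts.append((r["pid"], r["api"], r["addr"], where + "RWX allocation"))
        elif r["api"] == "VirtualProtect":
            if region in writable and r["protect"] in EXECUTABLE:
                alerts.append((r["pid"], r["api"], r["addr"],
                               "writable region made executable"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_TRACE):
        print(alert)
```

The RW-only allocation by pid 7000 produces no alert, since a writable region that never becomes executable is ordinary heap-like behaviour.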