WinAPI list
VirtualAlloc - Allocate memory in the current process
Signature
LPVOID VirtualAlloc(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
Parameters
lpAddress - Address of the memory to be allocated. 0 = API chooses the location automatically
dwSize - Size of the allocation
flAllocationType - Memory allocation type. Usually MEM_COMMIT | MEM_RESERVE = 0x3000
flProtect - Memory protection constants:
0x20 = RX
0x40 = RWX
0x04 = RW
VirtualAllocEx - Allocate memory in a remote process
Signature
LPVOID VirtualAllocEx(
HANDLE hProcess,
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
Parameters
hProcess - Target process's handle
lpAddress - Start address at which to allocate the memory. 0 = VirtualAllocEx automatically chooses the starting address for us (check out DripLoader)
dwSize - Length/amount of memory to allocate
flAllocationType - Type of memory allocation. Usually MEM_COMMIT | MEM_RESERVE = 0x3000
flProtect - Memory protection constants:
0x20 = RX
0x40 = RWX
0x04 = RW
OpenProcess - Retrieve a handle to a remote process based on PID
Signature
HANDLE OpenProcess(
DWORD dwDesiredAccess,
BOOL bInheritHandle,
DWORD dwProcessId
);
Parameters
dwDesiredAccess - Access right to obtain on the target process. Usually PROCESS_ALL_ACCESS (0x001F0FFF)
bInheritHandle - True/False on whether the handle can be inherited by child processes or not. Usually False, because we just don't care.
dwProcessId - Target process's PID
VirtualProtect - Change memory protection
Signature
BOOL VirtualProtect(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flNewProtect,
PDWORD lpflOldProtect
);
Parameters
lpAddress - Pointer to the start of the memory region
dwSize - Size of the memory region whose protection is changed, in bytes. The change covers lpAddress through lpAddress + dwSize; usually the shellcode's length
flNewProtect - Memory protection constant
lpflOldProtect - Pointer to a variable that receives the memory protection in effect before the change. The variable is usually just initialized to 0.
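How the four calls above look from the detection side, as an added example that is not part of the original page: a triage pass over an API call trace that flags the parameter values listed here. The trace format, the tag names and the sample trace are assumptions constructed for illustration; PROCESS_ALL_ACCESS is taken as the legacy mask 0x001F0FFF.

```python
import re

# flProtect values as listed on this page; legacy PROCESS_ALL_ACCESS mask
PAGE_RW, PAGE_RX, PAGE_RWX = 0x04, 0x20, 0x40
PROCESS_ALL_ACCESS = 0x001F0FFF

# Assumed trace format (hypothetical): Api(arg, arg, ...) = return_value
CALL = re.compile(r"^(\w+)\((.*)\)\s*=\s*(\w+)$")

# Constructed sample trace, not captured from a real system
TRACE = """\
OpenProcess(0x001F0FFF, 0, 4321) = 0x1a4
VirtualAllocEx(0x1a4, 0x0, 0x1000, 0x3000, 0x40) = 0x20000
VirtualAlloc(0x0, 0x1000, 0x3000, 0x04) = 0x30000
VirtualProtect(0x30000, 0x1000, 0x20, 0x7ffe0) = 1
VirtualAlloc(0x0, 0x2000, 0x3000, 0x04) = 0x50000
""".splitlines()

def triage(lines):
    """Return (line_no, tag) findings, in trace order, for one process's calls."""
    findings, handles, regions = [], set(), {}
    for no, line in enumerate(lines, 1):
        m = CALL.match(line.strip())
        if not m:
            continue  # skip anything that is not a traced call
        api = m.group(1)
        args = [int(a.strip(), 0) for a in m.group(2).split(",")]
        ret = int(m.group(3), 0)
        if api == "OpenProcess":
            handles.add(ret)  # remember handles to other processes
            if args[0] == PROCESS_ALL_ACCESS:
                findings.append((no, "all-access-handle"))
        elif api in ("VirtualAlloc", "VirtualAllocEx"):
            prot = args[-1]  # flProtect is the last parameter in both
            regions[ret] = prot  # base address -> initial protection
            if api == "VirtualAllocEx" and args[0] in handles:
                findings.append((no, "remote-alloc"))
            if prot == PAGE_RWX:
                findings.append((no, "rwx-alloc"))
        elif api == "VirtualProtect":
            addr, new_prot = args[0], args[2]
            # allocated RW, later flipped to RX/RWX: writable-then-executable
            if regions.get(addr) == PAGE_RW and new_prot in (PAGE_RX, PAGE_RWX):
                findings.append((no, "rw-to-exec"))
    return findings

if __name__ == "__main__":
    for no, tag in triage(TRACE):
        print(f"line {no}: {tag}")
```

The RW allocation on the last trace line is never made executable, so it produces no finding.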