Open Analysis Live! Why can't you hook and suspend processes created via ShellExecute? We take a look at the internals of ShellExecute and at what happens when that API is used to create a new process.
-----
OALABS DISCORD
/ discord
OALABS PATREON
/ oalabs
OALABS TIP JAR
https://ko-fi.com/oalabs
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/
-----
Some background on the topics covered...
Link to the test script we used:
https://gist.github.com/herrcore/821a...
ShellExecute API documentation:
https://msdn.microsoft.com/en-us/libr...
Process creation flags documentation:
https://msdn.microsoft.com/en-us/libr...
CreateProcessInternalW API documentation:
http://a-twisted-world.blogspot.ca/20...
Also, a big shout out to Alex / nullandnull for discovering this quirk. We highly recommend all reverse engineers read his blog and check out his huge suite of awesome tools:
http://hooked-on-mnemonics.blogspot.com
https://bitbucket.org/Alexander_Hanel...
Feedback, questions, and suggestions are always welcome : )
Sergei / herrcore
Sean / seanmw
As always, check out our tools, tutorials, and more content over at http://www.openanalysis.net
Watch the video The Curious Case of ShellExecute online without registration, hours minutes seconds long, in good quality. This video was added by user OALabs on 04 November 2017; don't forget to share the link with your friends and acquaintances. On our site it has been viewed 4,660 times and liked by 118 people.