CallStack Evasion

Introduction: Hello all, it's been a while since I have written a blog post. I have been busy with a lot of things and just hadn't found the time to document them here, but today I took some time out to write about something cool. It's nothing new, but it's very interesting. A few weeks ago I came across an article by DarkVortex (Paranoid Ninja), the creator of Brute Ratel, in which he wrote about how to clear the call stack while calling any Windows API.

EDRs and AVs tend to inspect a thread's call stack while the program is running. When a Windows API is called, the stack holds the chain of return addresses (and, on some calling conventions, the arguments) that led to that call, so one of the detection methods EDRs use is to walk that stack and decide whether the API is being used maliciously, for example when a return address points into memory that is not backed by any loaded module.

He did this using the undocumented TpAlloc thread-pool API. It seemed very interesting to me and I wanted to implement the same technique with a different function, but TpAlloc and similar APIs are undocumented, which means if you wan...
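To make the detection side of the paragraph concrete, here is an added example of the kind of check an EDR can run on a thread's call stack at the moment a sensitive API is called. It is not code from this post or from the DarkVortex/Brute Ratel write-up, and it is written in Python as a portable model of the logic rather than the Windows-native C the technique itself needs. The module map, the base addresses and sizes, the two sample stacks and the symbol offsets in the comments are all constructed values, not captured from a real process. The second sample stack models the situation the post describes: the same API reached through a thread-pool work item, so the call executes on a worker thread whose frames are all image-backed.

```python
"""Toy EDR-style call-stack inspection of a sensitive Windows API call.

Added example; not code from the post or the write-up it references.
Module bases/sizes and every return address below are constructed sample
data.  The heuristic (flag any return address that no loaded module backs)
is one of several checks a real product applies, not the whole story.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded image: its name and the virtual address range it occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map (hypothetical bases and sizes).
MODULES = [
    Module("ntdll.dll",    0x00007FFD_1A00_0000, 0x1F0000),
    Module("kernel32.dll", 0x00007FFD_1800_0000, 0x0C0000),
    Module("implant.exe",  0x00007FF6_2000_0000, 0x040000),
]


def backing_module(addr: int, modules: List[Module] = MODULES) -> Optional[Module]:
    """Return the module whose image range contains addr, or None if no
    loaded image backs that address."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def inspect_stack(return_addresses: List[int], modules: List[Module] = MODULES) -> List[str]:
    """Walk a thread's return addresses (innermost frame first) and report
    every frame whose return address lies outside all loaded modules, i.e.
    code that was never mapped from an image on disk (injected shellcode,
    an RWX heap buffer, a hand-built trampoline)."""
    findings = []
    for depth, addr in enumerate(return_addresses):
        if backing_module(addr, modules) is None:
            findings.append(f"frame {depth}: 0x{addr:016X} is not backed by any loaded module")
    return findings


def is_suspicious(return_addresses: List[int], modules: List[Module] = MODULES) -> bool:
    """True when at least one frame of the stack is unbacked."""
    return bool(inspect_stack(return_addresses, modules))


# Sample 1 (constructed): shellcode living in a VirtualAlloc'd region calls
# VirtualAlloc directly.  Innermost frame first: ntdll, kernel32, then the
# caller, whose return address no module backs.
DIRECT_CALL_STACK = [
    0x00007FFD_1A0D_1234,   # ntdll!NtAllocateVirtualMemory+0x14 (illustrative)
    0x00007FFD_1801_8A10,   # kernel32!VirtualAlloc+0x50 (illustrative)
    0x00000201_DEAD_0010,   # return into RWX heap memory: unbacked
    0x00007FFD_1802_7374,   # kernel32!BaseThreadInitThunk+0x14 (illustrative)
    0x00007FFD_1A04_CC91,   # ntdll!RtlUserThreadStart+0x21 (illustrative)
]

# Sample 2 (constructed): the same API queued as a thread-pool work item, so it
# runs on a worker thread.  Every frame now resolves to ntdll or kernel32, and
# the frame that originated the request never appears on this stack.
PROXIED_CALL_STACK = [
    0x00007FFD_1A0D_1234,   # ntdll!NtAllocateVirtualMemory+0x14 (illustrative)
    0x00007FFD_1801_8A10,   # kernel32!VirtualAlloc+0x50 (illustrative)
    0x00007FFD_1A03_1100,   # ntdll thread-pool callback dispatcher (illustrative)
    0x00007FFD_1A03_0D20,   # ntdll thread-pool worker thread (illustrative)
    0x00007FFD_1802_7374,   # kernel32!BaseThreadInitThunk+0x14 (illustrative)
    0x00007FFD_1A04_CC91,   # ntdll!RtlUserThreadStart+0x21 (illustrative)
]


if __name__ == "__main__":
    for label, stack in (("direct call", DIRECT_CALL_STACK), ("proxied call", PROXIED_CALL_STACK)):
        print(f"{label}: suspicious={is_suspicious(stack)}")
        for line in inspect_stack(stack):
            print("  " + line)
```

Running it flags exactly one frame in the direct-call stack (the return into heap memory) and nothing in the proxied one, which is the effect the post is after. The caveat a defender should keep in mind is that "every frame is image-backed" is necessary but not sufficient for a clean verdict: a worker thread whose callback target is a raw Win32 API entry point rather than a normal callback routine is itself an unusual shape, so a stack check that also validates the callback address, the thread's start address or the memory protection of the buffer being passed can still distinguish the two samples.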