This article explains how attackers can use custom shellcode and Windows internals like PEB and TEB structures to evade detection and manipulate process information. It emphasizes writing unique payloads, dynamically resolving API addresses, and encoding strings for stealth. #PEB #TEB
Key points
- Custom shellcode provides better evasion and control over payload behavior.
- Understanding Windows memory structures like PEB and TEB is essential for stealthy API resolution.
- Functions like __readgsqword and linked list traversal help identify loaded DLLs and their addresses.
- Encoding strings as hexadecimal values allows payloads to be self-contained and less detectable.
- Proper compilation settings and disassembly techniques are crucial for converting C++ code into effective shellcode.
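The string-encoding point above cuts both ways for an analyst: a payload that carries "kernel32.dll" as hex immediates rather than as a plain string defeats a naive strings scan, but the characters are still sitting in the instruction stream as operands of `push` and `mov`. The following is an added example, not code from the article, showing how a defender recovers them: a Python scanner that walks a byte blob, decodes `push imm32` (opcode 0x68) and `mov r64, imm64` (0x48 0xB8..0xBF) immediates that look like printable ASCII, reassembles the fragments, and flags module or API names of interest. The opcode encodings are standard x86-64; the sample blob and the `WATCHLIST` contents are constructed for the example.

```python
"""Recover ASCII strings that were embedded as instruction immediates (stack strings)."""

PRINTABLE = set(range(0x20, 0x7F))          # space .. '~'

# Constructed watchlist: names an analyst would want surfaced (assumption, not from the article).
WATCHLIST = {"kernel32.dll", "ntdll.dll", "loadlibrarya", "getprocaddress", "virtualalloc"}


def _ascii_fragment(imm: bytes):
    """Return the immediate as text if it is printable ASCII (trailing NUL padding allowed), else None."""
    stripped = imm.rstrip(b"\x00")
    if len(stripped) < 2 or any(b not in PRINTABLE for b in stripped):
        return None
    return stripped.decode("ascii")


def extract_immediate_strings(blob: bytes):
    """Scan for push imm32 / mov r64, imm64 whose immediate decodes as ASCII.

    Returns a list of (offset, kind, text). Immediates are little-endian and so is the
    stack/memory the payload writes them to, so the encoded bytes are already in string order.
    """
    found = []
    i, n = 0, len(blob)
    while i < n:
        op = blob[i]
        if op == 0x68 and i + 5 <= n:                       # push imm32
            text = _ascii_fragment(blob[i + 1:i + 5])
            if text:
                found.append((i, "push", text))
                i += 5
                continue
        if op == 0x48 and i + 10 <= n and 0xB8 <= blob[i + 1] <= 0xBF:   # REX.W mov r64, imm64
            text = _ascii_fragment(blob[i + 2:i + 10])
            if text:
                found.append((i, "mov", text))
                i += 10
                continue
        i += 1                                              # no match: slide one byte
    return found


def reassemble(fragments):
    """Join runs of same-kind fragments into whole strings.

    Consecutive pushes build a string from its tail (last chunk pushed first), so a push run is
    reversed; a run of mov immediates is joined in code order (a heuristic, since the author
    controls the store order).
    """
    strings, run, run_kind = [], [], None
    for _, kind, text in fragments + [(None, None, None)]:  # sentinel flushes the last run
        if kind != run_kind and run:
            strings.append("".join(reversed(run)) if run_kind == "push" else "".join(run))
            run = []
        if kind is not None:
            run.append(text)
        run_kind = kind
    return strings


def analyze(blob: bytes):
    """Return recovered strings and the subset that matches the watchlist (case-insensitive)."""
    recovered = reassemble(extract_immediate_strings(blob))
    flagged = sorted(s for s in recovered if s.lower() in WATCHLIST)
    return {"strings": recovered, "flagged": flagged}


# Constructed sample: a tiny x86-64 fragment that stages "kernel32.dll" with three pushes and
# "LoadLibraryA" with two 8-byte movs. Not taken from any real payload.
SAMPLE = (
    bytes.fromhex("4883ec28")                      # sub rsp, 0x28
    + b"\x68" + b".dll"                            # push ".dll"
    + b"\x68" + b"el32"                            # push "el32"
    + b"\x68" + b"kern"                            # push "kern"
    + b"\x48\xb8" + b"LoadLibr"                    # mov rax, "LoadLibr"
    + bytes.fromhex("4889442408")                  # mov [rsp+8], rax
    + b"\x48\xb9" + b"aryA\x00\x00\x00\x00"        # mov rcx, "aryA" (NUL padded)
    + b"\xc3"                                      # ret
)

if __name__ == "__main__":
    report = analyze(SAMPLE)
    for off, kind, text in extract_immediate_strings(SAMPLE):
        print(f"{off:#06x} {kind:4s} {text!r}")
    print("recovered:", report["strings"])
    print("flagged:  ", report["flagged"])
```

Run it on any raw shellcode blob (`analyze(open(path, "rb").read())`) to get a first pass at embedded names before spending time in a debugger; the NUL-padding rule is what lets the 4-byte tail of "LoadLibraryA" survive, and lowering the minimum fragment length below 2 mostly adds noise from incidental printable bytes.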