-
The Windows Application Compatibility Framework (shimming) provides a way to change the system behaviour for an application in order to function like in older systems. It works via the IAT Import address Table at load time and can change functions, library addresses etc. this way. Creating a shim A shim can be registered with the system via…
-
Compile it natively or not: x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll Restart the service / application somehow and check if there is a new admin2 alive. Reflective DLL Injection See https://github.com/stephenfewer/ReflectiveDLLInjection
-
PE Portable Executung or DLL Dynamic Linking Libraries can be edited to remove or add capabilities or own code. Read and modify a PE file The following Python3 script reads a file, prints out a header, modified it to remove ASLR and write a new file without this flag. f = pefile.PE('filename.exe') print(hex(f.OPTIONAL_HEADER.DllCharacteristics)) // print as hex to…