Native API

The use of the "naked" native API (also known as the raw API) is often regarded as a kind of hacking aerobatics. This reputation is undeserved. On the contrary, resorting to such tricks without a reason is a sign of an amateurish approach: not only are native API functions undocumented and subject to constant change, they are also unsuitable for direct use (that is why they are called "raw"). These functions are semi-finished products implementing low-level primitives, a kind of building block that requires a large amount of "glue" code around it. Examples of such glue code can be found in ntdll.dll and kernel32.dll.

In Windows NT, native API functions are reached through the int 2Eh interrupt: the number of the function being called is loaded into the EAX register, and the address of the parameter block holding the arguments is loaded into the EDX register. In Windows XP, the sysenter machine instruction is used for the same purpose; however, the main properties of the int 2Eh convention have been fully preserved (at least for now).

The most interesting native API functions used in shellcodes are listed in Listing 11.10.

Listing 11.10: Main native API functions

 000h  AcceptConnectPort      (24 bytes of parameters)
 00Ah  AllocateVirtualMemory  (24 bytes of parameters)
 012h  ConnectPort            (32 bytes of parameters)
 017h  CreateFile             (44 bytes of parameters)
 019h  CreateKey              (28 bytes of parameters)
 01Ch  CreateNamedPipeFile    (56 bytes of parameters)
 01Eh  CreatePort             (20 bytes of parameters)
 01Fh  CreateProcess          (32 bytes of parameters)
 024h  CreateThread           (32 bytes of parameters)
 029h  DeleteFile             (4 bytes of parameters)
 02Ah  DeleteKey              (4 bytes of parameters)
 02Ch  DeleteValueKey         (8 bytes of parameters)
 02Dh  DeviceIoControlFile    (40 bytes of parameters)
 03Ch  FreeVirtualMemory      (16 bytes of parameters)
 03Ch  GetContextThread       (8 bytes of parameters)
 049h  MapViewOfSection       (40 bytes of parameters)
 04Fh  OpenFile               (24 bytes of parameters)
 051h  OpenKey                (12 bytes of parameters)
 054h  OpenProcess            (16 bytes of parameters)
 059h  OpenThread             (16 bytes of parameters)
 067h  QueryEaFile            (36 bytes of parameters)
 086h  ReadFile               (36 bytes of parameters)
 089h  ReadVirtualMemory      (20 bytes of parameters)
 08Fh  ReplyPort              (8 bytes of parameters)
 092h  RequestPort            (8 bytes of parameters)
 096h  ResumeThread           (8 bytes of parameters)
 09Ch  SetEaFile              (16 bytes of parameters)
 0B3h  SetValueKey            (24 bytes of parameters)
 0B5h  ShutdownSystem         (4 bytes of parameters)
 0BAh  SystemDebugControl     (24 bytes of parameters)
 0BBh  TerminateProcess       (8 bytes of parameters)
 0BCh  TerminateThread        (8 bytes of parameters)
 0C2h  UnmapViewOfSection     (8 bytes of parameters)
 0C3h  VdmControl             (8 bytes of parameters)
 0C8h  WriteFile              (36 bytes of parameters)
 0CBh  WriteVirtualMemory     (20 bytes of parameters)
 0CCh  W32Call                (20 bytes of parameters)
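The two values the text and Listing 11.10 care about, the function number placed in EAX and the size of the parameter block popped on return, are encoded in every ntdll.dll entry stub, so they can be read back out and cross-checked against the table. The following Python example is added here and is not from the book; it decodes the NT-style (int 2Eh) and XP-style (sysenter dispatcher at 7FFE0300h) stub shapes, scans a constructed byte blob for them, and flags stubs whose number or parameter size no longer matches the listing. The LISTING_11_10 dictionary holds only three rows of the table as an illustration.

```python
import struct

# Service numbers and parameter-block sizes taken from Listing 11.10 (NT); a subset.
LISTING_11_10 = {
    0x17: ("CreateFile", 44),
    0xBB: ("TerminateProcess", 8),
    0xC8: ("WriteFile", 36),
}

# Tails of the two stub shapes the text describes. Both begin with
# "mov eax, imm32" (service number) and end with "ret imm16" (parameter bytes).
NT_TAIL = bytes.fromhex("8d542404cd2e")    # lea edx, [esp+4] ; int 2Eh
XP_TAIL = bytes.fromhex("ba0003fe7fff12")  # mov edx, 7FFE0300h ; call [edx]

def decode_stub(code):
    """Return (service_number, param_bytes, flavor) for one stub, or None."""
    if len(code) < 5 or code[0] != 0xB8:          # mov eax, imm32
        return None
    number = struct.unpack_from("<I", code, 1)[0]
    rest = code[5:]
    for tail, flavor in ((NT_TAIL, "int2e"), (XP_TAIL, "sysenter")):
        n = len(tail)
        if len(rest) >= n + 3 and rest[:n] == tail and rest[n] == 0xC2:  # ret imm16
            return number, struct.unpack_from("<H", rest, n + 1)[0], flavor
    return None

def scan_stubs(blob):
    """Find every stub in a code blob; returns (offset, number, param_bytes, flavor)."""
    found, i = [], 0
    while i < len(blob):
        hit = decode_stub(blob[i:i + 16])
        if hit is None:
            i += 1
            continue
        found.append((i,) + hit)
        i += 5 + len(NT_TAIL if hit[2] == "int2e" else XP_TAIL) + 3
    return found

def check_against_listing(number, param_bytes):
    """Cross-check a decoded stub with Listing 11.10; a mismatch means the table has drifted."""
    name, expected = LISTING_11_10.get(number, (None, None))
    if name is None:
        return "unknown", None
    return ("ok" if expected == param_bytes else "size-mismatch"), name

# Constructed samples: TerminateProcess (0BBh, 8 bytes of parameters) in both shapes.
# The XP sample reuses the NT number only for illustration; real XP numbers differ.
SAMPLE_NT = bytes.fromhex("b8bb000000") + NT_TAIL + bytes.fromhex("c20800")
SAMPLE_XP = bytes.fromhex("b8bb000000") + XP_TAIL + bytes.fromhex("c20800")

if __name__ == "__main__":
    blob = b"\x90\x90" + SAMPLE_NT + b"\xcc" + SAMPLE_XP
    for off, num, size, flavor in scan_stubs(blob):
        print(hex(off), hex(num), size, flavor, check_against_listing(num, size))
```

Run against the code section of a real ntdll.dll, the same scan shows how far a given Windows build's numbers have moved from the table above, which is the practical reason the text warns against hard-coding them.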
 


Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164
