Observations
This is the combination of PEB Walk Injection and Classic Code Injection With API Obfuscation. The names of the functions we need are obfuscated before getting a pointer to them via PEB walking.
Working
- Retrieve PEB (using inline assembly) of the current process, which contains information about loaded modules using inline asm:
<...>
PEB* peb;
<...>
__asm {
mov eax, fs: [0x30]
mov peb, eax
}- Using this pointer, traverse the PEB’s linked list of loaded modules to find the base address of the desired module using
CONTAINING_RECORD(lEntry, ...), then iterate through the list of loaded modules in the process, and obtain its base address. - Using the base address, retrieve the pointer to its functions using
GetProcAddressKernel32(after deobfuscation) - Run your shellcode using pointer to
VirtualAllocEx,WriteProcessMemory, andCreateRemoteThread(after deobfuscation).