GET /api/techniques/221/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 221,
    "key": "tamper-dll-export-names-getprocaddress-spoofing",
    "unprotect_id": "U1241",
    "name": "Tamper DLL Export Names & GetProcAddress Spoofing",
    "description": "While a process is running, it is possible to change the result of calls to the `GetProcAddress` API for a module's exported functions, along with modifying the exports' offsets and names at runtime.\r\n\r\nFor example, the offset of `kernel32.dll`'s function `VirtualAlloc` can be changed to the offset of another function. When `VirtualAlloc` is called (after getting its address from `GetProcAddress`), the second function will be called instead.\r\n\r\nTo achieve this, it is possible to use the WINAPI `MapAndLoad` from `ImageHlp.h`, then use `ImageDirectoryEntryToData` to get the list of exports. The `ImageRvaToVa` API can then be used to retrieve the offset of each exported function's name; if desired, the export name can be overwritten, causing calls to `GetProcAddress` with that export name to fail or be directed to another function.",
    "resources": "",
    "creation_date": "2022-08-11T10:08:44.579000Z",
    "tags": "",
    "modification_date": "2022-12-06T02:29:18.282000Z",
    "category": [
        4
    ],
    "rules": [
        122
    ],
    "attachments": [],
    "featured_api": [
        3,
        7,
        381,
        404,
        425
    ],
    "contributors": []
}