{"id":58694,"date":"2022-09-27T16:58:34","date_gmt":"2022-09-27T08:58:34","guid":{"rendered":"https:\/\/version-2.com\/?p=58694"},"modified":"2022-09-29T17:40:58","modified_gmt":"2022-09-29T09:40:58","slug":"intro-to-windows-win32-api","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2022\/09\/intro-to-windows-win32-api\/","title":{"rendered":"Intro to Windows (Win32) API"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\n

Since I talked about how to enumerate Windows-based systems \u2013 a step you will have during an engagement, it is only natural to expand more on the topic (Windows, not enumeration, at least for now).<\/p>

<\/p>

You might have successfully enumerated, exploited, established persistence, and maybe even exfiltrated data\u2026 but there\u2019s much more to it, and a lot of stuff comes into play. In the upcoming articles, I will cherry-pick the stuff that is most interesting to me, but I will also try to provide you with a general overview so that you can more easily structure and map out the stuff I\u2019ve been talking about.<\/p>

This one is geared more towards red team type of activity, as the knowledge of the Windows API can be leveraged when you care about evasion e.g., as a red teamer (of course, it\u2019s not only<\/em> about evasion\u2026); something a pentester usually doesn\u2019t have to worry about. Just keep that distinction in the back of your mind.<\/p>

<\/p>

However, in the case of red team engagements, since the emulation of an adversary is essential, you will see stuff that usually doesn\u2019t get included in your pentests or vulnerability assessments. Phishing is permitted (out of scope in most of the pentests) and is usually something red teams will opt for (gotta keep that stuff realistic, right?); evasion is also vital since an adversary will try to stay on your corporate network as long as it is possible for them. It\u2019s also kinda in the name; you are in the role of the red team, and the evasion pertains to throwing the blue team off your tracks. This is quite different and very interesting for us here, as it opens a plethora of new options you will think about and probably use during the engagement.<\/p>

<\/p>

Terms like living off the land, phishing, bypassing UAC, bypassing AVs, C2, etc. all come into play! And more. Much more. This is terrifyingly fun, and even though the Windows API might not be the most attractive topic of the bunch here, its important to have a firm grasp on the stuff you\u2019re abusing, and I wanted to give you just a brief overview of how one would abuse the system calls for their nefarious purpose.<\/p>

<\/p>

Red teams will regularly abuse the Windows API to hide and evade the blue team, in the same way, they\u2019ll use shellcode to evade AVs, or use the LOL (living off the land) methodology, and much more (evade runtime detection, logging and monitoring, generally employing tool agnostic approach in this endeavor).<\/p>

<\/p>

Okay! So that\u2019s a bit more of an intro, but I wanted to level with you here and set some expectations while also (hopefully) making the upcoming articles (as well as this one and the previous one) more sensible in the grand scheme of things.<\/p>

<\/p>

The Windows (Win32) API<\/h4>

<\/p>

The first distinction to be aware of here is that Windows has two main modes through which it accesses hardware, the kernel<\/strong>, and the user<\/strong> mode. This goes back to the release of the Win32 API which is a library that\u2019s used to interface between the user applications and the kernel.<\/p>

The API here calls the interfaces and sends the info to the system which is then processed in the kernel mode. These two modes are essential because they determine how much access a driver or an application gets \u2013 kernel, memory, or hardware access. Also, note that with some languages and their interaction with the Win32 API, the application can go through the runtime first before going through the API.<\/p>

The Win32 API breakdown can be briefly described as follows:<\/p>