Summary
Many of today's antivirus, endpoint monitoring and protection, and event log monitoring solutions are designed to increase performance by analyzing memory information only, without verifying whether that content has been forged. In this chapter, we learned the basics of Windows API calls in x86 assembly, including the TEB and PEB, as well as forged parameters, forged and hidden loaded DLLs, and more. With a proper understanding of these basics and of the tactics used by malicious attackers, we can gain better insight into the stealth techniques favored by first-line cyber armies. In the next chapter, we will further study how to analyze individual DLL modules in memory and obtain the desired API address without calling Windows APIs. We will also learn how hackers write Windows shellcode in x86 to execute specific attacks.