Dynamic API Resolution

Create declerations for the functions you are going to call.

HANDLE (WINAPI *myHeapCreate)( DWORD flOptions, SIZE_T dwInitialSize, SIZE_T dwMaximumSize );
LPVOID (WINAPI *myHeapAlloc)( HANDLE hHeap, DWORD  dwFlags, SIZE_T dwBytes);

Resolve them,

HMODULE kernel32dll             = GetModuleHandleA("kernel32.dll");
myHeapCreate                    = GetProcAddress(kernel32dll, "HeapCreate");
myHeapAlloc                     = GetProcAddress(kernel32dll, "HeapAlloc");

And now you call them,

HANDLE hHeap = myHeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
void* hmem = myHeapAlloc(hHeap, 0, 0x1000);

You can ideally encode hardcode strings like "kernel32.dll", "HeapCreate" etc.

https://github.com/morph3/myldr/blob/main/templates/default_template.c

Dynamically resolving hashed-NTAPI Calls

https://mez0.cc/posts/dynamic-api-fnv/

PreviousProcess Hollowing NextSuspended Threads

Last updated 2 years ago