CryptInstallOIDFunctionAddress

Shellcode Loader

Abusing callback to run shellcode.

Overview

Eksekusi shellcode dengan CryptInstallOIDFunctionAddress.

Install fungsi sebagai callback saat membuka store baru.

BOOL CryptInstallOIDFunctionAddress(HMODULE hModule, DWORD dwEncodingType, LPCSTR pszFuncName, DWORD cFuncEntry, const CRYPT_OID_FUNC_ENTRY [] rgFuncEntry, DWORD dwFlags);

BOOL CryptFreeOIDFunctionAddress (HCRYPTOIDFUNCADDR hFuncAddr, DWORD dwFlags);

HCERTSTORE CertOpenStore (LPCSTR lpszStoreProvider, DWORD dwEncodingType, HCRYPTPROV_LEGACY hCryptProv, DWORD dwFlags, const void *pvPara);

BOOL CertCloseStore (HCERTSTORE hCertStore, DWORD dwFlags);

Reference

• MSDN CryptInstallOIDFunctionAddress
• MSDN CryptFreeOIDFunctionAddress
• MSDN CertOpenStore
• MSDN CertCloseStore