Shaurma

Results 11 comments of Shaurma

Thank you for your kind reply. Please let me clarify a bit. To be more precise, it is about 250k+ disk events in a few seconds. Is it a lot?...

> "APC injection" is in reality about how you _run_ the injected code, It seems this is a bit incorrect. It is possible to use APC to _run gadgets_, but...

The question is "Could we use APC to run a chain (or some elements from it) like VirtualAlloc, VirtualProtect and, then, NtWriteVirtualMemory (or any similar gadget) as many times as necessary to fill...

> APC was just used for _running_ the stub composed of gadgets...

...to [purpose] inject a shellcode :-) Easy like this.

> it really doesn't matter if you call `VirtualAlloc`...

Yeah, your idea regarding raw is equal to vs seems better if the size of the resulting image does not make any sense. Since past ideas have not been rejected,...

Hm... It crashes on the "crc_outer" label while trying to xor. I guess something is wrong with getting the kernel32 base. Are we talking about injection of x64 shellcode into a WOW64 process?...

Shouldn't it be enough for x64 to use LdrLoadDll+LdrGetProcedureAddress instead of LoadLibraryA+GetProcAddress? Okay, sometimes you need to unmap the kernel32 and user32 regions, but I do not see other pitfalls..
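Shellcode that goes through ntdll's LdrLoadDll and LdrGetProcedureAddress instead of kernel32's LoadLibraryA/GetProcAddress still has to find those two exports on its own. The block below is an added example, not code from this thread or from any project discussed in it: a portable export-table walk (the lookup shellcode performs by hand), run against a constructed minimal PE32+ image that stands in for ntdll, plus a Windows-only PEB walk (`ntdll_base`, a helper name chosen here) that locates the real ntdll so the same walk can be tried on a live process. The fake image's layout, RVAs and the two export names are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Export-table walk: the lookup shellcode does by hand instead of calling GetProcAddress. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* RVA of a named export in an in-memory PE image (PE32 or PE32+); 0 if absent or forwarded. */
uint32_t find_export_rva(const uint8_t *base, const char *name)
{
    if (base[0] != 'M' || base[1] != 'Z') return 0;
    const uint8_t *nt = base + rd32(base + 0x3C);        /* e_lfanew -> IMAGE_NT_HEADERS */
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    uint16_t magic = rd16(nt + 24);                       /* optional header after 4+20 bytes */
    uint32_t dd = (magic == 0x20b) ? 24 + 112 : 24 + 96;  /* DataDirectory[0]: PE32+ vs PE32 */
    uint32_t exp_rva = rd32(nt + dd), exp_size = rd32(nt + dd + 4);
    if (exp_rva == 0) return 0;
    const uint8_t *ed = base + exp_rva;                   /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nnames = rd32(ed + 24);
    uint32_t funcs = rd32(ed + 28), names = rd32(ed + 32), ords = rd32(ed + 36);
    for (uint32_t i = 0; i < nnames; i++) {
        const char *n = (const char *)base + rd32(base + names + 4 * i);
        if (strcmp(n, name) != 0) continue;
        uint16_t ord = rd16(base + ords + 2 * i);         /* index into AddressOfFunctions */
        uint32_t rva = rd32(base + funcs + 4 * ord);
        if (rva >= exp_rva && rva < exp_rva + exp_size) return 0;  /* forwarder string, not code */
        return rva;
    }
    return 0;
}

/* Constructed stand-in for ntdll: a minimal PE32+ image whose RVAs equal buffer offsets.
 * The layout, RVAs and export names below are assumptions made for this demo. */
#define IMG_SIZE 0x500
static uint8_t g_img[IMG_SIZE];
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

const uint8_t *fake_ntdll_image(void)
{
    static int built = 0;
    if (built) return g_img;
    memset(g_img, 0, IMG_SIZE);
    g_img[0] = 'M'; g_img[1] = 'Z';
    put32(g_img + 0x3C, 0x40);                 /* e_lfanew */
    memcpy(g_img + 0x40, "PE\0\0", 4);
    put16(g_img + 0x44, 0x8664);               /* Machine = AMD64 */
    put16(g_img + 0x54, 240);                  /* SizeOfOptionalHeader (PE32+) */
    put16(g_img + 0x58, 0x20b);                /* OptionalHeader.Magic = PE32+ */
    put32(g_img + 0x58 + 112, 0x200);          /* DataDirectory[EXPORT].VirtualAddress */
    put32(g_img + 0x58 + 116, 0x300);          /* DataDirectory[EXPORT].Size */
    uint8_t *ed = g_img + 0x200;
    put32(ed + 16, 1);  put32(ed + 20, 2);  put32(ed + 24, 2);   /* Base, NumberOfFunctions, NumberOfNames */
    put32(ed + 28, 0x300); put32(ed + 32, 0x310); put32(ed + 36, 0x320);  /* functions, names, ordinals */
    put32(g_img + 0x300, 0x1000); put32(g_img + 0x304, 0x1100);  /* function RVAs for ordinal 0 and 1 */
    put32(g_img + 0x310, 0x400);  put32(g_img + 0x314, 0x420);   /* name string RVAs */
    put16(g_img + 0x320, 0);      put16(g_img + 0x322, 1);       /* name index -> ordinal index */
    strcpy((char *)g_img + 0x400, "LdrGetProcedureAddress");
    strcpy((char *)g_img + 0x420, "LdrLoadDll");
    built = 1;
    return g_img;
}

/* RVA of a name in the constructed image, 0 if missing. */
uint32_t fake_export_rva(const char *name) { return find_export_rva(fake_ntdll_image(), name); }

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <intrin.h>
/* Windows only: real ntdll base from the PEB loader list (second InMemoryOrder entry, after the EXE).
 * In a WOW64 process the 32-bit PEB (fs:[0x30]) lists the 32-bit ntdll; the 64-bit ntdll is on
 * the 64-bit PEB (gs:[0x60]), reachable only from 64-bit code. */
static const uint8_t *ntdll_base(void)
{
#if defined(_M_X64) || defined(__x86_64__)
    PEB *peb = (PEB *)__readgsqword(0x60);
#else
    PEB *peb = (PEB *)__readfsdword(0x30);
#endif
    LIST_ENTRY *e = peb->Ldr->InMemoryOrderModuleList.Flink->Flink;
    return (const uint8_t *)CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)->DllBase;
}
#endif

int main(void)
{
    const char *wanted[] = { "LdrGetProcedureAddress", "LdrLoadDll", "GetProcAddress" };
    for (int i = 0; i < 3; i++)
        printf("fake image: %-24s rva=0x%x\n", wanted[i], fake_export_rva(wanted[i]));
#ifdef _WIN32
    const uint8_t *nt = ntdll_base();
    for (int i = 0; i < 3; i++) {
        uint32_t rva = find_export_rva(nt, wanted[i]);
        printf("real ntdll: %-24s %p\n", wanted[i], rva ? (const void *)(nt + rva) : (const void *)0);
    }
#endif
    return 0;
}
```

On a non-Windows host only the constructed image is exercised; built with MSVC or MinGW the same walk is run over the real ntdll, where "GetProcAddress" correctly resolves to nothing because it lives in kernel32, which is exactly why shellcode that only needs ntdll's Ldr* pair can skip locating kernel32 at all. The forwarder check matters on real modules: a forwarded export's "address" is a string inside the export directory, not code, and jumping to it is one classic way a hand-rolled resolver crashes.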

The above did not help me. I've done:

```cpp
plugmod_t* idaapi init( void )
{
    Settings.Init( );
    Settings.Load( "sigmaker.ini" );
    return PLUGIN_OK;
}

plugin_t PLUGIN = {
    IDP_INTERFACE_VERSION,
    PLUGIN_MOD,
```

Actually, I don't think it depends on the CRT version, because I tried on Windows 7 and Windows 10. You only need to bypass GetFileType, then spdlog is going to work perfectly.

We could confirm this problem. In our case each call to "readertxt" adds a 33 MB leak.