{"id":37132434,"url":"https://github.com/secfurry/owowningthewinapi","last_synced_at":"2026-01-14T15:27:13.476Z","repository":{"id":217804109,"uuid":"285829968","full_name":"secfurry/OwOwningTheWinAPI","owner":"secfurry","description":"OwOwning with the Windows API Examples and Code. DEFCON Furs 2020 presentation.","archived":true,"fork":false,"pushed_at":"2024-01-18T05:24:40.000Z","size":1452,"stargazers_count":12,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-06-21T15:30:18.810Z","etag":null,"topics":["go","golang","winapi","windows"],"latest_commit_sha":null,"homepage":"https://dij.sh/owo","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secfurry.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-08-07T12:59:21.000Z","updated_at":"2024-01-18T05:25:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"893ce22a-e8a3-4a43-ab5a-0fee0b5392fd","html_url":"https://github.com/secfurry/OwOwningTheWinAPI","commit_stats":null,"previous_names":["secfurry/owowningthewinapi"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/secfurry/OwOwningTheWinAPI","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secfurry%2FOwOwningTheWinAPI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secfurry%2FOwOwningTheWinAPI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secfurry%2FOwOwningTheWinAPI/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/secfurry%2FOwOwningTheWinAPI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secfurry","download_url":"https://codeload.github.com/secfurry/OwOwningTheWinAPI/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secfurry%2FOwOwningTheWinAPI/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28424374,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T13:30:50.153Z","status":"ssl_error","status_checked_at":"2026-01-14T13:29:08.907Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","winapi","windows"],"created_at":"2026-01-14T15:27:12.726Z","updated_at":"2026-01-14T15:27:13.471Z","avatar_url":"https://github.com/secfurry.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OwOwning with the Windows API\n\n[PowerPoint Here](https://github.com/secfurry/OwOwningTheWinAPI/raw/master/Slides.pdf)\n\n**OwOwning with the Windows API** is a presentation given during the [DEFCON Furs 2020](https://2020.dcfurs.com) virtual conference.\n\nDuring the presentation, I (secfurry) explore the methods and function calls used to spoof parent process relationships in Windows and inject shellcode into Windows applications.\nI cover many 
undocumented or lesser-known functions and provide code (saved here) to experiment with and modify as you see fit.\n\nI can be reached on Twitter at [@secfurry](https://twitter.com/secfurry).\n\nPS: The code used in this presentation was given to one of my friends [@iDigitalFlame](https://twitter.com/iDigitalFlame) to use in development for his [malware framework XMT](https://github.com/iDigitalFlame/xmt); go check it out if you're interested in more cool stuff like this.\n\n## Links\n\n- [Zw and Nt Prefixes](https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/what-does-the-zw-prefix-mean-)\n- [PEB Block Overwriting](https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/)\n- [StartupInfoEx](https://docs.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-startupinfoexa)\n- [Detecting Parent Process Spoofing](https://blog.f-secure.com/detecting-parent-pid-spoofing/) ([Git Repo](https://github.com/countercept/ppid-spoofing))\n- [Preventing Parent Process Spoofing](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute#remarks)\n- [Another Writeup on Parent Spoofing](https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/)\n- [Parent Process Spoofing Office Macro](https://github.com/christophetd/spoofing-office-macro)\n\n### Windows API Function Reference\n\n- [OpenProcess](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess)\n- [InitializeProcThreadAttributeList](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-initializeprocthreadattributelist)\n- [UpdateProcThreadAttribute](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)\n- [CreateProcessW](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw)\n- 
[WaitForSingleObject](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)\n- [DuplicateHandle](https://docs.microsoft.com/en-us/windows/win32/api/handleapi/nf-handleapi-duplicatehandle)\n- [LookupPrivilegeValue](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-lookupprivilegevaluea)\n- [OpenProcessToken](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken)\n- [AdjustTokenPrivileges](https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges)\n- [NtAllocateVirtualMemory](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory)\n- [NtWriteVirtualMemory](http://www.codewarrior.cn/ntdoc/winnt/mm/NtWriteVirtualMemory.htm)\n- [NtCreateThreadEx](https://securityxploded.com/ntcreatethreadex.php)\n\nUpdated on *08/07/2020*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecfurry%2Fowowningthewinapi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecfurry%2Fowowningthewinapi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecfurry%2Fowowningthewinapi/lists"}