Ordinal Values, Windows Functions, and C#

By Red Siege | June 8, 2021

There’s many different techniques that an offensive security professional could use to try to have their code avoid detection by various AV and EDR products. Various options include encrypting part of their code, code obfuscation, guardrails, and a lot more. But one cool trick that seems to keep surviving the test of time is utilizing ordinal values when working with the API. What are ordinal values? Let’s check this out.

 

https://media.geeksforgeeks.org/wp-content/uploads/CommonArticleDesign1-min.png

 

The easiest way for me to visualize and understand what ordinal values are is to think of finding them as an array. If I want to reference a specific value stored in an array, I have to do so by referencing its position in the array (in the above image, it might be something like array[8]). The fun thing is this same concept can be applied to functions called within various Windows DLLs, such as kernel32, etc.

Let’s say I want to use QueueUserAPC within code that I am writing. Normally, I would use P/Invoke to define QueueUserAPC so that it can be utilized throughout my code. The code would look something similar to the following:

 

P/Invoke Definition for QueueUserAPC

 

So we can easily see that QueueUserAPC resides within kernel32.dll. The next step would be trying to figure out how to define QueueUserAPC via its ordinal value (position) within kernel32.dll. Thankfully, there’s multiple tools that can help you find this information, such as PEView. All you need to do is download PEView, have it open up kernel32.dll (or any dll you want to figure this information out for), and look at the Export Address Table. Finally, just look for the specific function call you are interested in (in this case, QueueUserAPC

 

PEView Opening kernel32.dll

 

In this screenshot, we can see that QueueUserAPC has a value of “045A”. You’ll likely quickly recognize that this is the hexidecimal representation of its position, so in base 10 QueueUserAPC’s position is “1114”. Great, now that you have its position, the last step is defining the function call via its ordinal value.

To do so, you should define the EntryPoint value when defining QueueUserApc to specify the position within kernel32.dll that you want to call. Your code should look pretty similar to the following screenshot.

 

QueueUserAPC Defined by its Ordinal Value

 

You can see that the ordinal value is used in the QueueUserAPC function definition. Additionally, you likely noticed that rather than giving the function name its standard name of “QueueUserAPC”, in this case it’s being defined as “ChrisQueueUserAPC”. The name that you specify does not matter, it could be called any name because it’s not the name that is important, but the ordinal value which ensures that the correct function is ultimately called.

User Beware

It is worth noting that there can be some drawbacks when using ordinal values, the biggest of which is that you have to be very targeted with your code. Ordinal values of functions can change from version to version, service pack to service pack, or major version to major version. There’s no guarantee that they will have the same ordinal value. Therefore you likely want to maintain a running database that you can quickly lookup and find the ordinal value of the function call you want to run with respect to the operating system version it is running on.

Hopefully this helps to show how you can not only look up the ordinal value of a function you want to use, but also how to leverage ordinal values within your code. If you have any questions about the topic, don’t hesitate to reach out and contact us. We’re happy to help answer any questions you may have!

Adventures in Shellcode Obfuscation! Part 4: RC4 with a Twist

By Red Siege | July 8, 2024

by Mike Saunders, Principal Security Consultant This blog is the fourth in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of the series […]

Learn More
Adventures in Shellcode Obfuscation! Part 4: RC4 with a Twist

Adventures in Shellcode Obfuscation! Part 3: Encryption

By Red Siege | July 1, 2024

By Mike Saunders, Principal Security Consultant   This blog is the third in a series of blogs on obfuscation techniques for hiding shellcode. You can find the rest of the […]

Learn More
Adventures in Shellcode Obfuscation! Part 3: Encryption

Phone Switch Labs CTF – Walk-Through

By Red Siege | June 26, 2024

by Douglas Berdeaux, Senior Security Consultant CTF redsiege.com/phoneswitch Getting Started Phone phreaking is the practice of exploring and hacking telephones, telephone switches, telephone test equipment, and physically exploring the telephone […]

Learn More
Phone Switch Labs CTF – Walk-Through

Find Out What’s Next

Stay in the loop with our upcoming events.