From 8b6d58aed371480f2a22033f5a92523d4da8f711 Mon Sep 17 00:00:00 2001 From: mether049 Date: Tue, 7 Jan 2020 00:54:00 +0900 Subject: [PATCH] Update analysis_processhollowing.md --- Trickbot/analysis_processhollowing.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Trickbot/analysis_processhollowing.md b/Trickbot/analysis_processhollowing.md index 6f2ee9a..f60240a 100644 --- a/Trickbot/analysis_processhollowing.md +++ b/Trickbot/analysis_processhollowing.md @@ -114,6 +114,10 @@ Process Hollowingにも利用するデータに関する説明 - 各APIの呼び出しで処理が失敗した場合,その時点でプロセスが終了する ![](https://github.com/mether049/malware/blob/master/Trickbot/img/apicall_15_720.png) +- 以下は[NtQueryInformationProcess](https://docs.microsoft.com/ja-jp/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess?redirectedfrom=MSDN)の呼び出し後におけるPROCESS_BASIC_INFORMATION構造体の各メンバの値である +- svchost.exeのプロセスIDは9652 +![](https://github.com/mether049/malware/blob/master/Trickbot/img/PROCESS_BASIC_INFORMATION.png) +![](https://github.com/mether049/malware/blob/master/Trickbot/img/processhacker.PNG) ## to do.. - 解析を進めて以下の部分について修正・追加を行う
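Review bot: the two bullets added in this hunk give the PROCESS_BASIC_INFORMATION values and the svchost.exe process ID (9652) but do not say which structure member the reader should compare that ID against, so the screenshot cannot be checked without opening the image; state that 9652 is expected in UniqueProcessId (confirming the handle refers to the freshly created svchost.exe) and that PebBaseAddress is the member the hollowing code needs next, since the rest of the write-up describes reading the PEB to locate the image base. Two smaller points: the new documentation link uses the ja-jp locale with `?redirectedfrom=MSDN`, which tends to go stale, so the bare `https://docs.microsoft.com/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess` form is safer; and the added `![]()` image tags, like the existing one, carry no alt text, so a short description such as `![PROCESS_BASIC_INFORMATION after NtQueryInformationProcess]` would help readers of the raw markdown. Check also that the file is really named `processhacker.PNG` with an uppercase extension, as the repository path is case-sensitive.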