mirror of https://github.com/nganhkhoa/malware.git (synced 2024-06-10 21:32:07 +07:00)
Update malware-analysis_ref_and_memo.md
parent 4d50e4bce9
commit 93d11f7d6a
@ -543,6 +543,8 @@ Injecition/Hollowingされたプロセスの自動検出<br>
|
||||
|[InitializeListHead](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-initializelisthead)<br>wdm.h (include Wdm.h, Ntddk.h, Ntifs.h, Wudfwdm.h)|PLIST_ENTRY ListHead|-|LIST_ENTRY構造体の初期化|
|
||||
|[CreateMutex](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa)<br>kernel32/synchapi.h (include Windows.h)|1.LPSECURITY_ATTRIBUTES lpMutexAttributes<br>2.BOOL bInitialOwner<br>3.LPCSTR lpName|**Success**:a handle to the newly created mutex object<br>**Fail**:Null|Mutexを作成|
|
||||
|[GetModuleFileName](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea)<br>kernel32/libloaderapi.h (include Windows.h)|1. HMODULE hModule<br>2. LPSTR lpFilenam<br>3. DWORD nSize|**Success**:the length of the string that is copied to the buffer, in characters, not including the terminating null character<br>**Fail**:zero|現在のプロセスにロードされている特定のモジュールの完全修飾パスを取得,hModuleがNullの場合現在のプロセスの実行ファイルのパスを取得|
|
||||
|[GetUserName](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getusernamea)<br>Advapi32.dll/winbase.h (include Windows.h)|1. LPSTR lpBuffer<br>2. LPDWORD pcbBuffer|**Success**:a nonzero value<br>**Fail**:zero|現在のスレッドのユーザ名を取得|
|
||||
|
||||
|
||||
|
||||
|
||||
|
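Review bot: the new GetModuleFileName row misspells its second parameter as `LPSTR lpFilenam`; it should read `LPSTR lpFilename` to match the linked documentation. The two added rows also number their parameters as `1. HMODULE hModule` (with a space after the period), while the neighbouring CreateMutex row uses `1.LPSECURITY_ATTRIBUTES lpMutexAttributes` (no space); pick one form so the table renders consistently.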