nganhkhoa/mether049-malware
1
0
Fork 0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
Code Issues Projects Releases Wiki Activity

Update malware-tech_ref_and_memo.md

Browse Source
This commit is contained in:
mether049 2020-02-19 00:27:38 +09:00 committed by GitHub
parent beb142ee69
commit 9ff435a62c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
malware-tech_ref_and_memo.md
View File

@ -94,16 +94,27 @@ to do...
## API obfuscation ## API obfuscation
[A Museum of API Obfuscation on Win32](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/a_museum_of_api_obfuscation_on_win32.pdf)<br> [A Museum of API Obfuscation on Win32](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/a_museum_of_api_obfuscation_on_win32.pdf)<br>
### Using GetProcAddress and GetModulehandleA ### Using GetProcAddress and GetModulehandleA
- GetProcAddressを利用して呼び出したいAPIのアドレスを動的に解決する - GetProcAddressを利用して呼び出したいAPIのアドレスを動的に解決することでAPIの呼び出し解析を回避する
- GetProcAddressの引数は第一引数に対象dllのハンドルを指定(i.e. GetModuleHandleA("kernel32.dll"))し第二引数にdllから呼び出したいAPI名を指定 - GetProcAddressの引数は第一引数に対象dllのハンドルを指定(i.e. GetModuleHandleA("kernel32.dll"))し第二引数にdllから呼び出したいAPI名を指定
``` ```cpp
FARPROC GetProcAddress( // Get a handle on kernel32.dll
HMODULE hModule, HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
LPCSTR lpProcName
);
```
// Define the prototype of 'OpenProcess' (see https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-openprocess)
using OpenProcessPrototype = HANDLE(WINAPI*)(DWORD, BOOL, DWORD);
// Perform the dynamic resolving using GetProcAddress
OpenProcessPrototype OpenProcess = (OpenProcessPrototype)GetProcAddress(kernel32, "OpenProcess");
```
- GetProcAddressやGetModuleWのみインポートすること自体が怪しまれる可能性がある
- ref:
- [Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader,2020-02](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)
### Using PEB
- GetProcAddressやGetModulehanleWのアドレスも動的に解決させることができる
- PEB(Process Environmental Block)の[PEB_LDR_DATA](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data)構造体や[LDR_DATA_TABLE_ENTRY](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data#remarks)構造体のリストを反復処理して目的のDLL名を探しアドレスを取得する
- 目的のDLLのメモリ内のエクスポートテーブルから呼び出す対象のAPIを探しアドレスを取得する
- ref:
- [Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader,2020-02](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)
## PowerShell Script obfuscation ## PowerShell Script obfuscation
- 難読化ツール<br> - 難読化ツール<br>