diff --git a/Trickbot/analysis_processhollowing.md b/Trickbot/analysis_processhollowing.md index f60240a..d537c90 100644 --- a/Trickbot/analysis_processhollowing.md +++ b/Trickbot/analysis_processhollowing.md @@ -116,6 +116,7 @@ Process Hollowingにも利用するデータに関する説明 ![](https://github.com/mether049/malware/blob/master/Trickbot/img/apicall_15_720.png) - 以下は[NtQueryInformationProcess](https://docs.microsoft.com/ja-jp/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess?redirectedfrom=MSDN)の呼び出し後におけるPROCESS_BASIC_INFORMATION構造体の各メンバの値である - svchost.exeのプロセスIDは9652 + ![](https://github.com/mether049/malware/blob/master/Trickbot/img/PROCESS_BASIC_INFORMATION.png) ![](https://github.com/mether049/malware/blob/master/Trickbot/img/processhacker.PNG)
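Review bot: The added image line `![](https://github.com/mether049/malware/blob/master/Trickbot/img/PROCESS_BASIC_INFORMATION.png)` has empty alt text, unlike the bullets right above it, which already state what the screenshot shows (the PROCESS_BASIC_INFORMATION members after the NtQueryInformationProcess call, with svchost.exe as PID 9652); a short alt text such as `![PROCESS_BASIC_INFORMATION after NtQueryInformationProcess](...)` would keep that information when the image does not render. Consider also indenting the new line under the `- svchost.exeのプロセスIDは9652` bullet so Markdown renders it as part of that list item rather than as a separate paragraph between the list and the existing processhacker.PNG screenshot.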