nganhkhoa/mether049-malware
1
0
Fork 0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
Code Issues Projects Releases Wiki Activity

Update malware-analysis_ref_and_memo.md

Browse Source
This commit is contained in:
mether049 2020-06-23 21:59:25 +09:00 committed by GitHub
parent 93d11f7d6a
commit b4e8c505a1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
malware-analysis_ref_and_memo.md
View File

@ -538,16 +538,14 @@ Injecition/Hollowingされたプロセスの自動検出<br>
|:-|:-|:-|:-| |:-|:-|:-|:-|
|[GetModuleHandle](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea)<br>kernel32/libloaderapi.h (include Windows.h)|PCSTR lpModuleName(モジュール名)|**Success**:a handle to the specified module<br>**Fail**:NULL|指定したモジュールへのハンドルを取得| |[GetModuleHandle](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea)<br>kernel32/libloaderapi.h (include Windows.h)|PCSTR lpModuleName(モジュール名)|**Success**:a handle to the specified module<br>**Fail**:NULL|指定したモジュールへのハンドルを取得|
|[ReadProcessMemory](https://docs.microsoft.com/ja-jp/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory)<br>kernel32/memoryapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPCVOID lpBaseAddress<br>3.LPVOID lpBuffer><br>4.SIZE_T nSize<br>5.SIZE_T \*lpNumberOfBytesRead|**Success**:non zero<br>**Fail**:zero(0)|特定のプロセスの指定したアドレスからメモリの内容を読み取る| |[ReadProcessMemory](https://docs.microsoft.com/ja-jp/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory)<br>kernel32/memoryapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPCVOID lpBaseAddress<br>3.LPVOID lpBuffer><br>4.SIZE_T nSize<br>5.SIZE_T \*lpNumberOfBytesRead|**Success**:non zero<br>**Fail**:zero(0)|特定のプロセスの指定したアドレスからメモリの内容を読み取る|
|[CreateProcess](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa)<br>kernel32.dll/processthreadsapi.h (include Windows.h)|LPCSTR lpApplicationName<br>LPSTR lpCommandLine<br>LPSECURITY_ATTRIBUTES lpProcessAttributes<br>LPSECURITY_ATTRIBUTES lpThreadAttributes<br>BOOL bInheritHandles<br>DWORD dwCreationFlags<br>LPVOID lpEnvironment<br>LPCSTR lpCurrentDirectory <br>LPSTARTUPINFOA lpStartupInfo<br>LPPROCESS_INFORMATION lpProcessInformation|**Success**:non zero<br>**Fail** zero|新しいプロセスの作成|
|[CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread)<br>kernel32/processthreadsapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPSECURITY_ATTRIBUTES lpThreadAttributes<br>3.SIZE_T dwStackSize<br>4.LPTHREAD_START_ROUTINE lpStartAddress<br>5.LPVOID lpParameter<br>DWORD dwCreationFlags<br>6.LPDWORD lpThreadId|**Success**:a handle to the new thread<br>**Fail**:Null|別プロセス上に対してスレッドを作成| |[CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread)<br>kernel32/processthreadsapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPSECURITY_ATTRIBUTES lpThreadAttributes<br>3.SIZE_T dwStackSize<br>4.LPTHREAD_START_ROUTINE lpStartAddress<br>5.LPVOID lpParameter<br>DWORD dwCreationFlags<br>6.LPDWORD lpThreadId|**Success**:a handle to the new thread<br>**Fail**:Null|別プロセス上に対してスレッドを作成|
|[InitializeCriticalSection](https://docs.microsoft.com/ja-jp/windows/win32/api/synchapi/nf-synchapi-initializecriticalsection)<br>kernel32/synchapi.h (include Windows.h)|LPCRITICAL_SECTION lpCriticalSection|-|クリティカルセクションを初期化,クリティカルセクションオブジェクトにより1つのプロセスの複数スレッド間で相互排他の同期が行える| |[InitializeCriticalSection](https://docs.microsoft.com/ja-jp/windows/win32/api/synchapi/nf-synchapi-initializecriticalsection)<br>kernel32/synchapi.h (include Windows.h)|LPCRITICAL_SECTION lpCriticalSection|-|クリティカルセクションを初期化,クリティカルセクションオブジェクトにより1つのプロセスの複数スレッド間で相互排他の同期が行える|
|[InitializeListHead](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-initializelisthead)<br>wdm.h (include Wdm.h, Ntddk.h, Ntifs.h, Wudfwdm.h)|PLIST_ENTRY ListHead|-|LIST_ENTRY構造体の初期化| |[InitializeListHead](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-initializelisthead)<br>wdm.h (include Wdm.h, Ntddk.h, Ntifs.h, Wudfwdm.h)|PLIST_ENTRY ListHead|-|LIST_ENTRY構造体の初期化|
|[CreateMutex](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa)<br>kernel32/synchapi.h (include Windows.h)|1.LPSECURITY_ATTRIBUTES lpMutexAttributes<br>2.BOOL bInitialOwner<br>3.LPCSTR lpName|**Success**:a handle to the newly created mutex object<br>**Fail**:Null|Mutexを作成| |[CreateMutex](https://docs.microsoft.com/en-us/windows/win32/api/synchapiprocessthreadsapi.h (include Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 Windows Server 2008 R2, Windows.h)/nf-synchapi-createmutexa)<br>kernel32/synchapi.h (include Windows.h)|1.LPSECURITY_ATTRIBUTES lpMutexAttributes<br>2.BOOL bInitialOwner<br>3.LPCSTR lpName|**Success**:a handle to the newly created mutex object<br>**Fail**:Null|Mutexを作成|
|[GetModuleFileName](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea)<br>kernel32/libloaderapi.h (include Windows.h)|1. HMODULE hModule<br>2. LPSTR lpFilenam<br>3. DWORD nSize|**Success**:the length of the string that is copied to the buffer, in characters, not including the terminating null character<br>**Fail**:zero|現在のプロセスにロードされている特定のモジュールの完全修飾パスを取得,hModuleがNullの場合現在のプロセスの実行ファイルのパスを取得| |[GetModuleFileName](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea)<br>kernel32/libloaderapi.h (include Windows.h)|1. HMODULE hModule<br>2. LPSTR lpFilenam<br>3. DWORD nSize|**Success**:the length of the string that is copied to the buffer, in characters, not including the terminating null character<br>**Fail**:zero|現在のプロセスにロードされている特定のモジュールの完全修飾パスを取得,hModuleがNullの場合現在のプロセスの実行ファイルのパスを取得|
|[GetUserName](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getusernamea)<br>Advapi32.dll/winbase.h (include Windows.h)|1. LPSTR lpBuffer<br>2. LPDWORD pcbBuffer|**Success**:a nonzero value<br>**Fail**:zero|現在のスレッドのユーザ名を取得| |[GetUserName](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getusernamea)<br>Advapi32.dll/winbase.h (include Windows.h)|1. LPSTR lpBuffer<br>2. LPDWORD pcbBuffer|**Success**:a nonzero value<br>**Fail**:zero|現在のスレッドのユーザ名を取得|
### Deobfuscation ### Deobfuscation
- バイナリの難読化解除に関するブログ - バイナリの難読化解除に関するブログ
- [Tales Of Binary Deobfuscation - Part 1](https://ulexec.github.io/ulexec.github.io/article/2020/03/03/Deobfuscation_1.html) - [Tales Of Binary Deobfuscation - Part 1](https://ulexec.github.io/ulexec.github.io/article/2020/03/03/Deobfuscation_1.html)