mirror of
https://github.com/nganhkhoa/malware.git
synced 2024-06-10 21:32:07 +07:00
Update malware-analysis_ref_and_memo.md
This commit is contained in:
parent
93d11f7d6a
commit
b4e8c505a1
@ -538,16 +538,14 @@ Injecition/Hollowingされたプロセスの自動検出<br>
|
|||||||
|:-|:-|:-|:-|
|
|:-|:-|:-|:-|
|
||||||
|[GetModuleHandle](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea)<br>kernel32/libloaderapi.h (include Windows.h)|PCSTR lpModuleName(モジュール名)|**Success**:a handle to the specified module<br>**Fail**:NULL|指定したモジュールへのハンドルを取得|
|
|[GetModuleHandle](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea)<br>kernel32/libloaderapi.h (include Windows.h)|PCSTR lpModuleName(モジュール名)|**Success**:a handle to the specified module<br>**Fail**:NULL|指定したモジュールへのハンドルを取得|
|
||||||
|[ReadProcessMemory](https://docs.microsoft.com/ja-jp/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory)<br>kernel32/memoryapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPCVOID lpBaseAddress<br>3.LPVOID lpBuffer><br>4.SIZE_T nSize<br>5.SIZE_T \*lpNumberOfBytesRead|**Success**:non zero<br>**Fail**:zero(0)|特定のプロセスの指定したアドレスからメモリの内容を読み取る|
|
|[ReadProcessMemory](https://docs.microsoft.com/ja-jp/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory)<br>kernel32/memoryapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPCVOID lpBaseAddress<br>3.LPVOID lpBuffer><br>4.SIZE_T nSize<br>5.SIZE_T \*lpNumberOfBytesRead|**Success**:non zero<br>**Fail**:zero(0)|特定のプロセスの指定したアドレスからメモリの内容を読み取る|
|
||||||
|
|[CreateProcess](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa)<br>kernel32.dll/processthreadsapi.h (include Windows.h)|LPCSTR lpApplicationName<br>LPSTR lpCommandLine<br>LPSECURITY_ATTRIBUTES lpProcessAttributes<br>LPSECURITY_ATTRIBUTES lpThreadAttributes<br>BOOL bInheritHandles<br>DWORD dwCreationFlags<br>LPVOID lpEnvironment<br>LPCSTR lpCurrentDirectory <br>LPSTARTUPINFOA lpStartupInfo<br>LPPROCESS_INFORMATION lpProcessInformation|**Success**:non zero<br>**Fail** zero|新しいプロセスの作成|
|
||||||
|[CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread)<br>kernel32/processthreadsapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPSECURITY_ATTRIBUTES lpThreadAttributes<br>3.SIZE_T dwStackSize<br>4.LPTHREAD_START_ROUTINE lpStartAddress<br>5.LPVOID lpParameter<br>DWORD dwCreationFlags<br>6.LPDWORD lpThreadId|**Success**:a handle to the new thread<br>**Fail**:Null|別プロセス上に対してスレッドを作成|
|
|[CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread)<br>kernel32/processthreadsapi.h (include Windows.h)|1.HANDLE hProcess<br>2.LPSECURITY_ATTRIBUTES lpThreadAttributes<br>3.SIZE_T dwStackSize<br>4.LPTHREAD_START_ROUTINE lpStartAddress<br>5.LPVOID lpParameter<br>DWORD dwCreationFlags<br>6.LPDWORD lpThreadId|**Success**:a handle to the new thread<br>**Fail**:Null|別プロセス上に対してスレッドを作成|
|
||||||
|[InitializeCriticalSection](https://docs.microsoft.com/ja-jp/windows/win32/api/synchapi/nf-synchapi-initializecriticalsection)<br>kernel32/synchapi.h (include Windows.h)|LPCRITICAL_SECTION lpCriticalSection|-|クリティカルセクションを初期化,クリティカルセクションオブジェクトにより1つのプロセスの複数スレッド間で相互排他の同期が行える|
|
|[InitializeCriticalSection](https://docs.microsoft.com/ja-jp/windows/win32/api/synchapi/nf-synchapi-initializecriticalsection)<br>kernel32/synchapi.h (include Windows.h)|LPCRITICAL_SECTION lpCriticalSection|-|クリティカルセクションを初期化,クリティカルセクションオブジェクトにより1つのプロセスの複数スレッド間で相互排他の同期が行える|
|
||||||
|[InitializeListHead](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-initializelisthead)<br>wdm.h (include Wdm.h, Ntddk.h, Ntifs.h, Wudfwdm.h)|PLIST_ENTRY ListHead|-|LIST_ENTRY構造体の初期化|
|
|[InitializeListHead](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-initializelisthead)<br>wdm.h (include Wdm.h, Ntddk.h, Ntifs.h, Wudfwdm.h)|PLIST_ENTRY ListHead|-|LIST_ENTRY構造体の初期化|
|
||||||
|[CreateMutex](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa)<br>kernel32/synchapi.h (include Windows.h)|1.LPSECURITY_ATTRIBUTES lpMutexAttributes<br>2.BOOL bInitialOwner<br>3.LPCSTR lpName|**Success**:a handle to the newly created mutex object<br>**Fail**:Null|Mutexを作成|
|
|[CreateMutex](https://docs.microsoft.com/en-us/windows/win32/api/synchapiprocessthreadsapi.h (include Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 Windows Server 2008 R2, Windows.h)/nf-synchapi-createmutexa)<br>kernel32/synchapi.h (include Windows.h)|1.LPSECURITY_ATTRIBUTES lpMutexAttributes<br>2.BOOL bInitialOwner<br>3.LPCSTR lpName|**Success**:a handle to the newly created mutex object<br>**Fail**:Null|Mutexを作成|
|
||||||
|[GetModuleFileName](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea)<br>kernel32/libloaderapi.h (include Windows.h)|1. HMODULE hModule<br>2. LPSTR lpFilenam<br>3. DWORD nSize|**Success**:the length of the string that is copied to the buffer, in characters, not including the terminating null character<br>**Fail**:zero|現在のプロセスにロードされている特定のモジュールの完全修飾パスを取得,hModuleがNullの場合現在のプロセスの実行ファイルのパスを取得|
|
|[GetModuleFileName](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea)<br>kernel32/libloaderapi.h (include Windows.h)|1. HMODULE hModule<br>2. LPSTR lpFilenam<br>3. DWORD nSize|**Success**:the length of the string that is copied to the buffer, in characters, not including the terminating null character<br>**Fail**:zero|現在のプロセスにロードされている特定のモジュールの完全修飾パスを取得,hModuleがNullの場合現在のプロセスの実行ファイルのパスを取得|
|
||||||
|[GetUserName](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getusernamea)<br>Advapi32.dll/winbase.h (include Windows.h)|1. LPSTR lpBuffer<br>2. LPDWORD pcbBuffer|**Success**:a nonzero value<br>**Fail**:zero|現在のスレッドのユーザ名を取得|
|
|[GetUserName](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getusernamea)<br>Advapi32.dll/winbase.h (include Windows.h)|1. LPSTR lpBuffer<br>2. LPDWORD pcbBuffer|**Success**:a nonzero value<br>**Fail**:zero|現在のスレッドのユーザ名を取得|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Deobfuscation
|
### Deobfuscation
|
||||||
- バイナリの難読化解除に関するブログ
|
- バイナリの難読化解除に関するブログ
|
||||||
- [Tales Of Binary Deobfuscation - Part 1](https://ulexec.github.io/ulexec.github.io/article/2020/03/03/Deobfuscation_1.html)
|
- [Tales Of Binary Deobfuscation - Part 1](https://ulexec.github.io/ulexec.github.io/article/2020/03/03/Deobfuscation_1.html)
|
||||||
|
Loading…
Reference in New Issue
Block a user