mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00

Update malware-tech_ref_and_memo.md

This commit is contained in:
mether049 2020-02-18 23:59:40 +09:00 committed by GitHub
parent ffa081c03b
commit beb142ee69
GPG Key ID: 4AEE18F83AFDEB23


@ -92,7 +92,18 @@ to do...
[The 0x33 Segment Selector (Heavens Gate)](https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html)<br>
## API obfuscation
[A Museum of API Obfuscation on Win32](http://eval.symantec.com/mktginfo/enterprise/media/security_response/whitepapers/a_museum_of_api_obfuscation_on_win32.pdf)<br>
[A Museum of API Obfuscation on Win32](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/a_museum_of_api_obfuscation_on_win32.pdf)<br>
### Using GetProcAddress and GetModulehandleA
- GetProcAddressを利用して呼び出したいAPIのアドレスを動的に解決する
- GetProcAddressの引数は第一引数に対象dllのハンドルを指定(i.e. GetModuleHandleA("kernel32.dll"))し第二引数にdllから呼び出したいAPI名を指定
```
FARPROC GetProcAddress(
HMODULE hModule,
LPCSTR lpProcName
);
```
## PowerShell Script obfuscation
- 難読化ツール<br>
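Review bot: the heading `### Using GetProcAddress and GetModulehandleA` misspells the second API; the bullet right below it uses the correct name `GetModuleHandleA("kernel32.dll")`, so the heading should be changed to `GetModuleHandleA` to match. Two smaller points in the same region: the `FARPROC GetProcAddress(` prototype sits in an untagged code fence and would get syntax highlighting if the fence were tagged with `c`, and the two `A Museum of API Obfuscation on Win32` entries point at the same whitepaper on different Symantec hosts (eval.symantec.com and www.symantec.com); if the intent was to replace the old link rather than add a second copy, drop the first entry so the reference is not listed twice.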