mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00

Update malware-tech_ref_and_memo.md

mether049 2020-02-19 00:33:13 +09:00 committed by GitHub
parent 9ff435a62c
commit d07bade349
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -109,12 +109,14 @@ OpenProcessPrototype OpenProcess = (OpenProcessPrototype)GetProcAddress(kernel32
- GetProcAddressやGetModuleWのみインポートすること自体が怪しまれる可能性がある
- ref:
- [Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader,2020-02](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)
- [Salted algorithm - part 1,virusbulletin.,2014](https://www.virusbulletin.com/virusbulletin/2014/01/salted-algorithm-part-1)
### Using PEB
- GetProcAddressやGetModulehanleWのアドレスも動的に解決させることができる
- PEB(Process Environmental Block)の[PEB_LDR_DATA](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data)構造体や[LDR_DATA_TABLE_ENTRY](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data#remarks)構造体のリストを反復処理して目的のDLL名を探しアドレスを取得する
- 目的のDLLのメモリ内のエクスポートテーブルから呼び出す対象のAPIを探しアドレスを取得する
- ref:
- [Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader,2020-02](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)
- [Salted algorithm - part 1,virusbulletin.,2014](https://www.virusbulletin.com/virusbulletin/2014/01/salted-algorithm-part-1)
## PowerShell Script obfuscation
- 難読化ツール<br>
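Review bot: the new `### Using PEB` section misspells the API as `GetModulehanleW`; it should be `GetModuleHandleW`, and the context line just above the section refers to the same function as `GetModuleW`, so both spellings should be made consistent with the real export name so the memo stays greppable. Two smaller points in the same lines: PEB expands to Process Environment Block, not "Process Environmental Block", and the `ref:` list added under "Using PEB" repeats the two links already listed verbatim under the preceding section, so if both sections rely on the same two sources a single shared reference list would avoid the duplication.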