mirror of
https://github.com/nganhkhoa/malware.git
synced 2024-06-10 21:32:07 +07:00
Update malware-tech_ref_and_memo.md
This commit is contained in:
parent
9ff435a62c
commit
d07bade349
@ -109,12 +109,14 @@ OpenProcessPrototype OpenProcess = (OpenProcessPrototype)GetProcAddress(kernel32
|
||||
- GetProcAddressやGetModuleWのみインポートすること自体が怪しまれる可能性がある
|
||||
- ref:
|
||||
- [Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader,2020-02](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)
|
||||
- [Salted algorithm - part 1,virusbulletin.,2014](https://www.virusbulletin.com/virusbulletin/2014/01/salted-algorithm-part-1)
|
||||
### Using PEB
|
||||
- GetProcAddressやGetModulehanleWのアドレスも動的に解決させることができる
|
||||
- PEB(Process Environmental Block)の[PEB_LDR_DATA](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data)構造体や[LDR_DATA_TABLE_ENTRY](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data#remarks)構造体のリストを反復処理して,目的のDLL名を探しアドレスを取得する
|
||||
- 目的のDLLのメモリ内のエクスポートテーブルから呼び出す対象のAPIを探しアドレスを取得する
|
||||
- ref:
|
||||
- [Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader,2020-02](https://blog.christophetd.fr/hiding-windows-api-imports-with-a-customer-loader/)
|
||||
- [Salted algorithm - part 1,virusbulletin.,2014](https://www.virusbulletin.com/virusbulletin/2014/01/salted-algorithm-part-1)
|
||||
|
||||
## PowerShell Script obfuscation
|
||||
- 難読化ツール<br>
|
||||
|
Loading…
Reference in New Issue
Block a user