From de495b86209ea646933754f42fa9a731bdfd6d76 Mon Sep 17 00:00:00 2001 From: mether049 Date: Tue, 23 Jun 2020 22:02:51 +0900 Subject: [PATCH] Update malware-analysis_ref_and_memo.md --- malware-analysis_ref_and_memo.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/malware-analysis_ref_and_memo.md b/malware-analysis_ref_and_memo.md index 691a401..6ecf1cd 100644 --- a/malware-analysis_ref_and_memo.md +++ b/malware-analysis_ref_and_memo.md @@ -538,11 +538,11 @@ Injecition/Hollowingされたプロセスの自動検出
|:-|:-|:-|:-| |[GetModuleHandle](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulehandlea)
kernel32/libloaderapi.h (include Windows.h)|PCSTR lpModuleName(モジュール名)|**Success**:a handle to the specified module
**Fail**:NULL|指定したモジュールへのハンドルを取得| |[ReadProcessMemory](https://docs.microsoft.com/ja-jp/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory)
kernel32/memoryapi.h (include Windows.h)|1.HANDLE hProcess
2.LPCVOID lpBaseAddress
3.LPVOID lpBuffer>
4.SIZE_T nSize
5.SIZE_T \*lpNumberOfBytesRead|**Success**:non zero
**Fail**:zero(0)|特定のプロセスの指定したアドレスからメモリの内容を読み取る| -|[CreateProcess](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa)
kernel32.dll/processthreadsapi.h (include Windows.h)|LPCSTR lpApplicationName
LPSTR lpCommandLine
LPSECURITY_ATTRIBUTES lpProcessAttributes
LPSECURITY_ATTRIBUTES lpThreadAttributes
BOOL bInheritHandles
DWORD dwCreationFlags
LPVOID lpEnvironment
LPCSTR lpCurrentDirectory
LPSTARTUPINFOA lpStartupInfo
LPPROCESS_INFORMATION lpProcessInformation|**Success**:non zero
**Fail** zero|新しいプロセスの作成| +|[CreateProcess](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa)
kernel32.dll/processthreadsapi.h (include Windows.h)|1. LPCSTR lpApplicationName
2. LPSTR lpCommandLine
3. LPSECURITY_ATTRIBUTES lpProcessAttributes
4. LPSECURITY_ATTRIBUTES lpThreadAttributes
5. BOOL bInheritHandles
6. DWORD dwCreationFlags
7. LPVOID lpEnvironment
8. LPCSTR lpCurrentDirectory
9. LPSTARTUPINFOA lpStartupInfo
10. LPPROCESS_INFORMATION lpProcessInformation|**Success**:non zero
**Fail** zero|新しいプロセスの作成| |[CreateRemoteThread](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread)
kernel32/processthreadsapi.h (include Windows.h)|1.HANDLE hProcess
2.LPSECURITY_ATTRIBUTES lpThreadAttributes
3.SIZE_T dwStackSize
4.LPTHREAD_START_ROUTINE lpStartAddress
5.LPVOID lpParameter
DWORD dwCreationFlags
6.LPDWORD lpThreadId|**Success**:a handle to the new thread
**Fail**:Null|別プロセス上に対してスレッドを作成| |[InitializeCriticalSection](https://docs.microsoft.com/ja-jp/windows/win32/api/synchapi/nf-synchapi-initializecriticalsection)
kernel32/synchapi.h (include Windows.h)|LPCRITICAL_SECTION lpCriticalSection|-|クリティカルセクションを初期化,クリティカルセクションオブジェクトにより1つのプロセスの複数スレッド間で相互排他の同期が行える| |[InitializeListHead](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-initializelisthead)
wdm.h (include Wdm.h, Ntddk.h, Ntifs.h, Wudfwdm.h)|PLIST_ENTRY ListHead|-|LIST_ENTRY構造体の初期化| -|[CreateMutex](https://docs.microsoft.com/en-us/windows/win32/api/synchapiprocessthreadsapi.h (include Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 Windows Server 2008 R2, Windows.h)/nf-synchapi-createmutexa)
kernel32/synchapi.h (include Windows.h)|1.LPSECURITY_ATTRIBUTES lpMutexAttributes
2.BOOL bInitialOwner
3.LPCSTR lpName|**Success**:a handle to the newly created mutex object
**Fail**:Null|Mutexを作成| +|[CreateMutex](https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa)
kernel32/synchapi.h (include Windows.h)|1.LPSECURITY_ATTRIBUTES lpMutexAttributes
2.BOOL bInitialOwner
3.LPCSTR lpName|**Success**:a handle to the newly created mutex object
**Fail**:Null|Mutexを作成| |[GetModuleFileName](https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getmodulefilenamea)
kernel32/libloaderapi.h (include Windows.h)|1. HMODULE hModule
2. LPSTR lpFilenam
3. DWORD nSize|**Success**:the length of the string that is copied to the buffer, in characters, not including the terminating null character
**Fail**:zero|現在のプロセスにロードされている特定のモジュールの完全修飾パスを取得,hModuleがNullの場合現在のプロセスの実行ファイルのパスを取得| |[GetUserName](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getusernamea)
Advapi32.dll/winbase.h (include Windows.h)|1. LPSTR lpBuffer
2. LPDWORD pcbBuffer|**Success**:a nonzero value
**Fail**:zero|現在のスレッドのユーザ名を取得|
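Review bot: the re-numbered CreateProcess row keeps `**Fail** zero` (no colon) in both its removed and added form, while every other row in this table writes the failure value as `**Fail**:zero` / `**Fail**:Null`; since the row is being rewritten anyway, change it to `**Fail**:zero` so the column stays consistent. The numbering style also differs: this row uses `1. LPCSTR lpApplicationName` (space after the number) whereas the ReadProcessMemory, CreateRemoteThread and CreateMutex rows use `1.HANDLE hProcess` with no space; pick one form for the table. The CreateMutex change is correct: the old link had a pasted requirements fragment (`...synchapiprocessthreadsapi.h (include Windows Server 2003, ...`) in the middle of the path, and the new `https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa` follows the same `/api/synchapi/nf-synchapi-...` pattern as the InitializeCriticalSection row. Three defects in the unchanged context lines of this hunk are worth a follow-up commit, since this section is the reference for spotting injection/hollowing APIs: the CreateRemoteThread row lists `DWORD dwCreationFlags` without a number, so `6.LPDWORD lpThreadId` is really the seventh parameter; the ReadProcessMemory row has a stray `>` in `3.LPVOID lpBuffer>`; and the GetModuleFileName row has `2. LPSTR lpFilenam` (should be `lpFilename`).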