# Anti-analysis - Anti-analysisに利用されるAPI,ファイル名,プロセス名,dll,レジストリ等の一覧まとめ
[Collection of Anti-Malware Analysis Tricks.(2016-10)](https://forum.tuts4you.com/topic/38931-collection-of-anti-malware-analysis-tricks/) ## Injection/Hollowing - 正規プロセス等のアドレス空間にコードを注入することで検知や分析を妨害するTechnique - 利用される正規プロセス:svchost.exe,explorer.exe,regsvr32.exe等 - Heaven's Gateと組み合わせて利用される場合あり - ref: - 各種Injection/Hollowingで利用されるAPIの一覧
[HUNTING PROCESS INJECTION BY WINDOWSAPI CALLS (2019-11)](https://malwareanalysis.co/wp-content/uploads/2019/11/Hunting-Process-Injection-by-Windows-API-Calls.pdf)
- 図で分かりやすく説明
[Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques](https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process) ### Dll Injection - 正規プロセス探索->プロセスのハンドル取得->メモリ領域確保->悪性DLL注入->実行 - e.g. CreateToolhelp32Snapshot,Process32First,Process32Next->OpenProcess->VirtualAllocEx->WriteProcessMemory->CreateRemoteThread
[07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365](https://www.virustotal.com/gui/file/07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365/detection) ### Thread Execution Hijacking - 正規プロセス,スレッド探索->スレッドのハンドル取得->スレッド停止->メモリ領域確保->悪性コード注入->EIP書き換え->実行 - e.g. CreateToolhelp32Snapshot,Thread32First,Thread32Next->OpenThread->SuspendThread->VirtualAllocEx->WriteProcessMemory->SetThreadContext->ResumeThread [787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e](https://www.virustotal.com/gui/file/787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e/detection) ### Dll Injection Using SetWindowsHookEx(Hook Injection) - Hooking: > Hooking is a technique used to intercept function calls. - SetWindowsHookEx > - The first argument is the type of event. The events reflect the range of hook types, and vary from pressing keys on the keyboard (WH_KEYBOARD) to inputs to the mouse (WH_MOUSE), CBT, etc. > - The second argument is a pointer to the function the malware wants to invoke upon the event execution. > - The third argument is a module that contains the function. > - The last argument to this function is the thread with which the hook procedure is to be associated. - dll読み込み->アドレス解決->正規プロセス,スレッドの探索->フック - e.g. LoadLibrary->GetProcAddress->CreateToolhelp32Snapshot,Thred32First,Thread32Next->SetWindowsHookEx [5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1](https://www.virustotal.com/gui/file/5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1/detection) ### Process Hollowing - 正規プロセス作成(サスペンド状態)->空洞化->メモリ領域確保->悪性コード注入->エントリポイント設定->実行
- e.g. CreateProcess->ZwUnmapViewOfSection(NtUnmapViewOfSection)->VirtualAllocEx->WriteProcessMemory->SetThreadContext->ResumeThread
[eae72d803bf67df22526f50fc7ab84d838efb2865c27aef1a61592b1c520d144](https://www.virustotal.com/gui/file/eae72d803bf67df22526f50fc7ab84d838efb2865c27aef1a61592b1c520d144/detection) ### APC Injection - プロセス,スレッド探索->アラート状態->ハンドル取得->キューに追加 - e.g. Createtoolhelp32Snapshot,Thread32First,Thread32Next->WaitForMultipleObjectEx->OpenThread->VirtualAllocEx->WriteProcessMemory->QueueUserAPC - QueueUserAPC > - First args: a handle to the target thread > - Second args: a pointer to the function that the malware wants to run > - Third args: the parameter that is passed to the function pointer. [f74399cc0be275376dad23151e3d0c2e2a1c966e6db6a695a05ec1a30551c0ad](https://www.virustotal.com/gui/file/f74399cc0be275376dad23151e3d0c2e2a1c966e6db6a695a05ec1a30551c0ad/detection) ### ATOM BOMBING to do... ### Shell Tray Window Injection to do... ### Shim Injection to do... ### IAT and Inline Hooking to do... ### ALPC Injection to do... ### REFLECTIVE PE Injection to do... ### LOCKPOS to do... ### KERNEL CALLBACK TABLE to do... ### CLIPBRDWNDCLASS to do... ### PROGATE to do... ### EARLY BIRD to do... ### CONSOLE WINDOW CLASS to do... ### TOOLTIP Process Injection to do... ### 永続化 - **Applnit_Dlls**
to do... - **AppCertDlls**
to do... - **IFEO**
to do... ## Heaven's Gate - 0x33セグメントセレクターを使用して32ビット(WOW64)プロセスで64ビットコードを実行するTechnique
- x86用ユーザモードデバッガでの追跡が難しい
- WinDBG等のカーネルモードデバッガでは追跡することができる
- 名前の由来はVX Heavenに投稿されたから
- 少なくともtrickbot,locky,emotet等では利用されていた
- ref:
[Knockin’ on Heaven’s Gate – Dynamic Processor Mode Switching(2012-09)](http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/)
[The 0x33 Segment Selector (Heavens Gate)](https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html)
## API obfuscation [A Museum of API Obfuscation on Win32](http://eval.symantec.com/mktginfo/enterprise/media/security_response/whitepapers/a_museum_of_api_obfuscation_on_win32.pdf)
# Anti-detection ## DGA - ドメイン生成アルゴリズム
- 数学的なアルゴリズムを利用して一定間隔ごとに異なる通信先ドメインを生成することにより,ドメイン名での検知を困難にする
- 43ファミリのDGAに対してseedタイプ,DGAタイプ,エントロピー,TLD等様々な観点から比較
[A Comprehensive Measurement Study of Domain Generating Malware,USENIX2016](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/plohmann)