1
0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
mether049-malware/malware-tech_ref_and_memo.md
2020-01-03 16:51:48 +09:00

99 lines
6.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Anti-analysis
- Anti-analysisに利用されるAPI,ファイル名プロセス名dllレジストリ等の一覧まとめ<br>
[Collection of Anti-Malware Analysis Tricks.(2016-10)](https://forum.tuts4you.com/topic/38931-collection-of-anti-malware-analysis-tricks/)
## Injection/Hollowing
- 正規プロセス等のアドレス空間にコードを注入することで検知や分析を妨害するTechnique
- 利用される正規プロセスsvchost.exe,explorer.exe,regsvr32.exe等
- Heaven's Gateと組み合わせて利用される場合あり
- ref:
- 各種Injection/Hollowingで利用されるAPIの一覧<br>
[HUNTING PROCESS INJECTION BY WINDOWSAPI CALLS (2019-11)](https://malwareanalysis.co/wp-content/uploads/2019/11/Hunting-Process-Injection-by-Windows-API-Calls.pdf)<br>
- 図で分かりやすく説明<br>
[Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques](https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process)
### Dll Injection
- 正規プロセス探索->プロセスのハンドル取得->メモリ領域確保->悪性DLL注入->実行
- e.g. CreateToolhelp32Snapshot,Process32First,Process32Next->OpenProcess->VirtualAllocEx->WriteProcessMemory->CreateRemoteThread
[07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365](https://www.virustotal.com/gui/file/07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365/detection)
### Thread Execution Hijacking
- 正規プロセス,スレッド探索->スレッドのハンドル取得->スレッド停止->メモリ領域確保->悪性コード注入->EIP書き換え->実行
- e.g. CreateToolhelp32Snapshot,Thread32First,Thread32Next->OpenThread->SuspendThread->VirtualAllocEx->WriteProcessMemory->SetThreadContext->ResumeThread
[787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e](https://www.virustotal.com/gui/file/787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e/detection)
### Dll Injection Using SetWindowsHookEx(Hook Injection)
- Hooking:
> Hooking is a technique used to intercept function calls.
- SetWindowsHookEx
> - The first argument is the type of event. The events reflect the range of hook types, and vary from pressing keys on the keyboard (WH_KEYBOARD) to inputs to the mouse (WH_MOUSE), CBT, etc.
> - The second argument is a pointer to the function the malware wants to invoke upon the event execution.
> - The third argument is a module that contains the function.
> - The last argument to this function is the thread with which the hook procedure is to be associated.
- dll読み込み->アドレス解決->正規プロセス,スレッドの探索->フック
- e.g. LoadLibrary->GetProcAddress->CreateToolhelp32Snapshot,Thred32First,Thread32Next->SetWindowsHookEx
[5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1](https://www.virustotal.com/gui/file/5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1/detection)
### Process Hollowing
- 正規プロセス作成(サスペンド状態)->空洞化->メモリ領域確保->悪性コード注入->エントリポイント設定->実行<br>
- e.g. CreateProcess->ZwUnmapViewOfSection(NtUnmapViewOfSection)->VirtualAllocEx->WriteProcessMemory->SetThreadContext->ResumeThread<br>
[eae72d803bf67df22526f50fc7ab84d838efb2865c27aef1a61592b1c520d144](https://www.virustotal.com/gui/file/eae72d803bf67df22526f50fc7ab84d838efb2865c27aef1a61592b1c520d144/detection)
### APC Injection
- プロセス,スレッド探索->アラート状態->ハンドル取得->キューに追加
- e.g. Createtoolhelp32Snapshot,Thread32First,Thread32Next->WaitForMultipleObjectEx->OpenThread->VirtualAllocEx->WriteProcessMemory->QueueUserAPC
- QueueUserAPC
> - First args: a handle to the target thread
> - Second args: a pointer to the function that the malware wants to run
> - Third args: the parameter that is passed to the function pointer.
[f74399cc0be275376dad23151e3d0c2e2a1c966e6db6a695a05ec1a30551c0ad](https://www.virustotal.com/gui/file/f74399cc0be275376dad23151e3d0c2e2a1c966e6db6a695a05ec1a30551c0ad/detection)
### ATOM BOMBING
to do...
### Shell Tray Window Injection
to do...
### Shim Injection
to do...
### IAT and Inline Hooking
to do...
### ALPC Injection
to do...
### REFLECTIVE PE Injection
to do...
### LOCKPOS
to do...
### KERNEL CALLBACK TABLE
to do...
### CLIPBRDWNDCLASS
to do...
### PROGATE
to do...
### EARLY BIRD
to do...
### CONSOLE WINDOW CLASS
to do...
### TOOLTIP Process Injection
to do...
### 永続化
- **Applnit_Dlls**<br>
to do...
- **AppCertDlls**<br>
to do...
- **IFEO**<br>
to do...
## Heaven's Gate
- 0x33セグメントセレクターを使用して32ビットWOW64プロセスで64ビットコードを実行するTechnique<br>
- x86用ユーザモードデバッガでの追跡が難しい<br>
- WinDBG等のカーネルモードデバッガでは追跡することができる<br>
- 名前の由来はVX Heavenに投稿されたから<br>
- 少なくともtrickbot,locky,emotet等では利用されていた<br>
- ref:<br>
[Knockin on Heavens Gate Dynamic Processor Mode Switching(2012-09)](http://rce.co/knockin-on-heavens-gate-dynamic-processor-mode-switching/)<br>
[The 0x33 Segment Selector (Heavens Gate)](https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html)<br>
## API obfuscation
[A Museum of API Obfuscation on Win32](http://eval.symantec.com/mktginfo/enterprise/media/security_response/whitepapers/a_museum_of_api_obfuscation_on_win32.pdf)<br>
# Anti-detection
## DGA
- ドメイン生成アルゴリズム<br>
- 数学的なアルゴリズムを利用して一定間隔ごとに異なる通信先ドメインを生成することにより,ドメイン名での検知を困難にする<br>
- 43ファミリのDGAに対してseedタイプDGAタイプエントロピーTLD等様々な観点から比較<br>
[A Comprehensive Measurement Study of Domain Generating Malware,USENIX2016](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/plohmann)