1
0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
mether049-malware/malware-tech_ref_and_memo.md
2020-01-05 22:52:38 +09:00

6.2 KiB
Raw Blame History

Anti-analysis

Injection/Hollowing

Dll Injection

Thread Execution Hijacking

  • 正規プロセス,スレッド探索->スレッドのハンドル取得->スレッド停止->メモリ領域確保->悪性コード注入->EIP書き換え->実行
  • e.g. CreateToolhelp32Snapshot,Thread32First,Thread32Next->OpenThread->SuspendThread->VirtualAllocEx->WriteProcessMemory->SetThreadContext->ResumeThread 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e

Dll Injection Using SetWindowsHookEx(Hook Injection)

  • Hooking:

Hooking is a technique used to intercept function calls.

  • SetWindowsHookEx
  • The first argument is the type of event. The events reflect the range of hook types, and vary from pressing keys on the keyboard (WH_KEYBOARD) to inputs to the mouse (WH_MOUSE), CBT, etc.
  • The second argument is a pointer to the function the malware wants to invoke upon the event execution.
  • The third argument is a module that contains the function.
  • The last argument to this function is the thread with which the hook procedure is to be associated.

Process Hollowing

  • 正規プロセス作成(サスペンド状態)->空洞化->メモリ領域確保->悪性コード注入->エントリポイント設定->実行
  • e.g. CreateProcess->ZwUnmapViewOfSection(NtUnmapViewOfSection)->VirtualAllocEx->WriteProcessMemory->SetThreadContext->ResumeThread
    eae72d803bf67df22526f50fc7ab84d838efb2865c27aef1a61592b1c520d144

APC Injection

  • プロセス,スレッド探索->アラート状態->ハンドル取得->キューに追加
  • e.g. Createtoolhelp32Snapshot,Thread32First,Thread32Next->WaitForMultipleObjectEx->OpenThread->VirtualAllocEx->WriteProcessMemory->QueueUserAPC
  • QueueUserAPC
  • First args: a handle to the target thread
  • Second args: a pointer to the function that the malware wants to run
  • Third args: the parameter that is passed to the function pointer.

f74399cc0be275376dad23151e3d0c2e2a1c966e6db6a695a05ec1a30551c0ad

ATOM BOMBING

to do...

Shell Tray Window Injection

to do...

Shim Injection

to do...

IAT and Inline Hooking

to do...

ALPC Injection

to do...

REFLECTIVE PE Injection

to do...

LOCKPOS

to do...

KERNEL CALLBACK TABLE

to do...

CLIPBRDWNDCLASS

to do...

PROGATE

to do...

EARLY BIRD

to do...

CONSOLE WINDOW CLASS

to do...

TOOLTIP Process Injection

to do...

永続化

  • Applnit_Dlls
    to do...
  • AppCertDlls
    to do...
  • IFEO
    to do...

Heaven's Gate

API obfuscation

A Museum of API Obfuscation on Win32

Anti-detection

DGA

  • ドメイン生成アルゴリズム
  • 数学的なアルゴリズムを利用して一定間隔ごとに異なる通信先ドメインを生成することにより,ドメイン名での検知を困難にする
  • 43ファミリのDGAに対してseedタイプDGAタイプエントロピーTLD等様々な観点から比較
    A Comprehensive Measurement Study of Domain Generating Malware,USENIX2016