10 KiB

Raw Permalink Blame History

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.

Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.

{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}

Generic

Networking

Raw Sockets	WinAPI Sockets
socket()	WSAStratup()
bind()	bind()
listen()	listen()
accept()	accept()
connect()	connect()
read()/recv()	recv()
write()	send()
shutdown()	WSACleanup()

Persistence

Registry	File	Service
RegCreateKeyEx()	GetTempPath()	OpenSCManager
RegOpenKeyEx()	CopyFile()	CreateService()
RegSetValueEx()	CreateFile()	StartServiceCtrlDispatcher()
RegDeleteKeyEx()	WriteFile()
RegGetValue()	ReadFile()

Encryption

Name
WinCrypt
CryptAcquireContext()
CryptGenKey()
CryptDeriveKey()
CryptDecrypt()
CryptReleaseContext()

Anti-Analysis/VM

Function Name	Assembly Instructions
IsDebuggerPresent()	CPUID()
GetSystemInfo()	IN()
GlobalMemoryStatusEx()
GetVersion()
CreateToolhelp32Snapshot [Check if a process is running]
CreateFileW/A [Check if a file exist]

Stealth

Name
VirtualAlloc	Alloc memory (packers)
VirtualProtect	Change memory permission (packer giving execution permission to a section)
ReadProcessMemory	Injection into external processes
WriteProcessMemoryA/W	Injection into external processes
NtWriteVirtualMemory
CreateRemoteThread	DLL/Process injection...
NtUnmapViewOfSection
QueueUserAPC
CreateProcessInternalA/W

Execution

Function Name
CreateProcessA/W
ShellExecute
WinExec
ResumeThread
NtResumeThread

Miscellaneous

GetAsyncKeyState() -- Key logging
SetWindowsHookEx -- Key logging
GetForeGroundWindow -- Get running window name (or the website from a browser)
LoadLibrary() -- Import library
GetProcAddress() -- Import library
CreateToolhelp32Snapshot() -- List running processes
GetDC() -- Screenshot
BitBlt() -- Screenshot
InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
FindResource(), LoadResource(), LockResource() -- Access resources of the executable

Malware Techniques

DLL Injection

Execute an arbitrary DLL inside another process

Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next
Open the process: GetModuleHandle, GetProcAddress, OpenProcess
Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary

Other functions to use: NTCreateThreadEx, RtlCreateUserThread

Reflective DLL Injection

Load a malicious DLL without calling normal Windows API calls.
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.

Thread Hijacking

Find a thread from a process and make it load a malicious DLL

Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
Open the thread: OpenThread
Suspend the thread: SuspendThread
Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
Resume the thread loading the library: ResumeThread

PE Injection

Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.

Process Hollowing

The malware will unmap the legitimate code from memory of the process and load a malicious binary

Create a new process: CreateProcess
Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory
Set the entrypoint and execute: SetThreadContext, ResumeThread

Hooking

The SSDT (System Service Descriptor Table) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
- A rootkit may modify these pointer to addresses that he controls
IRP (I/O Request Packets) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
The IAT (Import Address Table) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
EAT (Export Address Table) Hooks. This hooks can be done from userland. The goal is to hook exported functions by DLLs.
Inline Hooks: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the beginning of this.