mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
136 lines
6.2 KiB
Markdown
136 lines
6.2 KiB
Markdown
# Common API used in Malware
|
|
|
|
## Generic
|
|
|
|
### Networking
|
|
|
|
| Raw Sockets | WinAPI Sockets |
|
|
| ------------- | -------------- |
|
|
| socket() | WSAStratup() |
|
|
| bind() | bind() |
|
|
| listen() | listen() |
|
|
| accept() | accept() |
|
|
| connect() | connect() |
|
|
| read()/recv() | recv() |
|
|
| write() | send() |
|
|
| shutdown() | WSACleanup() |
|
|
|
|
### Persistence
|
|
|
|
| Registry | File | Service |
|
|
| ---------------- | ------------- | ---------------------------- |
|
|
| RegCreateKeyEx() | GetTempPath() | OpenSCManager |
|
|
| RegOpenKeyEx() | CopyFile() | CreateService() |
|
|
| RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
|
|
| RegDeleteKeyEx() | WriteFile() | |
|
|
| RegGetValue() | ReadFile() | |
|
|
|
|
### Encryption
|
|
|
|
| Name |
|
|
| --------------------- |
|
|
| WinCrypt |
|
|
| CryptAcquireContext() |
|
|
| CryptGenKey() |
|
|
| CryptDeriveKey() |
|
|
| CryptDecrypt() |
|
|
| CryptReleaseContext() |
|
|
|
|
### Anti-Analysis/VM
|
|
|
|
| Function Name | Assembly Instructions |
|
|
| --------------------------------------------------------- | --------------------- |
|
|
| IsDebuggerPresent() | CPUID() |
|
|
| GetSystemInfo() | IN() |
|
|
| GlobalMemoryStatusEx() | |
|
|
| GetVersion() | |
|
|
| CreateToolhelp32Snapshot \[Check if a process is running] | |
|
|
| CreateFileW/A \[Check if a file exist] | |
|
|
|
|
### Stealth
|
|
|
|
| Name | |
|
|
| ------------------------ | -------------------------------------------------------------------------- |
|
|
| VirtualAlloc | Alloc memory (packers) |
|
|
| VirtualProtect | Change memory permission (packer giving execution permission to a section) |
|
|
| ReadProcessMemory | Injection into external processes |
|
|
| WriteProcessMemoryA/W | Injection into external processes |
|
|
| NtWriteVirtualMemory | |
|
|
| CreateRemoteThread | DLL/Process injection... |
|
|
| NtUnmapViewOfSection | |
|
|
| QueueUserAPC | |
|
|
| CreateProcessInternalA/W | |
|
|
|
|
### Execution
|
|
|
|
| Function Name |
|
|
| ---------------- |
|
|
| CreateProcessA/W |
|
|
| ShellExecute |
|
|
| WinExec |
|
|
| ResumeThread |
|
|
| NtResumeThread |
|
|
|
|
### Miscellaneous
|
|
|
|
* GetAsyncKeyState() -- Key logging
|
|
* SetWindowsHookEx -- Key logging
|
|
* GetForeGroundWindow -- Get running window name (or the website from a browser)
|
|
* LoadLibrary() -- Import library
|
|
* GetProcAddress() -- Import library
|
|
* CreateToolhelp32Snapshot() -- List running processes
|
|
* GetDC() -- Screenshot
|
|
* BitBlt() -- Screenshot
|
|
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
|
|
* FindResource(), LoadResource(), LockResource() -- Access resources of the executable
|
|
|
|
## Malware Techniques
|
|
|
|
### DLL Injection
|
|
|
|
Execute an arbitrary DLL inside another process
|
|
|
|
1. Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next
|
|
2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
|
|
3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
|
|
4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary
|
|
|
|
Other functions to use: NTCreateThreadEx, RtlCreateUserThread
|
|
|
|
### Reflective DLL Injection
|
|
|
|
Load a malicious DLL without calling normal Windows API calls.\
|
|
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.
|
|
|
|
### Thread Hijacking
|
|
|
|
Find a thread from a process and make it load a malicious DLL
|
|
|
|
1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
|
|
2. Open the thread: OpenThread
|
|
3. Suspend the thread: SuspendThread
|
|
4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
|
|
5. Resume the thread loading the library: ResumeThread
|
|
|
|
### PE Injection
|
|
|
|
Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.
|
|
|
|
### Process Hollowing
|
|
|
|
The malware will unmap the legitimate code from memory of the process and load a malicious binary
|
|
|
|
1. Create a new process: CreateProcess
|
|
2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
|
|
3. Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory
|
|
4. Set the entrypoint and execute: SetThreadContext, ResumeThread
|
|
|
|
## Hooking
|
|
|
|
* The **SSDT **(**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
|
|
* A rootkit may modify these pointer to addresses that he controls
|
|
* **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
|
|
* The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
|
|
* **EAT **(**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
|
|
* **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the begging of this.
|