hacktricks/reversing/common-api-used-in-malware.md

180 lines
8.8 KiB
Markdown
Raw Normal View History

# Common API used in Malware
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
<summary>Support HackTricks</summary>
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 14:09:38 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-03-14 23:01:13 +00:00
**Try Hard Security Group**
2024-03-26 14:56:40 +00:00
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
2024-03-14 23:01:13 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
## Generic
2022-05-01 16:32:23 +00:00
### Networking
2020-12-03 18:00:02 +00:00
| Raw Sockets | WinAPI Sockets |
| ------------- | -------------- |
| socket() | WSAStratup() |
| bind() | bind() |
| listen() | listen() |
| accept() | accept() |
| connect() | connect() |
| read()/recv() | recv() |
| write() | send() |
| shutdown() | WSACleanup() |
2020-12-03 18:00:02 +00:00
### Persistence
2020-12-03 18:00:02 +00:00
| Registry | File | Service |
| ---------------- | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager |
| RegOpenKeyEx() | CopyFile() | CreateService() |
| RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile() | |
| RegGetValue() | ReadFile() | |
2020-12-03 18:00:02 +00:00
### Encryption
2020-12-03 18:00:02 +00:00
| Name |
| --------------------- |
| WinCrypt |
| CryptAcquireContext() |
| CryptGenKey() |
| CryptDeriveKey() |
| CryptDecrypt() |
| CryptReleaseContext() |
2020-12-03 18:00:02 +00:00
### Anti-Analysis/VM
2020-12-03 18:00:02 +00:00
| Function Name | Assembly Instructions |
| --------------------------------------------------------- | --------------------- |
| IsDebuggerPresent() | CPUID() |
| GetSystemInfo() | IN() |
| GlobalMemoryStatusEx() | |
| GetVersion() | |
| CreateToolhelp32Snapshot \[Check if a process is running] | |
| CreateFileW/A \[Check if a file exist] | |
2020-12-03 18:00:02 +00:00
### Stealth
2020-12-03 18:00:02 +00:00
| Name | |
| ------------------------ | -------------------------------------------------------------------------- |
| VirtualAlloc | Alloc memory (packers) |
| VirtualProtect | Change memory permission (packer giving execution permission to a section) |
| ReadProcessMemory | Injection into external processes |
| WriteProcessMemoryA/W | Injection into external processes |
| NtWriteVirtualMemory | |
| CreateRemoteThread | DLL/Process injection... |
| NtUnmapViewOfSection | |
| QueueUserAPC | |
| CreateProcessInternalA/W | |
2020-12-03 18:00:02 +00:00
### Execution
2020-12-03 18:00:02 +00:00
| Function Name |
| ---------------- |
2020-12-09 00:31:50 +00:00
| CreateProcessA/W |
| ShellExecute |
| WinExec |
| ResumeThread |
| NtResumeThread |
2020-12-03 18:00:02 +00:00
### Miscellaneous
2020-12-03 18:00:02 +00:00
* GetAsyncKeyState() -- Key logging
2020-12-03 18:00:02 +00:00
* SetWindowsHookEx -- Key logging
* GetForeGroundWindow -- Get running window name (or the website from a browser)
* LoadLibrary() -- Import library
* GetProcAddress() -- Import library
* CreateToolhelp32Snapshot() -- List running processes
* GetDC() -- Screenshot
* BitBlt() -- Screenshot
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
* FindResource(), LoadResource(), LockResource() -- Access resources of the executable
2020-12-03 18:00:02 +00:00
## Malware Techniques
2021-09-07 00:15:14 +00:00
### DLL Injection
2021-09-07 00:15:14 +00:00
Execute an arbitrary DLL inside another process
1. Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary
Other functions to use: NTCreateThreadEx, RtlCreateUserThread
### Reflective DLL Injection
2021-09-07 00:15:14 +00:00
Load a malicious DLL without calling normal Windows API calls.\
2021-09-07 00:15:14 +00:00
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.
### Thread Hijacking
2021-09-07 00:15:14 +00:00
Find a thread from a process and make it load a malicious DLL
1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Open the thread: OpenThread
3. Suspend the thread: SuspendThread
4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
5. Resume the thread loading the library: ResumeThread
### PE Injection
2021-09-07 00:15:14 +00:00
Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.
### Process Hollowing
2021-09-07 00:15:14 +00:00
The malware will unmap the legitimate code from memory of the process and load a malicious binary
1. Create a new process: CreateProcess
2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
3. Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory
4. Set the entrypoint and execute: SetThreadContext, ResumeThread
## Hooking
2021-09-07 00:15:14 +00:00
2021-11-30 16:46:07 +00:00
* The **SSDT** (**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
2021-09-07 00:15:14 +00:00
* A rootkit may modify these pointer to addresses that he controls
* **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
* The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
2021-11-30 16:46:07 +00:00
* **EAT** (**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
2023-03-19 18:16:17 +00:00
* **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the beginning of this.
2022-04-28 16:01:33 +00:00
2024-03-14 23:01:13 +00:00
**Try Hard Security Group**
2024-03-26 14:56:40 +00:00
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
2024-03-14 23:01:13 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
2024-07-19 14:09:38 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
<details>
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
<summary>Support HackTricks</summary>
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2024-07-19 14:09:38 +00:00
{% endhint %}