mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-29 08:01:00 +00:00
161 lines
8 KiB
Markdown
161 lines
8 KiB
Markdown
|
# API Kwa Kawaida Hutumiwa katika Programu Hasidi
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
||
|
|
||
|
Njia nyingine za kusaidia HackTricks:
|
||
|
|
||
|
* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
||
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa kipekee wa [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||
|
|
||
|
</details>
|
||
|
|
||
|
**Kikundi cha Usalama cha Kujitahidi Kwa Bidii**
|
||
|
|
||
|
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||
|
|
||
|
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||
|
|
||
|
***
|
||
|
|
||
|
## Kawaida
|
||
|
|
||
|
### Uunganishaji
|
||
|
|
||
|
| Sockets za Moja kwa Moja | Sockets za WinAPI |
|
||
|
| ------------------------ | ------------------ |
|
||
|
| socket() | WSAStratup() |
|
||
|
| bind() | bind() |
|
||
|
| listen() | listen() |
|
||
|
| accept() | accept() |
|
||
|
| connect() | connect() |
|
||
|
| read()/recv() | recv() |
|
||
|
| write() | send() |
|
||
|
| shutdown() | WSACleanup() |
|
||
|
|
||
|
### Uthabiti
|
||
|
|
||
|
| Usajili | Faili | Huduma |
|
||
|
| ----------------- | -------------- | ---------------------------- |
|
||
|
| RegCreateKeyEx() | GetTempPath() | OpenSCManager |
|
||
|
| RegOpenKeyEx() | CopyFile() | CreateService() |
|
||
|
| RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
|
||
|
| RegDeleteKeyEx() | WriteFile() | |
|
||
|
| RegGetValue() | ReadFile() | |
|
||
|
|
||
|
### Ufichaji
|
||
|
|
||
|
| Jina |
|
||
|
| --------------------- |
|
||
|
| WinCrypt |
|
||
|
| CryptAcquireContext() |
|
||
|
| CryptGenKey() |
|
||
|
| CryptDeriveKey() |
|
||
|
| CryptDecrypt() |
|
||
|
| CryptReleaseContext() |
|
||
|
|
||
|
### Kupinga Uchambuzi/VM
|
||
|
|
||
|
| Jina la Kazi | Maagizo ya Mkusanyiko |
|
||
|
| --------------------------------------------------------- | --------------------- |
|
||
|
| IsDebuggerPresent() | CPUID() |
|
||
|
| GetSystemInfo() | IN() |
|
||
|
| GlobalMemoryStatusEx() | |
|
||
|
| GetVersion() | |
|
||
|
| CreateToolhelp32Snapshot \[Angalia ikiwa mchakato unakimbia] | |
|
||
|
| CreateFileW/A \[Angalia ikiwa faili ipo] | |
|
||
|
|
||
|
### Kujificha
|
||
|
|
||
|
| Jina | |
|
||
|
| ------------------------ | -------------------------------------------------------------------------- |
|
||
|
| VirtualAlloc | Alloc kumbukumbu (pakiti) |
|
||
|
| VirtualProtect | Badilisha ruhusa ya kumbukumbu (pakiti inayotoa ruhusa ya utekelezaji kwa sehemu) |
|
||
|
| ReadProcessMemory | Uingizaji kwenye michakato ya nje |
|
||
|
| WriteProcessMemoryA/W | Uingizaji kwenye michakato ya nje |
|
||
|
| NtWriteVirtualMemory | |
|
||
|
| CreateRemoteThread | Uingizaji wa DLL/Mchakato... |
|
||
|
| NtUnmapViewOfSection | |
|
||
|
| QueueUserAPC | |
|
||
|
| CreateProcessInternalA/W | |
|
||
|
|
||
|
### Utekelezaji
|
||
|
|
||
|
| Jina la Kazi |
|
||
|
| --------------- |
|
||
|
| CreateProcessA/W |
|
||
|
| ShellExecute |
|
||
|
| WinExec |
|
||
|
| ResumeThread |
|
||
|
| NtResumeThread |
|
||
|
|
||
|
### Mbalimbali
|
||
|
|
||
|
* GetAsyncKeyState() -- Udukuzi wa funguo
|
||
|
* SetWindowsHookEx -- Udukuzi wa funguo
|
||
|
* GetForeGroundWindow -- Pata jina la dirisha linaloendesha (au tovuti kutoka kwa kivinjari)
|
||
|
* LoadLibrary() -- Ingiza maktaba
|
||
|
* GetProcAddress() -- Ingiza maktaba
|
||
|
* CreateToolhelp32Snapshot() -- Orodhesha michakato inayoendesha
|
||
|
* GetDC() -- Piga skrini
|
||
|
* BitBlt() -- Piga skrini
|
||
|
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Fikia Mtandao
|
||
|
* FindResource(), LoadResource(), LockResource() -- Fikia rasilimali za kutekelezeka
|
||
|
|
||
|
## Mbinu za Programu Hasidi
|
||
|
|
||
|
### Uingizaji wa DLL
|
||
|
|
||
|
Tekeleza DLL isiyojulikana ndani ya mchakato mwingine
|
||
|
|
||
|
1. Tafuta mchakato wa kuingiza DLL hasidi: CreateToolhelp32Snapshot, Process32First, Process32Next
|
||
|
2. Fungua mchakato: GetModuleHandle, GetProcAddress, OpenProcess
|
||
|
3. Andika njia ya DLL ndani ya mchakato: VirtualAllocEx, WriteProcessMemory
|
||
|
4. Unda mnyororo katika mchakato ambao utapakia DLL hasidi: CreateRemoteThread, LoadLibrary
|
||
|
|
||
|
Vipengele vingine vya kutumia: NTCreateThreadEx, RtlCreateUserThread
|
||
|
|
||
|
### Uingizaji wa DLL wa Kielekezi
|
||
|
|
||
|
Pakia DLL hasidi bila kuita simu za kawaida za API za Windows.\
|
||
|
DLL inaorodheshwa ndani ya mchakato, itatatua anwani za uingizaji, kurekebisha mahali na kuita kazi ya DllMain.
|
||
|
|
||
|
### Utekapishaji wa Mnyororo
|
||
|
|
||
|
Pata mnyororo kutoka kwa mchakato na ufanye upakie DLL hasidi
|
||
|
|
||
|
1. Pata mnyororo wa lengo: CreateToolhelp32Snapshot, Thread32First, Thread32Next
|
||
|
2. Fungua mnyororo: OpenThread
|
||
|
3. Sitishe mnyororo: SuspendThread
|
||
|
4. Andika njia ya DLL hasidi ndani ya mchakato wa mwathiriwa: VirtualAllocEx, WriteProcessMemory
|
||
|
5. Rudisha mnyororo wa kuanzisha maktaba: ResumeThread
|
||
|
|
||
|
### Uingizaji wa PE
|
||
|
|
||
|
Uingizaji wa Utekelezaji wa Portable: Programu itaandikwa kwenye kumbukumbu ya mchakato wa mwathiriwa na itatekelezwa kutoka hapo.
|
||
|
|
||
|
### Ufyonzaji wa Mchakato
|
||
|
|
||
|
Programu hasidi itafuta msimbo halali kutoka kumbukumbu ya mchakato na kupakia faili hasidi
|
||
|
|
||
|
1. Unda mchakato mpya: CreateProcess
|
||
|
2. Futa kumbukumbu: ZwUnmapViewOfSection, NtUnmapViewOfSection
|
||
|
3. Andika faili hasidi kwenye kumbukumbu ya mchakato: VirtualAllocEc, WriteProcessMemory
|
||
|
4. Weka kuingia na tekeleza: SetThreadContext, ResumeThread
|
||
|
|
||
|
## Kufunga
|
||
|
|
||
|
* **SSDT** (**System Service Descriptor Table**) inaelekeza kwa kazi za msingi za kernel (ntoskrnl.exe) au dereva wa GUI (win32k.sys) ili michakato ya mtumiaji iweze kuita kazi hizi.
|
||
|
* Rootkit inaweza kurekebisha alama hizi kwa anwani anazodhibiti
|
||
|
* **IRP** (**I/O Request Packets**) hupitisha vipande vya data kutoka kwa sehemu moja hadi nyingine. Karibu kila kitu katika kernel hutumia IRPs na kila kifaa kina kichupo chake cha kazi ambacho kinaweza kufungwa: DKOM (Udukuzi wa Moja kwa Moja wa Vitu vya Kernel)
|
||
|
* **IAT** (**Import Address Table**) ni muhimu kwa kutatua mahitaji. Inawezekana kufunga kichupo hiki ili kuteka kificho kitakachoitwa.
|
||
|
* **EAT** (**Export Address Table**) Kufunga. Kufunga hii inaweza kufanywa kutoka kwa **userland**. Lengo ni kufunga kazi zilizoagizwa na DLLs.
|
||
|
* **Kufunga ya Ndani**: Aina hii ni ngumu kufikia. Hii inahusisha kurekebisha msimbo wa kazi yenyewe. Labda kwa kuweka kuruka mwanzoni mwa hii.
|
||
|
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
||
|
|
||
|
</details>
|