hacktricks/reversing/common-api-used-in-malware.md

# Common API used in Malware

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Genérico

### Rede

| Sockets Brutos   | Sockets WinAPI |
| ------------- | -------------- |
| socket()      | WSAStratup()   |
| bind()        | bind()         |
| listen()      | listen()       |
| accept()      | accept()       |
| connect()     | connect()      |
| read()/recv() | recv()         |
| write()       | send()         |
| shutdown()    | WSACleanup()   |

### Persistência

| Registro         | Arquivo          | Serviço                      |
| ---------------- | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager                |
| RegOpenKeyEx()   | CopyFile()    | CreateService()              |
| RegSetValueEx()  | CreateFile()  | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile()   |                              |
| RegGetValue()    | ReadFile()    |                              |

### Criptografia

| Nome                  |
| --------------------- |
| WinCrypt              |
| CryptAcquireContext() |
| CryptGenKey()         |
| CryptDeriveKey()      |
| CryptDecrypt()        |
| CryptReleaseContext() |

### Anti-Análise/VM

| Nome da Função                                             | Instruções de Assembly |
| --------------------------------------------------------- | --------------------- |
| IsDebuggerPresent()                                       | CPUID()               |
| GetSystemInfo()                                           | IN()                  |
| GlobalMemoryStatusEx()                                    |                       |
| GetVersion()                                              |                       |
| CreateToolhelp32Snapshot \[Verificar se um processo está em execução] |                       |
| CreateFileW/A \[Verificar se um arquivo existe]                    |                       |

### Stealth

| Nome                     |                                                                            |
| ------------------------ | -------------------------------------------------------------------------- |
| VirtualAlloc             | Alocar memória (packers)                                                  |
| VirtualProtect           | Alterar permissão de memória (packer dando permissão de execução a uma seção) |
| ReadProcessMemory        | Injeção em processos externos                                             |
| WriteProcessMemoryA/W    | Injeção em processos externos                                             |
| NtWriteVirtualMemory     |                                                                            |
| CreateRemoteThread       | Injeção de DLL/Processo...                                               |
| NtUnmapViewOfSection     |                                                                            |
| QueueUserAPC             |                                                                            |
| CreateProcessInternalA/W |                                                                            |

### Execução

| Nome da Função    |
| ---------------- |
| CreateProcessA/W |
| ShellExecute     |
| WinExec          |
| ResumeThread     |
| NtResumeThread   |

### Diversos

* GetAsyncKeyState() -- Registro de teclas
* SetWindowsHookEx -- Registro de teclas
* GetForeGroundWindow -- Obter nome da janela em execução (ou o site de um navegador)
* LoadLibrary() -- Importar biblioteca
* GetProcAddress() -- Importar biblioteca
* CreateToolhelp32Snapshot() -- Listar processos em execução
* GetDC() -- Captura de tela
* BitBlt() -- Captura de tela
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Acessar a Internet
* FindResource(), LoadResource(), LockResource() -- Acessar recursos do executável

## Técnicas de Malware

### Injeção de DLL

Executar uma DLL arbitrária dentro de outro processo

1. Localizar o processo para injetar a DLL maliciosa: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Abrir o processo: GetModuleHandle, GetProcAddress, OpenProcess
3. Escrever o caminho para a DLL dentro do processo: VirtualAllocEx, WriteProcessMemory
4. Criar uma thread no processo que carregará a DLL maliciosa: CreateRemoteThread, LoadLibrary

Outras funções a serem usadas: NTCreateThreadEx, RtlCreateUserThread

### Injeção de DLL Reflexiva

Carregar uma DLL maliciosa sem chamar as chamadas normais da API do Windows.\
A DLL é mapeada dentro de um processo, resolverá os endereços de importação, corrigirá as realocações e chamará a função DllMain.

### Sequestro de Thread

Encontrar uma thread de um processo e fazer com que ela carregue uma DLL maliciosa

1. Encontrar uma thread alvo: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Abrir a thread: OpenThread
3. Suspender a thread: SuspendThread
4. Escrever o caminho para a DLL maliciosa dentro do processo da vítima: VirtualAllocEx, WriteProcessMemory
5. Retomar a thread carregando a biblioteca: ResumeThread

### Injeção PE

Injeção de Execução Portátil: O executável será escrito na memória do processo da vítima e será executado a partir daí.

### Hollowing de Processo

O malware irá desmapear o código legítimo da memória do processo e carregar um binário malicioso

1. Criar um novo processo: CreateProcess
2. Desmapear a memória: ZwUnmapViewOfSection, NtUnmapViewOfSection
3. Escrever o binário malicioso na memória do processo: VirtualAllocEc, WriteProcessMemory
4. Definir o ponto de entrada e executar: SetThreadContext, ResumeThread

## Hooking

* A **SSDT** (**Tabela de Descritores de Serviço do Sistema**) aponta para funções do kernel (ntoskrnl.exe) ou driver GUI (win32k.sys) para que processos de usuário possam chamar essas funções.
* Um rootkit pode modificar esses ponteiros para endereços que ele controla
* **IRP** (**Pacotes de Solicitação de I/O**) transmitem pedaços de dados de um componente para outro. Quase tudo no kernel usa IRPs e cada objeto de dispositivo tem sua própria tabela de funções que pode ser hookada: DKOM (Manipulação Direta de Objetos do Kernel)
* A **IAT** (**Tabela de Endereços de Importação**) é útil para resolver dependências. É possível hookar esta tabela para sequestrar o código que será chamado.
* **EAT** (**Tabela de Endereços de Exportação**) Hooks. Esses hooks podem ser feitos a partir do **userland**. O objetivo é hookar funções exportadas por DLLs.
* **Inline Hooks**: Este tipo é difícil de alcançar. Isso envolve modificar o código das próprias funções. Talvez colocando um salto no início delas.

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`# Common API used in Malware`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% hint style="success" %}`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<details>`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<summary>Support HackTricks</summary>`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% endhint %}`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`## Genérico`
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Rede`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`\| Sockets Brutos \| Sockets WinAPI \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| ------------- \| -------------- \|`
			`\| socket() \| WSAStratup() \|`
			`\| bind() \| bind() \|`
			`\| listen() \| listen() \|`
			`\| accept() \| accept() \|`
			`\| connect() \| connect() \|`
			`\| read()/recv() \| recv() \|`
			`\| write() \| send() \|`
			`\| shutdown() \| WSACleanup() \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Persistência`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`\| Registro \| Arquivo \| Serviço \|`
Translated ['physical-attacks/escaping-from-gui-applications/README.md', 2024-01-09 15:03:37 +00:00			`\| ---------------- \| ------------- \| ---------------------------- \|`
			`\| RegCreateKeyEx() \| GetTempPath() \| OpenSCManager \|`
			`\| RegOpenKeyEx() \| CopyFile() \| CreateService() \|`
			`\| RegSetValueEx() \| CreateFile() \| StartServiceCtrlDispatcher() \|`
			`\| RegDeleteKeyEx() \| WriteFile() \| \|`
			`\| RegGetValue() \| ReadFile() \| \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Criptografia`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R 2024-02-09 02:10:17 +00:00			`\| Nome \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| --------------------- \|`
			`\| WinCrypt \|`
			`\| CryptAcquireContext() \|`
			`\| CryptGenKey() \|`
			`\| CryptDeriveKey() \|`
			`\| CryptDecrypt() \|`
			`\| CryptReleaseContext() \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Anti-Análise/VM`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`\| Nome da Função \| Instruções de Assembly \|`
			`\| --------------------------------------------------------- \| --------------------- \|`
			`\| IsDebuggerPresent() \| CPUID() \|`
			`\| GetSystemInfo() \| IN() \|`
			`\| GlobalMemoryStatusEx() \| \|`
			`\| GetVersion() \| \|`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00			`\| CreateToolhelp32Snapshot \[Verificar se um processo está em execução] \| \|`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`\| CreateFileW/A \[Verificar se um arquivo existe] \| \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`### Stealth`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`\| Nome \| \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| ------------------------ \| -------------------------------------------------------------------------- \|`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`\| VirtualAlloc \| Alocar memória (packers) \|`
			`\| VirtualProtect \| Alterar permissão de memória (packer dando permissão de execução a uma seção) \|`
			`\| ReadProcessMemory \| Injeção em processos externos \|`
			`\| WriteProcessMemoryA/W \| Injeção em processos externos \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| NtWriteVirtualMemory \| \|`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:44:24 +00:00			`\| CreateRemoteThread \| Injeção de DLL/Processo... \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| NtUnmapViewOfSection \| \|`
			`\| QueueUserAPC \| \|`
			`\| CreateProcessInternalA/W \| \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Execução`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`\| Nome da Função \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| ---------------- \|`
GitBook: [master] 411 pages modified 2020-12-09 00:31:50 +00:00			`\| CreateProcessA/W \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| ShellExecute \|`
			`\| WinExec \|`
			`\| ResumeThread \|`
			`\| NtResumeThread \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Diversos`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* GetAsyncKeyState() -- Registro de teclas`
			`* SetWindowsHookEx -- Registro de teclas`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00			`* GetForeGroundWindow -- Obter nome da janela em execução (ou o site de um navegador)`
Translated to Portuguese 2023-06-06 18:56:34 +00:00			`* LoadLibrary() -- Importar biblioteca`
			`* GetProcAddress() -- Importar biblioteca`
			`* CreateToolhelp32Snapshot() -- Listar processos em execução`
			`* GetDC() -- Captura de tela`
			`* BitBlt() -- Captura de tela`
Translated ['generic-methodologies-and-resources/exfiltration.md', 'gene 2023-09-03 01:19:04 +00:00			`* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Acessar a Internet`
			`* FindResource(), LoadResource(), LockResource() -- Acessar recursos do executável`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`## Técnicas de Malware`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Injeção de DLL`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`Executar uma DLL arbitrária dentro de outro processo`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`1. Localizar o processo para injetar a DLL maliciosa: CreateToolhelp32Snapshot, Process32First, Process32Next`
			`2. Abrir o processo: GetModuleHandle, GetProcAddress, OpenProcess`
			`3. Escrever o caminho para a DLL dentro do processo: VirtualAllocEx, WriteProcessMemory`
			`4. Criar uma thread no processo que carregará a DLL maliciosa: CreateRemoteThread, LoadLibrary`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['forensics/basic-forensic-methodology/memory-dump-analysis/R 2024-02-09 02:10:17 +00:00			`Outras funções a serem usadas: NTCreateThreadEx, RtlCreateUserThread`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Injeção de DLL Reflexiva`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`Carregar uma DLL maliciosa sem chamar as chamadas normais da API do Windows.\`
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`A DLL é mapeada dentro de um processo, resolverá os endereços de importação, corrigirá as realocações e chamará a função DllMain.`
Translated ['physical-attacks/escaping-from-gui-applications/README.md', 2024-01-09 15:03:37 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`### Sequestro de Thread`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`Encontrar uma thread de um processo e fazer com que ela carregue uma DLL maliciosa`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`1. Encontrar uma thread alvo: CreateToolhelp32Snapshot, Thread32First, Thread32Next`
			`2. Abrir a thread: OpenThread`
			`3. Suspender a thread: SuspendThread`
			`4. Escrever o caminho para a DLL maliciosa dentro do processo da vítima: VirtualAllocEx, WriteProcessMemory`
			`5. Retomar a thread carregando a biblioteca: ResumeThread`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`### Injeção PE`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`Injeção de Execução Portátil: O executável será escrito na memória do processo da vítima e será executado a partir daí.`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`### Hollowing de Processo`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`O malware irá desmapear o código legítimo da memória do processo e carregar um binário malicioso`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`1. Criar um novo processo: CreateProcess`
			`2. Desmapear a memória: ZwUnmapViewOfSection, NtUnmapViewOfSection`
			`3. Escrever o binário malicioso na memória do processo: VirtualAllocEc, WriteProcessMemory`
			`4. Definir o ponto de entrada e executar: SetThreadContext, ResumeThread`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['README.md', 'forensics/basic-forensic-methodology/partition 2024-03-09 13:15:58 +00:00			`## Hooking`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:44:24 +00:00			`* A SSDT (Tabela de Descritores de Serviço do Sistema) aponta para funções do kernel (ntoskrnl.exe) ou driver GUI (win32k.sys) para que processos de usuário possam chamar essas funções.`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`* Um rootkit pode modificar esses ponteiros para endereços que ele controla`
			`* IRP (Pacotes de Solicitação de I/O) transmitem pedaços de dados de um componente para outro. Quase tudo no kernel usa IRPs e cada objeto de dispositivo tem sua própria tabela de funções que pode ser hookada: DKOM (Manipulação Direta de Objetos do Kernel)`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`* A IAT (Tabela de Endereços de Importação) é útil para resolver dependências. É possível hookar esta tabela para sequestrar o código que será chamado.`
			`* EAT (Tabela de Endereços de Exportação) Hooks. Esses hooks podem ser feitos a partir do userland. O objetivo é hookar funções exportadas por DLLs.`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`* Inline Hooks: Este tipo é difícil de alcançar. Isso envolve modificar o código das próprias funções. Talvez colocando um salto no início delas.`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:44:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% hint style="success" %}`
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:44:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<details>`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:44:24 +00:00
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`<summary>Support HackTricks</summary>`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:44:24 +00:00
Translated ['README.md', 'crypto-and-stego/hash-length-extension-attack. 2024-09-04 13:31:41 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Translated ['forensics/basic-forensic-methodology/partitions-file-system 2024-03-26 15:44:24 +00:00
			`</details>`
Translated ['pentesting-web/browser-extension-pentesting-methodology/REA 2024-07-19 16:04:21 +00:00			`{% endhint %}`