hacktricks/reversing/common-api-used-in-malware.md

164 lines
8.7 KiB
Markdown
Raw Normal View History

# API za Kawaida Zinazotumiwa katika Programu hasidi
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-02-11 02:13:58 +00:00
Njia nyingine za kusaidia HackTricks:
2022-04-28 16:01:33 +00:00
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
2022-04-28 16:01:33 +00:00
</details>
## Kijumla
2022-05-01 16:32:23 +00:00
### Mtandao
2020-12-03 18:00:02 +00:00
| Sockets za Moja kwa Moja | Sockets za WinAPI |
| ------------------------ | ------------------ |
| socket() | WSAStratup() |
| bind() | bind() |
| listen() | listen() |
| accept() | accept() |
| connect() | connect() |
| read()/recv() | recv() |
| write() | send() |
| shutdown() | WSACleanup() |
2020-12-03 18:00:02 +00:00
### Uthabiti
2020-12-03 18:00:02 +00:00
| Usajili | Faili | Huduma |
| ------------------ | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager |
| RegOpenKeyEx() | CopyFile() | CreateService() |
| RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile() | |
| RegGetValue() | ReadFile() | |
2020-12-03 18:00:02 +00:00
### Ufichaji
2020-12-03 18:00:02 +00:00
2024-02-11 02:13:58 +00:00
| Jina |
| --------------------- |
| WinCrypt |
| CryptAcquireContext() |
| CryptGenKey() |
| CryptDeriveKey() |
| CryptDecrypt() |
| CryptReleaseContext() |
2020-12-03 18:00:02 +00:00
### Kuzuia Uchambuzi/VM
2020-12-03 18:00:02 +00:00
| Jina la Kazi | Maelekezo ya Utoaji wa Kusanyiko |
| -------------------------------------------------------- | --------------------------------- |
| IsDebuggerPresent() | CPUID() |
| GetSystemInfo() | IN() |
| GlobalMemoryStatusEx() | |
| GetVersion() | |
| CreateToolhelp32Snapshot \[Angalia ikiwa mchakato unafanya kazi] | |
| CreateFileW/A \[Angalia ikiwa faili ipo] | |
2020-12-03 18:00:02 +00:00
### Ufichaji
2020-12-03 18:00:02 +00:00
2024-02-11 02:13:58 +00:00
| Jina | |
| ------------------------ | -------------------------------------------------------------------------- |
| VirtualAlloc | Alokisha kumbukumbu (pakiti) |
2024-02-11 02:13:58 +00:00
| VirtualProtect | Badilisha ruhusa ya kumbukumbu (pakiti inayotoa ruhusa ya utekelezaji kwa sehemu) |
| ReadProcessMemory | Uingizaji katika michakato ya nje |
| WriteProcessMemoryA/W | Uingizaji katika michakato ya nje |
| NtWriteVirtualMemory | |
| CreateRemoteThread | Uingizaji wa DLL/Mchakato... |
| NtUnmapViewOfSection | |
| QueueUserAPC | |
| CreateProcessInternalA/W | |
2020-12-03 18:00:02 +00:00
### Utekelezaji
2020-12-03 18:00:02 +00:00
2024-02-11 02:13:58 +00:00
| Jina la Kazi |
| --------------- |
2020-12-09 00:31:50 +00:00
| CreateProcessA/W |
| ShellExecute |
| WinExec |
| ResumeThread |
| NtResumeThread |
2020-12-03 18:00:02 +00:00
### Mbalimbali
2021-09-07 00:15:14 +00:00
2024-02-11 02:13:58 +00:00
* GetAsyncKeyState() -- Kurekodi funguo
* SetWindowsHookEx -- Kurekodi funguo
* GetForeGroundWindow -- Pata jina la dirisha linaloendesha (au tovuti kutoka kwa kivinjari)
2024-02-11 02:13:58 +00:00
* LoadLibrary() -- Ingiza maktaba
* GetProcAddress() -- Ingiza maktaba
* CreateToolhelp32Snapshot() -- Orodhesha michakato inayoendesha
* GetDC() -- Piga skrini
* BitBlt() -- Piga skrini
2024-02-11 02:13:58 +00:00
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Fikia Mtandao
* FindResource(), LoadResource(), LockResource() -- Fikia rasilimali za kutekelezeka
2021-09-07 00:15:14 +00:00
## Mbinu za Programu hasidi
2021-09-07 00:15:14 +00:00
### Uingizaji wa DLL
2021-09-07 00:15:14 +00:00
2024-02-11 02:13:58 +00:00
Tekeleza DLL isiyojulikana ndani ya mchakato mwingine
2021-09-07 00:15:14 +00:00
1. Tafuta mchakato wa kuingiza DLL hasidi: CreateToolhelp32Snapshot, Process32First, Process32Next
2024-02-11 02:13:58 +00:00
2. Fungua mchakato: GetModuleHandle, GetProcAddress, OpenProcess
3. Andika njia ya DLL ndani ya mchakato: VirtualAllocEx, WriteProcessMemory
4. Unda mnyororo katika mchakato ambao utapakia DLL hasidi: CreateRemoteThread, LoadLibrary
2021-09-07 00:15:14 +00:00
2024-02-11 02:13:58 +00:00
Vipengele vingine vya kutumia: NTCreateThreadEx, RtlCreateUserThread
2021-09-07 00:15:14 +00:00
### Uingizaji wa DLL wa Kielekezi
Pakia DLL hasidi bila kuita simu za kawaida za API za Windows.\
DLL inaorodheshwa ndani ya mchakato, itatatua anwani za uingizaji, kurekebisha mahali na kuita kazi ya DllMain.
### Utekapishaji wa Mnyororo
Pata mnyororo kutoka kwa mchakato na ufanye upakie DLL hasidi
1. Pata mnyororo wa lengo: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Fungua mnyororo: OpenThread
3. Sitishe mnyororo: SuspendThread
4. Andika njia ya DLL hasidi ndani ya mchakato wa mwathiriwa: VirtualAllocEx, WriteProcessMemory
5. Rejesha mnyororo unao pakia maktaba: ResumeThread
### Uingizaji wa PE
Uingizaji wa Utekelezaji wa Portable: Programu itaandikwa kwenye kumbukumbu ya mchakato wa mwathiriwa na itatekelezwa kutoka hapo.
2022-05-01 16:32:23 +00:00
### Ufyonzaji wa Mchakato
2022-05-01 16:32:23 +00:00
Programu hasidi itafuta kanuni halali kutoka kumbukumbu ya mchakato na kupakia faili hasidi
1. Unda mchakato mpya: CreateProcess
2. Futa kumbukumbu: ZwUnmapViewOfSection, NtUnmapViewOfSection
3. Andika faili hasidi kwenye kumbukumbu ya mchakato: VirtualAllocEc, WriteProcessMemory
4. Weka kuingia na tekeleza: SetThreadContext, ResumeThread
## Kufunga
* **SSDT** (**System Service Descriptor Table**) inaelekeza kwa kazi za msingi za kernel (ntoskrnl.exe) au dereva wa GUI (win32k.sys) ili michakato ya mtumiaji iweze kuita kazi hizi.
* Rootkit inaweza kubadilisha pointer hizi kuwa anwani anazodhibiti
* **IRP** (**I/O Request Packets**) hupitisha vipande vya data kutoka kwa sehemu moja hadi nyingine. Karibu kila kitu katika kernel hutumia IRPs na kila kifaa kina kichupo chake cha kazi ambacho kinaweza kufungwa: DKOM (Udanganyifu wa Moja kwa Moja wa Vitu vya Kernel)
* **IAT** (**Import Address Table**) ni muhimu kwa kutatua mahitaji. Inawezekana kufunga kichupo hiki ili kuteka kificho kitakachoitwa.
* **EAT** (**Export Address Table**) Kufunga. Kufunga hizi zinaweza kufanywa kutoka kwa **userland**. Lengo ni kufunga kazi zilizoagizwa na DLLs.
* **Inline Hooks**: Aina hii ni ngumu kufikia. Hii inahusisha kubadilisha kificho cha kazi yenyewe. Labda kwa kuweka kuruka mwanzoni mwa hii.
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>