# Commonly Used APIs in Malware

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

**Try Hard Security Group**

<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>

{% embed url="https://discord.gg/tryhardsecurity" %}

***

## Generic

### Networking

| Raw Sockets   | WinAPI Sockets |
| ------------- | -------------- |
| socket()      | WSAStartup()   |
| bind()        | bind()         |
| listen()      | listen()       |
| accept()      | accept()       |
| connect()     | connect()      |
| read()/recv() | recv()         |
| write()       | send()         |
| shutdown()    | WSACleanup()   |

### Persistence

| Registry         | File          | Service                      |
| ---------------- | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager()              |
| RegOpenKeyEx()   | CopyFile()    | CreateService()              |
| RegSetValueEx()  | CreateFile()  | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile()   |                              |
| RegGetValue()    | ReadFile()    |                              |

### Encryption

| Name                  |
| --------------------- |
| WinCrypt              |
| CryptAcquireContext() |
| CryptGenKey()         |
| CryptDeriveKey()      |
| CryptDecrypt()        |
| CryptReleaseContext() |

### Anti-Analysis/VM

| Function name                                         | Assembly instructions |
| ----------------------------------------------------- | --------------------- |
| IsDebuggerPresent()                                   | CPUID()               |
| GetSystemInfo()                                       | IN()                  |
| GlobalMemoryStatusEx()                                |                       |
| GetVersion()                                          |                       |
| CreateToolhelp32Snapshot \[Check if a process is running] |                   |
| CreateFileW/A \[Check if a file exists]               |                       |

### Stealth

| Name                     | Purpose                                                                     |
| ------------------------ | --------------------------------------------------------------------------- |
| VirtualAlloc             | Allocate memory (packers)                                                   |
| VirtualProtect           | Change memory permissions (a packer giving execution permission to a section) |
| ReadProcessMemory        | Injection into external processes                                           |
| WriteProcessMemoryA/W    | Injection into external processes                                           |
| NtWriteVirtualMemory     |                                                                             |
| CreateRemoteThread       | DLL/Process injection...                                                    |
| NtUnmapViewOfSection     |                                                                             |
| QueueUserAPC             |                                                                             |
| CreateProcessInternalA/W |                                                                             |

### Execution

| Function name    |
| ---------------- |
| CreateProcessA/W |
| ShellExecute     |
| WinExec          |
| ResumeThread     |
| NtResumeThread   |

### Miscellaneous

* GetAsyncKeyState() -- Keylogging
* SetWindowsHookEx -- Keylogging
* GetForeGroundWindow -- Get the name of the running window (or the website from a browser)
* LoadLibrary() -- Import library
* GetProcAddress() -- Import library
* CreateToolhelp32Snapshot() -- List running processes
* GetDC() -- Screenshot
* BitBlt() -- Screenshot
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
* FindResource(), LoadResource(), LockResource() -- Access resources of the executable

## Malware Techniques

### DLL Injection

Execute an arbitrary DLL inside another process

1. Find the process to inject the malicious DLL into: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
3. Write the DLL path inside the process: VirtualAllocEx, WriteProcessMemory
4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary

Other functions to use: NtCreateThreadEx, RtlCreateUserThread

### Reflective DLL Injection

Load a malicious DLL without calling the normal Windows API calls.\
The DLL is mapped inside a process; it will resolve the import addresses, fix the relocations and call the DllMain function.

### Thread Hijacking

Find a thread of a process and make it load a malicious DLL

1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Open the thread: OpenThread
3. Suspend the thread: SuspendThread
4. Write the path of the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
5. Resume the thread so it loads the library: ResumeThread

### PE Injection

Portable Executable Injection: the executable is written into the memory of the victim process and executed from there.

### Process Hollowing

The malware unmaps the legitimate code from the memory of the process and loads a malicious binary

1. Create a new process: CreateProcess
2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
3. Write the malicious binary into the process memory: VirtualAllocEx, WriteProcessMemory
4. Set the entry point and execute: SetThreadContext, ResumeThread
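The injection chains above (open the target, VirtualAllocEx/WriteProcessMemory, then CreateRemoteThread or ResumeThread) leave a telemetry pattern a defender can correlate. The following is an added example, not code from the original page: a Python detector run over constructed Sysmon-style ProcessAccess (event 10) and CreateRemoteThread (event 8) lines, assuming a simplified key=value log format and a 30-second correlation window.

```python
import re

# Process access rights from winnt.h that a remote injector must obtain on the
# target (OpenProcess) before VirtualAllocEx / WriteProcessMemory can succeed.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
WINDOW = 30  # assumed: max seconds between handle open and remote thread start

# Constructed sample telemetry (not real logs): simplified key=value rendering of
# Sysmon event 10 (ProcessAccess) and event 8 (CreateRemoteThread).
SAMPLE_LOG = """\
t=100 EventID=10 SourceImage=C:\\Users\\u\\evil.exe SourceProcessId=4242 TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1337 GrantedAccess=0x1F0FFF
t=101 EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe SourceProcessId=900 TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1337 GrantedAccess=0x1000
t=103 EventID=8 SourceImage=C:\\Users\\u\\evil.exe SourceProcessId=4242 TargetImage=C:\\Windows\\explorer.exe TargetProcessId=1337 StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryA
t=104 EventID=10 SourceImage=C:\\Users\\u\\dbg.exe SourceProcessId=555 TargetImage=C:\\Windows\\notepad.exe TargetProcessId=2001 GrantedAccess=0x0028
t=200 EventID=8 SourceImage=C:\\Users\\u\\dbg.exe SourceProcessId=555 TargetImage=C:\\Windows\\notepad.exe TargetProcessId=2001 StartModule= StartFunction=
"""


def parse(line):
    """Split one 'key=value ...' line into a dict (values here contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def detect_injection(log, window=WINDOW):
    """Flag a CreateRemoteThread that follows a write-capable ProcessAccess from
    the same source into the same target within `window` seconds."""
    opened = {}  # (src_pid, tgt_pid) -> time of last write-capable handle open
    alerts = []
    for raw in log.splitlines():
        ev = parse(raw)
        if not ev:
            continue
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        t = int(ev["t"])
        if ev["EventID"] == "10":
            if int(ev["GrantedAccess"], 16) & INJECT_MASK == INJECT_MASK:
                opened[key] = t
        elif ev["EventID"] == "8":
            t_open = opened.get(key)
            if t_open is None or t - t_open > window:
                continue  # no recent write-capable handle: treat as unrelated
            # A remote thread entering kernel32!LoadLibrary* is the classic DLL
            # injection chain; any other start address suggests PE/shellcode injection.
            technique = ("dll_injection" if ev["StartFunction"].startswith("LoadLibrary")
                         else "code_injection")
            alerts.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                           "technique": technique, "delta": t - t_open})
    return alerts
```

With the default window only the evil.exe chain into explorer.exe is flagged; widening the window also surfaces the dbg.exe thread started without a LoadLibrary entry point.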

## Hooking

* The **SSDT** (**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or the GUI driver (win32k.sys) so that user processes can call these functions.
* A rootkit may modify these pointers to addresses that it controls.
* **IRPs** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs, and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
* The **IAT** (**Import Address Table**) is used to resolve dependencies. It is possible to hook this table in order to hijack the code that will be called.
* **EAT** (**Export Address Table**) hooks. These hooks can be done from **userland**. The goal is to hook the functions exported by DLLs.
* **Inline hooks**: This type is harder to achieve. It involves modifying the code of the function itself, for example by placing a jump at its beginning.