HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
# Generic ## Networking | Raw Sockets | WinAPI Sockets | | ------------- | -------------- | | socket() | WSAStratup() | | bind() | bind() | | listen() | listen() | | accept() | accept() | | connect() | connect() | | read()/recv() | recv() | | write() | send() | | shutdown() | WSACleanup() | ## Persistence | Registry | File | Service | | ---------------- | ------------- | ---------------------------- | | RegCreateKeyEx() | GetTempPath() | OpenSCManager | | RegOpenKeyEx() | CopyFile() | CreateService() | | RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() | | RegDeleteKeyEx() | WriteFile() | | | RegGetValue() | ReadFile() | | ## Encryption | Name | | --------------------- | | WinCrypt | | CryptAcquireContext() | | CryptGenKey() | | CryptDeriveKey() | | CryptDecrypt() | | CryptReleaseContext() | ## Anti-Analysis/VM | Function Name | Assembly Instructions | | --------------------------------------------------------- | --------------------- | | IsDebuggerPresent() | CPUID() | | GetSystemInfo() | IN() | | GlobalMemoryStatusEx() | | | GetVersion() | | | CreateToolhelp32Snapshot \[Check if a process is running] | | | CreateFileW/A \[Check if a file exist] | | ## Stealth | Name | | | ------------------------ | -------------------------------------------------------------------------- | | VirtualAlloc | Alloc memory (packers) | | VirtualProtect | Change memory permission (packer giving execution permission to a section) | | ReadProcessMemory | Injection into external processes | | WriteProcessMemoryA/W | Injection into external processes | | NtWriteVirtualMemory | | | CreateRemoteThread | DLL/Process injection... | | NtUnmapViewOfSection | | | QueueUserAPC | | | CreateProcessInternalA/W | | ## Execution | Function Name | | ---------------- | | CreateProcessA/W | | ShellExecute | | WinExec | | ResumeThread | | NtResumeThread | ## Miscellaneous * GetAsyncKeyState() -- Key logging * SetWindowsHookEx -- Key logging * GetForeGroundWindow -- Get running window name (or the website from a browser) * LoadLibrary() -- Import library * GetProcAddress() -- Import library * CreateToolhelp32Snapshot() -- List running processes * GetDC() -- Screenshot * BitBlt() -- Screenshot * InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet * FindResource(), LoadResource(), LockResource() -- Access resources of the executable # Malware Techniques ## DLL Injection Execute an arbitrary DLL inside another process 1. Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next 2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess 3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory 4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary Other functions to use: NTCreateThreadEx, RtlCreateUserThread ## Reflective DLL Injection Load a malicious DLL without calling normal Windows API calls.\ The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function. ## Thread Hijacking Find a thread from a process and make it load a malicious DLL 1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next 2. Open the thread: OpenThread 3. Suspend the thread: SuspendThread 4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory 5. Resume the thread loading the library: ResumeThread ## PE Injection Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there. ## Process Hollowing The malware will unmap the legitimate code from memory of the process and load a malicious binary 1. Create a new process: CreateProcess 2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection 3. Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory 4. Set the entrypoint and execute: SetThreadContext, ResumeThread # Hooking * The **SSDT** (**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions. * A rootkit may modify these pointer to addresses that he controls * **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation) * The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called. * **EAT** (**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs. * **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the beginning of this.
HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch Wed - 18.30(UTC) 🎙️ - 🎥 Youtube 🎥 - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.