8.8 KiB
Common API used in Malware
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
Generic
Networking
Raw Sockets | WinAPI Sockets |
---|---|
socket() | WSAStratup() |
bind() | bind() |
listen() | listen() |
accept() | accept() |
connect() | connect() |
read()/recv() | recv() |
write() | send() |
shutdown() | WSACleanup() |
Persistence
Registry | File | Service |
---|---|---|
RegCreateKeyEx() | GetTempPath() | OpenSCManager |
RegOpenKeyEx() | CopyFile() | CreateService() |
RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
RegDeleteKeyEx() | WriteFile() | |
RegGetValue() | ReadFile() |
Encryption
Name |
---|
WinCrypt |
CryptAcquireContext() |
CryptGenKey() |
CryptDeriveKey() |
CryptDecrypt() |
CryptReleaseContext() |
Anti-Analysis/VM
Function Name | Assembly Instructions |
---|---|
IsDebuggerPresent() | CPUID() |
GetSystemInfo() | IN() |
GlobalMemoryStatusEx() | |
GetVersion() | |
CreateToolhelp32Snapshot [Check if a process is running] | |
CreateFileW/A [Check if a file exist] |
Stealth
Name | |
---|---|
VirtualAlloc | Alloc memory (packers) |
VirtualProtect | Change memory permission (packer giving execution permission to a section) |
ReadProcessMemory | Injection into external processes |
WriteProcessMemoryA/W | Injection into external processes |
NtWriteVirtualMemory | |
CreateRemoteThread | DLL/Process injection... |
NtUnmapViewOfSection | |
QueueUserAPC | |
CreateProcessInternalA/W |
Execution
Function Name |
---|
CreateProcessA/W |
ShellExecute |
WinExec |
ResumeThread |
NtResumeThread |
Miscellaneous
- GetAsyncKeyState() -- Key logging
- SetWindowsHookEx -- Key logging
- GetForeGroundWindow -- Get running window name (or the website from a browser)
- LoadLibrary() -- Import library
- GetProcAddress() -- Import library
- CreateToolhelp32Snapshot() -- List running processes
- GetDC() -- Screenshot
- BitBlt() -- Screenshot
- InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
- FindResource(), LoadResource(), LockResource() -- Access resources of the executable
Malware Techniques
DLL Injection
Execute an arbitrary DLL inside another process
- Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next
- Open the process: GetModuleHandle, GetProcAddress, OpenProcess
- Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
- Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary
Other functions to use: NTCreateThreadEx, RtlCreateUserThread
Reflective DLL Injection
Load a malicious DLL without calling normal Windows API calls.
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.
Thread Hijacking
Find a thread from a process and make it load a malicious DLL
- Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
- Open the thread: OpenThread
- Suspend the thread: SuspendThread
- Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
- Resume the thread loading the library: ResumeThread
PE Injection
Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.
Process Hollowing
The malware will unmap the legitimate code from memory of the process and load a malicious binary
- Create a new process: CreateProcess
- Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
- Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory
- Set the entrypoint and execute: SetThreadContext, ResumeThread
Hooking
- The SSDT (System Service Descriptor Table) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
- A rootkit may modify these pointer to addresses that he controls
- IRP (I/O Request Packets) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
- The IAT (Import Address Table) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
- EAT (Export Address Table) Hooks. This hooks can be done from userland. The goal is to hook exported functions by DLLs.
- Inline Hooks: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the beginning of this.
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.