Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-15 01:17:36 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/reversing/common-api-used-in-malware.md
CPol 890a467590
GitBook: [master] one page modified
2021-09-07 00:15:14 +00:00

136 lines
4.8 KiB
Markdown
Raw Blame History

# Common API used in Malware
## Generic
### Networking
| Raw Sockets | WinAPI Sockets |
| :--- | :--- |
| socket\(\) | WSAStratup\(\) |
| bind\(\) | bind\(\) |
| listen\(\) | listen\(\) |
| accept\(\) | accept\(\) |
| connect\(\) | connect\(\) |
| read\(\)/recv\(\) | recv\(\) |
| write\(\) | send\(\) |
| shutdown\(\) | WSACleanup\(\) |
### Persistence
| Registry | File | Service |
| :--- | :--- | :--- |
| RegCreateKeyEx\(\) | GetTempPath\(\) | OpenSCManager |
| RegOpenKeyEx\(\) | CopyFile\(\) | CreateService\(\) |
| RegSetValueEx\(\) | CreateFile\(\) | StartServiceCtrlDispatcher\(\) |
| RegDeleteKeyEx\(\) | WriteFile\(\) | |
| RegGetValue\(\) | ReadFile\(\) | |
### Encryption
| Name |
| :--- |
| WinCrypt |
| CryptAcquireContext\(\) |
| CryptGenKey\(\) |
| CryptDeriveKey\(\) |
| CryptDecrypt\(\) |
| CryptReleaseContext\(\) |
### Anti-Analysis/VM
| Function Name | Assembly Instructions |
| :--- | :--- |
| IsDebuggerPresent\(\) | CPUID\(\) |
| GetSystemInfo\(\) | IN\(\) |
| GlobalMemoryStatusEx\(\) | |
| GetVersion\(\) | |
| CreateToolhelp32Snapshot \[Check if a process is running\] | |
| CreateFileW/A \[Check if a file exist\] | |
### Stealth
| Name | |
| :--- | :--- |
| VirtualAlloc | Alloc memory \(packers\) |
| VirtualProtect | Change memory permission \(packer giving execution permission to a section\) |
| ReadProcessMemory | Injection into external processes |
| WriteProcessMemoryA/W | Injection into external processes |
| NtWriteVirtualMemory | |
| CreateRemoteThread | DLL/Process injection... |
| NtUnmapViewOfSection | |
| QueueUserAPC | |
| CreateProcessInternalA/W | |
### Execution
| Function Name |
| :--- |
| CreateProcessA/W |
| ShellExecute |
| WinExec |
| ResumeThread |
| NtResumeThread |
### Miscellaneous
* GetAsyncKeyState\(\) -- Key logging
* SetWindowsHookEx -- Key logging
* GetForeGroundWindow -- Get running window name \(or the website from a browser\)
* LoadLibrary\(\) -- Import library
* GetProcAddress\(\) -- Import library
* CreateToolhelp32Snapshot\(\) -- List running processes
* GetDC\(\) -- Screenshot
* BitBlt\(\) -- Screenshot
* InternetOpen\(\), InternetOpenUrl\(\), InternetReadFile\(\), InternetWriteFile\(\) -- Access the Internet
* FindResource\(\), LoadResource\(\), LockResource\(\) -- Access resources of the executable
## Malware Techniques
### DLL Injection
Execute an arbitrary DLL inside another process
1. Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary
Other functions to use: NTCreateThreadEx, RtlCreateUserThread
### Reflective DLL Injection
Load a malicious DLL without calling normal Windows API calls.
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.
### Thread Hijacking
Find a thread from a process and make it load a malicious DLL
1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Open the thread: OpenThread
3. Suspend the thread: SuspendThread
4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
5. Resume the thread loading the library: ResumeThread
### PE Injection
Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.
### Process Hollowing
The malware will unmap the legitimate code from memory of the process and load a malicious binary
1. Create a new process: CreateProcess
2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
3. Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory
4. Set the entrypoint and execute: SetThreadContext, ResumeThread
## Hooking
* The **SSDT** \(**System Service Descriptor Table**\) points to kernel functions \(ntoskrnl.exe\) or GUI driver \(win32k.sys\) so user processes can call these functions.
* A rootkit may modify these pointer to addresses that he controls
* **IRP** \(**I/O Request Packets**\) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM \(Direct Kernel Object Manipulation\)
* The **IAT** \(**Import Address Table**\) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
* **EAT** \(**Export Address Table**\) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
* **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the begging of this.
Reference in a new issue View git blame Copy permalink