# Common API used in Malware {{#include ../banners/hacktricks-training.md}} ## Generic ### Networking | Raw Sockets | WinAPI Sockets | | ------------- | -------------- | | socket() | WSAStratup() | | bind() | bind() | | listen() | listen() | | accept() | accept() | | connect() | connect() | | read()/recv() | recv() | | write() | send() | | shutdown() | WSACleanup() | ### Persistence | Registry | File | Service | | ---------------- | ------------- | ---------------------------- | | RegCreateKeyEx() | GetTempPath() | OpenSCManager | | RegOpenKeyEx() | CopyFile() | CreateService() | | RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() | | RegDeleteKeyEx() | WriteFile() | | | RegGetValue() | ReadFile() | | ### Encryption | Name | | --------------------- | | WinCrypt | | CryptAcquireContext() | | CryptGenKey() | | CryptDeriveKey() | | CryptDecrypt() | | CryptReleaseContext() | ### Anti-Analysis/VM | Function Name | Assembly Instructions | | --------------------------------------------------------- | --------------------- | | IsDebuggerPresent() | CPUID() | | GetSystemInfo() | IN() | | GlobalMemoryStatusEx() | | | GetVersion() | | | CreateToolhelp32Snapshot \[Check if a process is running] | | | CreateFileW/A \[Check if a file exist] | | ### Stealth | Name | | | ------------------------ | -------------------------------------------------------------------------- | | VirtualAlloc | Alloc memory (packers) | | VirtualProtect | Change memory permission (packer giving execution permission to a section) | | ReadProcessMemory | Injection into external processes | | WriteProcessMemoryA/W | Injection into external processes | | NtWriteVirtualMemory | | | CreateRemoteThread | DLL/Process injection... | | NtUnmapViewOfSection | | | QueueUserAPC | | | CreateProcessInternalA/W | | ### Execution | Function Name | | ---------------- | | CreateProcessA/W | | ShellExecute | | WinExec | | ResumeThread | | NtResumeThread | ### Miscellaneous - GetAsyncKeyState() -- Key logging - SetWindowsHookEx -- Key logging - GetForeGroundWindow -- Get running window name (or the website from a browser) - LoadLibrary() -- Import library - GetProcAddress() -- Import library - CreateToolhelp32Snapshot() -- List running processes - GetDC() -- Screenshot - BitBlt() -- Screenshot - InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet - FindResource(), LoadResource(), LockResource() -- Access resources of the executable ## Malware Techniques ### DLL Injection Teua DLL isiyo ya kawaida ndani ya mchakato mwingine 1. Tafuta mchakato wa kuingiza DLL mbaya: CreateToolhelp32Snapshot, Process32First, Process32Next 2. Fungua mchakato: GetModuleHandle, GetProcAddress, OpenProcess 3. Andika njia ya DLL ndani ya mchakato: VirtualAllocEx, WriteProcessMemory 4. Unda thread katika mchakato ambayo itapakia DLL mbaya: CreateRemoteThread, LoadLibrary Mifunction mingine ya kutumia: NTCreateThreadEx, RtlCreateUserThread ### Reflective DLL Injection Pakia DLL mbaya bila kuita simu za kawaida za Windows API.\ DLL inachorwa ndani ya mchakato, itatatua anwani za uagizaji, kurekebisha uhamasishaji na kuita kazi ya DllMain. ### Thread Hijacking Pata thread kutoka kwa mchakato na ufanye ipakie DLL mbaya 1. Pata thread lengwa: CreateToolhelp32Snapshot, Thread32First, Thread32Next 2. Fungua thread: OpenThread 3. Suspend thread: SuspendThread 4. Andika njia ya DLL mbaya ndani ya mchakato wa mwathirika: VirtualAllocEx, WriteProcessMemory 5. Anza tena thread ikipakia maktaba: ResumeThread ### PE Injection Uhamasishaji wa Utekelezaji wa Portable: Utekelezaji utaandikwa katika kumbukumbu ya mchakato wa mwathirika na utaanzishwa kutoka hapo. ### Process Hollowing (a.k.a **RunPE**) `Process Hollowing` ni moja ya mbinu maarufu za **kuepuka ulinzi / utekelezaji** zinazotumiwa na malware ya Windows. Wazo ni kuzindua mchakato *halali* katika hali ya **kusimamishwa**, kuondoa (hollow) picha yake ya asili kutoka kwa kumbukumbu na nakala ya **PE isiyo ya kawaida** mahali pake. Wakati thread kuu hatimaye inarejelewa, kiingilio kibaya kinatekelezwa chini ya kivuli cha binary iliyoaminika (mara nyingi imesainiwa na Microsoft). Mchakato wa kawaida: 1. Zindua mwenyeji mzuri (mfano `RegAsm.exe`, `rundll32.exe`, `msbuild.exe`) **kusimamishwa** ili hakuna maagizo yanayoendesha bado. ```c STARTUPINFOA si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessA("C:\\Windows\\Microsoft.NET\\Framework32\\v4.0.30319\\RegAsm.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi); ``` 2. Soma mzigo mbaya katika kumbukumbu na uchambue vichwa vyake vya PE ili kupata `SizeOfImage`, sehemu na `EntryPoint` mpya. 3. **NtUnmapViewOfSection** / **ZwUnmapViewOfSection** – ondoa msingi wa picha ya asili ya mchakato ulio kusimamishwa. 4. **VirtualAllocEx** – hifadhi kumbukumbu ya RWX ya `SizeOfImage` ndani ya mchakato wa mbali. 5. **WriteProcessMemory** – nakala ya `Headers` kwanza, kisha tembea juu ya sehemu ukinakili data zao za ghafi. 6. **SetThreadContext** – pata thamani ya `EAX/RAX` (`RCX` kwenye x64) au `Rip` katika muundo wa muktadha ili `EIP` iangalie kwenye `EntryPoint` ya mzigo. 7. **ResumeThread** – thread inaendelea, ikitekeleza msimbo uliotolewa na mshambuliaji. Mfano wa chini wa uthibitisho wa dhana (x86): ```c void RunPE(LPCSTR host, LPVOID payload, DWORD payloadSize){ // 1. create suspended process STARTUPINFOA si = {sizeof(si)}; PROCESS_INFORMATION pi; CreateProcessA(host, NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi); // 2. read remote PEB to get ImageBaseAddress CONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL; GetThreadContext(pi.hThread,&ctx); PVOID baseAddr; ReadProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL); // 3. unmap original image & allocate new region at same base NtUnmapViewOfSection(pi.hProcess,baseAddr); PVOID newBase = VirtualAllocEx(pi.hProcess,baseAddr,pHdr->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); // 4-5. copy headers & sections … // 6. write new image base into PEB and set Eip WriteProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL); ctx.Eax = (DWORD)(newBase) + pHdr->OptionalHeader.AddressOfEntryPoint; SetThreadContext(pi.hThread,&ctx); // 7. run! ResumeThread(pi.hThread); } ``` Practical notes observed in the **DarkCloud Stealer** campaign: * Loader ilichukua `RegAsm.exe` (sehemu ya .NET Framework) kama mwenyeji – binary iliyosainiwa ambayo haiwezekani kuvuta umakini. * Stealer ya VB6 iliyofichuliwa (`holographies.exe`) *haiangushi* kwenye diski; inakuwepo tu ndani ya mchakato uliohollowed, ikifanya ugunduzi wa statiki kuwa mgumu zaidi. * Nyimbo nyeti (regexes, paths, Telegram credentials) zime **RC4-encrypted** kwa kila nyimbo na zinafichuliwa tu wakati wa wakati wa kukimbia, ikifanya skanning ya kumbukumbu kuwa ngumu zaidi. Detection ideas: * Onyo juu ya mchakato wa `CREATE_SUSPENDED` ambao kamwe hauunda madirisha ya GUI/console kabla ya eneo la kumbukumbu kutolewa kama **RWX** (nadra kwa msimbo mzuri). * Tafuta mfuatano wa wito `NtUnmapViewOfSection ➜ VirtualAllocEx ➜ WriteProcessMemory` kati ya michakato tofauti. ## Hooking - **SSDT** (**System Service Descriptor Table**) inaelekeza kwenye kazi za kernel (ntoskrnl.exe) au dereva wa GUI (win32k.sys) ili michakato ya mtumiaji iweze kuita kazi hizi. - Rootkit inaweza kubadilisha viashiria hivi kwa anwani ambazo anadhibiti. - **IRP** (**I/O Request Packets**) hupeleka vipande vya data kutoka sehemu moja hadi nyingine. Karibu kila kitu katika kernel kinatumia IRPs na kila kituo cha kifaa kina jedwali lake la kazi ambalo linaweza kuhooked: DKOM (Direct Kernel Object Manipulation) - **IAT** (**Import Address Table**) ni muhimu kutatua utegemezi. Inawezekana kuhook jedwali hili ili kuiba msimbo ambao utaitwa. - **EAT** (**Export Address Table**) Hooks. Hizi hooks zinaweza kufanywa kutoka **userland**. Lengo ni kuhook kazi zilizotolewa na DLLs. - **Inline Hooks**: Aina hii ni ngumu kufikia. Hii inahusisha kubadilisha msimbo wa kazi yenyewe. Labda kwa kuweka jump mwanzoni mwa hii. ## References - [Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/) {{#include ../banners/hacktricks-training.md}}