1 - Open Security Training

Transcription

5 [References]
• Michael Ligh et al., Chapter 9. Dynamic Analysis, Malware Analyst's Cookbook and DVD
• AppInit_DLLs in Windows 7 and Windows Server 2008 R2, http://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx

6 [References]
• Application programming interface, http://en.wikipedia.org/wiki/Application_programming_interface

8 [References]
• Application programming interface, http://en.wikipedia.org/wiki/Application_programming_interface
• strcpy(3) - Linux man page, http://linux.die.net/man/3/strcpy

9 [References]
• Michael Sikorski et al., Chapter 12. Covert Malware Launching, Practical Malware Analysis

10 [References]
• OpenProcess function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx

11 [References]
• VirtualAllocEx function, http://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx

12 [References]
• WriteProcessMemory function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx

13 [References]
• GetModuleHandle function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms683199(v=vs.85).aspx

14 [References]
• GetProcAddress function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx

15 [References]
• CreateRemoteThread function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx
• LPTHREAD_START_ROUTINE Function Pointer, http://msdn.microsoft.com/en-us/library/aa964928(v=vs.110).aspx

29 [References]
• Silberschatz, Galvin, Chapter 5 Threads, Operating System Concepts 5th Edition
[Image Sources]
• http://www.cs.cf.ac.uk/Dave/C/mthread.gif

34 [References]
• Michael Sikorski et al., Chapter 12. Covert Malware Launching, Practical Malware Analysis
• SetWindowsHookEx function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx

36 [References]
• Darawk, DLL Injection, http://www.blizzhackers.cc/viewtopic.php?p=2483118

38 [References]
• Dynamic-Link Library Search Order (Windows), http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx

39 [References]
• Nick Harbour, Malware Persistence without the Windows Registry, https://www.mandiant.com/blog/malware-persistence-windows-registry/

41 [References]
• Microsoft Digital Crimes Unit, Operation b70, http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-80-54/3755.Microsoft-Study-into-b70.pdf
• Rex Plantado, MSRT October '12 - Nitol: Counterfeit code isn't such a great deal after all, http://blogs.technet.com/b/mmpc/archive/2012/10/15/msrt-october-12-nitol-counterfeit-code-isn-t-such-a-great-deal-after-all.aspx

44 [References]
• Michael Sikorski et al., Chapter 12. Covert Malware Launching, Practical Malware Analysis

45 [References]
• Xeno Kovah, Rootkits: What they are, and how to find them, http://opensecuritytraining.info/Rootkits.html

48 [References]
• /hotpatch (Create Hotpatchable Image), http://msdn.microsoft.com/en-us/library/ms173507.aspx
• Greg Hoglund et al., Chapter 4. The Age-Old Art of Hooking, Rootkits
