1 - Open Security Training
Transcription
Slide 5 [References]
• Michael Ligh et al., Chapter 9. Dynamic Analysis, Malware Analyst's Cookbook and DVD
• AppInit_DLLs in Windows 7 and Windows Server 2008 R2, http://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx

Slide 6 [References]
• Application programming interface, http://en.wikipedia.org/wiki/Application_programming_interface

Slide 8 [References]
• Application programming interface, http://en.wikipedia.org/wiki/Application_programming_interface
• strcpy(3) - Linux man page, http://linux.die.net/man/3/strcpy

Slide 9 [References]
• Michael Sikorski et al., Chapter 12. Covert Malware Launching, Practical Malware Analysis

Slide 10 [References]
• OpenProcess function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx

Slide 11 [References]
• VirtualAllocEx function, http://msdn.microsoft.com/en-us/library/windows/desktop/aa366890(v=vs.85).aspx

Slide 12 [References]
• WriteProcessMemory function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx

Slide 13 [References]
• GetModuleHandle function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms683199(v=vs.85).aspx

Slide 14 [References]
• GetProcAddress function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx

Slide 15 [References]
• CreateRemoteThread function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx
• LPTHREAD_START_ROUTINE Function Pointer, http://msdn.microsoft.com/en-us/library/aa964928(v=vs.110).aspx

Slide 29 [References]
• Silberschatz, Galvin, Chapter 5 Threads, Operating System Concepts 5th Edition
[Image Sources]
• http://www.cs.cf.ac.uk/Dave/C/mthread.gif

Slide 34 [References]
• Michael Sikorski et al., Chapter 12. Covert Malware Launching, Practical Malware Analysis
• SetWindowsHookEx function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms644990(v=vs.85).aspx

Slide 36 [References]
• Darawk, DLL Injection, http://www.blizzhackers.cc/viewtopic.php?p=2483118

Slide 38 [References]
• Dynamic-Link Library Search Order (Windows), http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx

Slide 39 [References]
• Nick Harbour, Malware Persistence without the Windows Registry, https://www.mandiant.com/blog/malware-persistence-windows-registry/

Slide 41 [References]
• Microsoft Digital Crimes Unit, Operation b70, http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-80-54/3755.Microsoft-Study-into-b70.pdf
• Rex Plantado, MSRT October '12 - Nitol: Counterfeit code isn't such a great deal after all, http://blogs.technet.com/b/mmpc/archive/2012/10/15/msrt-october-12-nitol-counterfeit-code-isn-t-such-a-great-deal-after-all.aspx

Slide 44 [References]
• Michael Sikorski et al., Chapter 12. Covert Malware Launching, Practical Malware Analysis

Slide 45 [References]
• Xeno Kovah, Rootkits: What they are, and how to find them, http://opensecuritytraining.info/Rootkits.html

Slide 48 [References]
• /hotpatch (Create Hotpatchable Image), http://msdn.microsoft.com/en-us/library/ms173507.aspx
• Greg Hoglund et al., Chapter 4. The Age-Old Art of Hooking, Rootkits