tmxklab
Various injection techniques (body)
1) DLL Injection
Dropper 3-1(DLL Injection)
0. Table of Contents 0. Table of Contents 1. What is DLL Injection 2. Analysis of DLL Injection types 2.1 Analysis environment 2.2 Example source code and compilation 3. Analysis 3.1 Static analysis 1) sub_4010F0((int)"explorer.exe") 2) CreateToolhelp32Snapshot() 3) su..
rninche01.tistory.com
2) Process Hollowing
Dropper 3-2(Process Hollowing)
0. Table of Contents 0. Table of Contents 1. What is Process Hollowing 2. Analysis of Process Hollowing types 2.1 Analysis environment 2.2 Example source code and compilation 3. Analysis 3.1 Static analysis 1) CreateProcessA() 2) CreateFileA(ExeName, 0x80000000, 1, 0,..
rninche01.tistory.com
+) On detecting Process Hollowing
Detecting Deceptive Process Hollowing Techniques Using HollowFind Volatility Plugin - Cysinfo
In this blog post we will look at different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis. I also present a Volatility plugin hollowfind to detect these different types of process hollow
cysinfo.com
3) PE Injection
Dropper 3-3(PE Injection)
0. Table of Contents Contents 0. Table of Contents 1. What is PE Injection 2. Analysis of PE Injection types 2.1 Analysis environment 2.2 Example source code 3. Analysis 3.1 Static analysis start() doit() 1) lpAddress = GetModuleHandleA(0); 2) dwProcessId = find..
rninche01.tistory.com
4) Thread Injection
Dropper 3-4(Thread Injection)
0. Table of Contents Contents 0. Table of Contents 1. What is Thread Injection 2. Analysis of Thread Injection types 2.1 Analysis environment 2.2 Example source code and compilation 3. Analysis 3.1 Static analysis start() 1) ProcessHandle = (HANDLE)OpenProcess(0x42A,..
rninche01.tistory.com
5) Reflective DLL Injection
Reflective DLL Injection
0. Table of Contents Contents 0. Table of Contents 1. Reflective DLL Injection 1.1 Background 1.2 DLL Injection and Reflective DLL Injection 1) DLL Injection 2) Reflective DLL Injection 1.3 Differences 2. Reflective DLL Injection type anal..
rninche01.tistory.com
6) APC Injection
APC Injection
0. Table of Contents Contents 0. Table of Contents 1. What is APC Injection Asynchronous Procedure Call (APC) What is an Alertable State? QueueUserAPC 2. How it works 3. Debugging APC DLL Injection msg.dll - the injected DLL 4. References 1. APC Injectio..
rninche01.tistory.com
7) SetWindowsHookEx DLL Injection
SetWindowsHookEx DLL Injection
1. SetWindowsHookEx() Microsoft provides a function for hooking the messages exchanged between processes, and that function is SetWindowsHookEx(). idHook: the ID of the message type to hook (message types are ms
rninche01.tistory.com
8) shim DLL Injection
Newly added injection techniques → these will also be added as I analyze them
Atom bomb (AtomBombing)
AtomBombing – A New Code Injection Attack
www.enisa.europa.eu
PROPagate
Hexacorn | Blog PROPagate – a new code injection trick
October 26, 2017 in Anti-*, Code Injection, Compromise Detection, EDR, Incident Response, Malware Analysis, Reversing, Sandboxing Executing code inside a different process space is typically achieved via an injected DLL /system-wide hooks, sideloading, etc
www.hexacorn.com
Process Doppelgänging
www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
Ghost Hook
GhostHook – Bypassing PatchGuard with Processor Trace Based Hooking
The GhostHook technique we discovered can provide malicious actors or information security products with the ability to hook almost any piece of code running on the machine.
www.cyberark.com
Gargoyle
gargoyle, a memory scanning evasion technique
gargoyle is a technique for hiding all of a program’s executable code in non-executable memory. At some programmer-defined interval, gargoyle will wake up–and with some ROP trickery–mark itself executable and do some work: The technique is demonstrat
lospi.net