Text content of Malware development.pdf
xaloman

    a. Introduction ........ 73
    b. IPv4/IPv6Fuscation ........ 73
    c. IPv4/IPv6Defuscation ........ 78
  2. MACFuscation ........ 83
    a. MACFuscation ........ 83
    b. Deobfuscating MACFuscation ........ 84
  3. UUIDFuscation ........ 87
    a. Introduction ........ 87
    b. UUIDFuscation ........ 88
    c. UUID Deobfuscation ........ 89
  4. HellShell ........ 92
VI. Local Payload Execution - DLL ........ 93
  1. Creating a DLL ........ 93
  2. Loading the DLL ........ 95
  3. Process analysis ........ 96
VII. Local Payload Execution - Shellcode ........ 97
  1. Introduction ........ 97
  2. Obfuscating Payload ........ 97
    a. VirtualAlloc ........ 97
    b. Writing Payload ........ 98
    c. Modifying Memory Protection ........ 98
    d. Executing payloads ........ 99
    e. Waiting for the thread to execute ........ 100
    f. Deallocating Memory ........ 101
    g. Debug ........ 101
  3. Process Injection - DLL Injection ........ 102
    a. CreateToolhelp32Snapshot ........ 102
    b. DLL Injection ........ 103
  4. Shellcode Injection ........ 108
VIII. Staging ........ 113
  1. Introduction ........ 113
  2. Web server staging ........ 114
    a. Fetching the payload from the server ........ 114
    b. InternetOpenW ........ 114
    c. InternetOpenUrlW ........ 115
    d. Reading data ........ 115
    e. InternetCloseHandle ........ 116
    f. Closing http/https Connections ........ 116
    g. Demo ........ 116
    h. Dynamic payload size ........ 119
    i. Demo 2 - Get dynamic payload ........ 119
  3. Windows Registry staging ........ 123
    a. Introduction ........ 123
    b. Conditional Compilation ........ 123
  4