Saturday, November 13, 2021

Malware pe files free download in github

Uploader:Mattm6
Date Added:11.01.2021





Concise Windows Functions in Malware Analysis List · GitHub


This function loads a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration information, or other malicious files.

LsaEnumerateLogonSessions: This function is used to enumerate through logon sessions on the current system, which can be used as part of a credential stealer.

MapViewOfFile

Malware Samples: This repository is intended to provide access to a wide variety of malicious files and other artifacts. All of the samples are in a password-protected ZIP archive using the password: infected.

Malware Analysis Exercises: In addition to providing artifacts from samples, I will regularly post malware analysis exercises.






From InfoSec Institute, part 1 and part 2.

This function indicates that the program will listen for incoming connections on a socket.


It is mostly used by malware to communicate with its command-and-control server.

AdjustTokenPrivileges: This function is used to enable or disable specific access privileges. In a process injection attack, malware uses this function to gain additional permissions.

AttachThreadInput: This function attaches the input processing from one thread to another so that the second thread receives input events such as keyboard and mouse events. Keyloggers and other spyware use this function.

bind: This function is used to associate a local address with a socket in order to listen for incoming connections.

BitBlt: This function is used to copy graphic data from one device to another. Spyware sometimes uses this function to capture screenshots.

CertOpenSystemStore: This function is used to access the certificates stored on the local system.

connect: This function is used to connect to a remote socket. Malware often uses low-level functionality to connect to a command-and-control server.

ConnectNamedPipe: This function is used to create a server pipe for interprocess communication that will wait for a client pipe to connect. Backdoors and reverse shells sometimes use ConnectNamedPipe to simplify connectivity to a command-and-control server.

ControlService: This function is used to start, stop, modify, or send a signal to a running service. If malware is using its own malicious service, the code that implements the service needs to be analyzed in order to determine the purpose of the call.

CreateFile: Creates a new file or opens an existing file.

CreateFileMapping: This function is used to create a handle to a file mapping that loads a file into memory and makes it accessible via memory addresses. Launchers, loaders, and injectors use this function to read and modify PE files.

CreateMutex: This function creates a mutual exclusion object that can be used by malware to ensure that only a single instance of the malware is running on a system at any given time. Malware often uses fixed names for mutexes, which can be good host-based indicators to detect additional installations of the malware.

CreateProcess: This function creates and launches a new process. If malware creates a new process, the new process needs to be analyzed as well.

CreateRemoteThread: This function is used to start a thread in a remote process. Launchers and stealth malware use CreateRemoteThread to inject code into a different process.

CreateService: This function is used to create a service that can be started at boot time. Malware uses CreateService for persistence, stealth, or to load kernel drivers.

CreateToolhelp32Snapshot: This function is used to create a snapshot of processes, heaps, threads, and modules. Malware often uses this function as part of code that iterates through processes or threads.

CryptAcquireContext: This function is often the first function used by malware to initialize the use of Windows encryption.

DeviceIoControl: This function sends a control message from user space to a device driver. Kernel malware that needs to pass information between user space and kernel space often uses this function.

EnableExecuteProtectionSupport: This function is used to modify the Data Execution Prevention (DEP) settings of the host, making it more susceptible to attack.

EnumProcesses: This function is used to enumerate through running processes on the system. Malware often enumerates through processes to find a process into which to inject.

EnumProcessModules: This function is used to enumerate the loaded modules (executables and DLLs) for a given process. Malware enumerates through modules when doing an injection.

FindResource: This function is used to find a resource in an executable or loaded DLL. Malware sometimes uses resources to store strings, configuration information, or other malicious files. If this function is used, examine the resource it refers to.

FindWindow: This function is used to search for an open window on the desktop. Sometimes this function is used as an anti-debugging technique to search for OllyDbg windows.

FtpPutFile: This function is used to upload a file to a remote FTP server.

GetAdaptersInfo: This function is used to obtain information about the network adapters on the system. Backdoors sometimes call GetAdaptersInfo in the information-gathering phase to gather information about infected machines.

GetAsyncKeyState: This function is used to determine whether a particular key is being pressed. Malware sometimes uses this function to implement a keylogger.

GetDC: This function returns a handle to a device context for a window or the whole screen. Spyware that takes screen captures often uses this function.

GetForegroundWindow: This function returns a handle to the window currently in the foreground of the desktop. Keyloggers commonly use this function to determine in which window the user is entering keystrokes.

gethostbyname: This function is used to perform a DNS lookup on a particular hostname prior to making an IP connection to a remote host. Hostnames that serve as command-and-control servers often make good network-based signatures.

gethostname: This function is used to retrieve the hostname of the computer. Backdoors sometimes use gethostname in the information-gathering phase on the victim machine.

GetKeyState: This function is used by keyloggers to obtain the status of a particular key on the keyboard.

GetModuleFilename: This function returns the filename of a module that is loaded in the current process. Malware can use this function to modify or copy files in the currently running process.

GetModuleHandle: This function is used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.

GetProcAddress: This function is used to retrieve the address of a function in a DLL loaded into memory. This is used to import functions from other DLLs in addition to the functions imported in the PE file header.

GetStartupInfo: This function is used to retrieve a structure containing information about how the current process was configured to run, such as where the standard handles are directed.

GetSystemDefaultLangId: This function returns the default language settings for the system. Malware specifically designed for region-based attacks uses it.

GetTempPath: This function returns the temporary file path. If malware calls this function, check whether it reads or writes any files in the temporary file path.

GetThreadContext: This function returns the context structure of a given thread. The context for a thread stores all the thread information, such as the register values and current state.

GetVersionEx: This function returns information about which version of Windows is currently running. This can be used as part of a victim survey, or to select between different offsets for undocumented structures that have changed between different versions of Windows.

Malware sometimes uses this call to determine into which directory to install additional malicious programs.

The string specified can sometimes be used as a network-based signature.

InternetOpen: This function initializes the high-level Internet access functions from WinINet, such as InternetOpenUrl and InternetReadFile. Searching for InternetOpen is a good way to find the start of Internet access functionality. One of the parameters to InternetOpen is the User-Agent, which can sometimes make a good network-based signature.

InternetOpenUrl: This function opens a specific URL for a connection using FTP, HTTP, or HTTPS. URLs, if fixed, can often be good network-based signatures.

InternetReadFile: This function reads data from a previously opened URL.

InternetWriteFile: This function writes data to a previously opened URL.

IsNTAdmin: This function checks if the user has administrator privileges.

IsWoW64Process: This function is used by a 32-bit process to determine if it is running on a 64-bit operating system.

LdrLoadDll: This is a low-level function to load a DLL into a process, just like LoadLibrary.
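A defender-side triage helper built from the list above, added here as an example and not part of the original gist or this page: it recognises these API names in a PE import name table or strings dump, strips Windows' A/W suffixes, groups them by the behaviour the list attributes to them, and flags groups where two or more co-occur. The capability grouping and the SAMPLE_IDATA fragment are constructed for this example.

```python
import re

# API names grouped by the behaviour the list above attributes to them; the
# grouping itself is an editorial assumption, not part of the original page.
CAPABILITIES = {
    "process_injection": {"CreateRemoteThread", "CreateToolhelp32Snapshot",
                          "EnumProcesses", "EnumProcessModules", "GetThreadContext"},
    "keylogging": {"GetAsyncKeyState", "GetKeyState", "AttachThreadInput",
                   "GetForegroundWindow"},
    "screen_capture": {"BitBlt", "GetDC"},
    "network": {"connect", "bind", "gethostbyname", "InternetOpen",
                "InternetOpenUrl", "InternetReadFile", "FtpPutFile"},
    "dynamic_api_resolution": {"GetProcAddress", "LdrLoadDll", "GetModuleHandle"},
    "anti_analysis_or_survey": {"FindWindow", "IsWoW64Process", "GetVersionEx"},
    "embedded_payload": {"FindResource", "CreateFileMapping", "MapViewOfFile"},
}
KNOWN = {n for group in CAPABILITIES.values() for n in group}
_NAME_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{3,63}")  # NUL-terminated ASCII names


def normalise(name):
    """Base API name, dropping the A/W (ANSI/Unicode) suffix: FindWindowA -> FindWindow."""
    if name in KNOWN:
        return name
    if name[-1] in "AW" and name[:-1] in KNOWN:
        return name[:-1]
    return None


def extract_imports(blob):
    """Recognised API names found in raw bytes (an import table or strings dump)."""
    return {base for m in _NAME_RE.finditer(blob)
            if (base := normalise(m.group().decode("ascii")))}


def profile(imports):
    """Group the recognised imports by capability, dropping empty groups."""
    return {cap: sorted(imports & names)
            for cap, names in CAPABILITIES.items() if imports & names}


def likely_behaviours(imports, min_hits=2):
    """One API alone is weak evidence (GetDC is in every GUI program); two or
    more co-occurring from one group is the pattern worth a closer look."""
    return sorted(cap for cap, hits in profile(imports).items() if len(hits) >= min_hits)


# Constructed import-table fragment for demonstration only, not from a real sample.
SAMPLE_IDATA = (b"KERNEL32.dll\x00CreateToolhelp32Snapshot\x00OpenProcess\x00"
                b"CreateRemoteThread\x00GetProcAddress\x00GetDC\x00"
                b"USER32.dll\x00GetAsyncKeyState\x00GetForegroundWindow\x00"
                b"WININET.dll\x00InternetOpenA\x00InternetOpenUrlA\x00")
```

Running `likely_behaviours(extract_imports(SAMPLE_IDATA))` on the constructed fragment reports keylogging, network and process_injection, while the lone GetDC import shows up in `profile()` but is not promoted to a likely behaviour.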










A repository full of malware samples. Contribute to Da2dalus/The-MALWARE-Repo development by creating an account on GitHub.




