{"blog_title":"tom\u306e\u65e5\u8a18","provider_name":"Hatena Blog","title":"Code Injection\u306e\u89e3\u6790\u306b\u95a2\u3059\u308b\u30e1\u30e2","author_url":"https://blog.hatena.ne.jp/ikutom/","height":"190","published":"2013-05-06 06:51:17","provider_url":"https://hatena.blog","url":"https://ikutom.hatenadiary.org/entry/20130506/1367790677","type":"rich","categories":["Malware Analysis"],"blog_url":"https://ikutom.hatenadiary.org/","width":"100%","version":"1.0","description":"CreateProcess => WriteProcessMemory Injection\u306e\u624b\u9806\u4f8b CreateProcessA (Suspend) NtUnmapViewOfSection VirtualAllocEx WriteProcessMemory \u4f5c\u6210\u3057\u305f\u30d7\u30ed\u30bb\u30b9\u306eEntryPoint\u5909\u66f4 GetThreadContext(\u30b9\u30ec\u30c3\u30c9\u30cf\u30f3\u30c9\u30e9\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u683c\u7d0d\u5834\u6240\u306e\u30a2\u30c9\u30ec\u30b9) [\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u683c\u7d0d\u5834\u6240\u306e\u30a2\u30c9\u30ec\u30b9 + 0xB0] = \u65b0\u3057\u3044Entry Point SetThreadContext(\u30b9\u30ec\u30c3\u30c9\u30cf\u30f3\u30c9\u30e9\u3001\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u683c\u7d0d\u5834\u6240\u306e\u30a2\u30c9\u30ec\u30b9) ResumeThread [\u53c2\u8003\u30da\u30fc\u30b8 \u2026","author_name":"ikutom","html":"<iframe src=\"https://hatenablog-parts.com/embed?url=https%3A%2F%2Fikutom.hatenadiary.org%2Fentry%2F20130506%2F1367790677\" title=\"Code Injection\u306e\u89e3\u6790\u306b\u95a2\u3059\u308b\u30e1\u30e2 - tom\u306e\u65e5\u8a18\" class=\"embed-card embed-blogcard\" scrolling=\"no\" frameborder=\"0\" style=\"display: block; width: 100%; height: 190px; max-width: 500px; margin: 10px 0px;\"></iframe>","image_url":null}