{"id":706,"date":"2015-08-29T10:49:57","date_gmt":"2015-08-29T07:49:57","guid":{"rendered":"https:\/\/furkansandal.com\/malware-analizinde-sikca-karsilasilan-windows-apileri-2\/"},"modified":"2015-08-29T10:49:57","modified_gmt":"2015-08-29T07:49:57","slug":"malware-analizinde-sikca-karsilasilan-windows-apileri-2","status":"publish","type":"post","link":"https:\/\/furkansandal.com\/malware-analizinde-sikca-karsilasilan-windows-apileri-2\/","title":{"rendered":"Malware Analizinde S\u0131k\u00e7a Kar\u015f\u0131la\u015f\u0131lan Windows API\u2019leri \u2013 2"},"content":{"rendered":"

In our previous article we discussed the basic purpose of Windows APIs and noted that malware developers also make frequent use of these APIs. The first article of this series can be found at the linked address. As malware analysts, when we have sufficient knowledge of the Windows APIs, we can conclude much faster what the basic capabilities of the code under analysis may be. In this context, knowing what each API is used for and which parameters it accepts considerably speeds up the analysis process. In the first article of the series we covered the most commonly used APIs at the file system, registry and network levels. Let us now continue with the details of the APIs used for other operations.

WinINet Functions

When functions for higher-level protocols beyond Winsock are needed, for example opening a session or transferring a file over HTTP, FTP and similar protocols, the functions in WinINet are called. The library file that contains these functions is Wininet.dll. The functions from this library that we encounter most often are the following:

Function Name      Description
InternetOpen       The first function called when an Internet connection is to be established.
InternetOpenUrl    Used to request a URI over HTTP or to access an FTP resource.
InternetReadFile   Used to read the file downloaded over the Internet.
InternetWriteFile  Used to write data to the URL opened by the previous request.

An example of the use of the InternetOpenUrl API is shown below. As can be seen, the stack frame is prepared first, the API's parameters are pushed onto the stack, and then InternetOpenUrl is called, making the request to the URL assigned to the lpszUrl variable. Detailed information on the InternetOpenUrl API is available at the linked address.


\"WinINet01\"<\/p>\n


Process Commands

If malware is going to run an application on the system it has infected, the CreateProcessA function is generally used. With this function the malware can start a new application or create an instance of a process such as Internet Explorer. A thread is the name given to the pieces of code within an application that the CPU executes independently of one another. The threads within an application share the same memory space. A new thread is created with the CreateThread function. You may encounter both methods in the malware you analyse.

In the example code below you can see how the CreateProcessA function is used. Before the function is called, the stack frame is again set up (the function prologue) and then CreateProcessA is called. Detailed information about this API is available at the linked address.

\"CreateProcessA\"<\/p>\n

The code fragment for an example use of the CreateThread function is shown below. Again, the function prologue comes first and the CreateThread call follows. The value assigned to this function's dwCreationFlags parameter determines whether the thread starts immediately or starts in a suspended state (CREATE_SUSPENDED). The details of this API are also available at the linked address.

\"CreateThread\"<\/p>\n

Service Commands

Malware wants to add itself as a service on the infected system in order to guarantee that it runs automatically every time the computer starts. The functions generally used for this are the following:

  • OpenSCManager: Returns a handle to the service control manager, which is used for the subsequent service-related operations.
  • CreateService: Used to add a new service to the service control manager. It also determines whether the newly created service is started automatically at system startup or manually.
  • StartService: Used to start services that have been configured to start manually.

An example code fragment showing the use of these APIs is given below. As can be seen, the code creates a service named Malservice on the system. Detailed information about the Windows service APIs is available at the linked address.


    \"CreateServiceA\"<\/p>\n


In our next article we will look at the other Windows APIs used by malware, and then continue the series with analyses of sample malicious code.","protected":false},"excerpt":{"rendered":"

In our previous article we discussed the basic purpose of Windows APIs and noted that malware developers also make frequent…","protected":false},"author":1,"featured_media":479,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,3,7,4],"tags":[78,76,88,89,26,83,81,79,82,77,80,84,85,87,86],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/08\/https.jpg?fit=840%2C420&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-bo","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/706"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=706"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/706\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/479"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}