From d52a21633340baadaa20aa240a60bcea6cc69117 Mon Sep 17 00:00:00 2001 From: Amanda Rousseau Date: Mon, 20 Mar 2017 14:26:32 -0700 Subject: [PATCH] updating tables --- idacheatsheet.html | 136 ++++++++++++++++++++++----------------------- malware.md | 44 +++++++++++---- 2 files changed, 100 insertions(+), 80 deletions(-) diff --git a/idacheatsheet.html b/idacheatsheet.html index d486637..eea3900 100644 --- a/idacheatsheet.html +++ b/idacheatsheet.html @@ -14,86 +14,86 @@ - + - + - - - - - - + + + + + + - - + +

Navigation

Jump to operandEnter
Jump in new windowAlt+Enter
Jump in new windowAlt+Enter
Jump to previous positionEsc
Jump to Next positionCtrl+Enter
Jump to Next positionCtrl+Enter
Jump to addressG
Jump by nameCtrl+L
Jump to functionCtrl+P
Jump to segmentCtrl+S
Jump to segment registerCtrl+G
Jump to problemCtrl+Q
Jump to cross referenceCtrl+X
Jump by nameCtrl+L
Jump to functionCtrl+P
Jump to segmentCtrl+S
Jump to segment registerCtrl+G
Jump to problemCtrl+Q
Jump to cross referenceCtrl+X
Jump to xref to operand X
Jump to entry pointCtrl+E
Mark PositionAlt+M
Jump to entry pointCtrl+E
Mark PositionAlt+M
- - - - - - - - - - - + + + + + + + + + + +

Search

Next codeAlt+C
Next dataCtrl+D
Next exploredCtrl+A
Next unexploredCtrl+U
Immediate valueAlt+I
Next immediate valueCtrl+I
TextAlt+T
Next textCtrl+T
Sequence of bytesAlt+B
Next sequence of bytesCtrl+B
Not functionAlt+U
Next codeAlt+C
Next dataCtrl+D
Next exploredCtrl+A
Next unexploredCtrl+U
Immediate valueAlt+I
Next immediate valueCtrl+I
TextAlt+T
Next textCtrl+T
Sequence of bytesAlt+B
Next sequence of bytesCtrl+B
Not functionAlt+U
- +

Graphing

Flow chartF12
Function callsCtrl+F12
Function callsCtrl+F12
- + - - + +

Comments

Enter commentShift+;
Enter commentShift+;
Enter repeatable comment;
Enter anterior linesIns
Enter posterior linesShift+Ins
Insert predefined commentShift+F1
Enter posterior linesShift+Ins
Insert predefined commentShift+F1
- - + +

Data Format Options

ASCII strings styleAlt+A
Setup data typesAlt+D
ASCII strings styleAlt+A
Setup data typesAlt+D
- - - - - - - - - + + + + + + + + +

Open Subviews

NamesShift+F4
FunctionsShift+F3
StringsShift+F12
SegmentsShift+F7
Segment registersShift+F8
SignaturesShift+F5
Type librariesShift+F11
StructuresShift+F9
EnumerationsShift+F10
NamesShift+F4
FunctionsShift+F3
StringsShift+F12
SegmentsShift+F7
Segment registersShift+F8
SignaturesShift+F5
Type librariesShift+F11
StructuresShift+F9
EnumerationsShift+F10
- - - + + +

File Operations

Parse C header fileCtrl+F9
Create ASM fileAlt+F10
Save databaseCtrl+W
Parse C header fileCtrl+F9
Create ASM fileAlt+F10
Save databaseCtrl+W
- + - + - +

Debugger

Star processF9
Terminate processCtrl+F2
Terminate processCtrl+F2
Step intoF7
Step overF8
Run until returnCtrl+F7
Run until returnCtrl+F7
Run to cursorF4
Breakpoints
Breakpoint listCtrl+Alt+B
Breakpoint listCtrl+Alt+B
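Review bot: every changed row in this hunk keeps exactly the same label and shortcut text as the row it replaces (`Jump in new window` / `Alt+Enter`, `Jump by name` / `Ctrl+L`, `Terminate process` / `Ctrl+F2`, and so on), so the edit is to markup or whitespace that the rendered text does not show, and the subject line `updating tables` does not say what changed; please state in the commit message what was altered in the row markup. While the Navigation and Debugger tables are being touched, the unchanged `Star process` / `F9` row should read `Start process`, and `Jump to Next position` should be `Jump to next position` to match the capitalisation of the surrounding rows.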
@@ -103,29 +103,29 @@
- +

Tracing

Stack traceCtrl+Alt+S
Stack traceCtrl+Alt+S
- - - - - - + + + + + +

Miscellaneous

CalculatorShift+/
Cycle through open viewsCtrl+Tab
Select tabAlt + [1…N]
Close current viewCtrl+F4
ExitAlt+X
IDC CommandShift+F2
CalculatorShift+/
Cycle through open viewsCtrl+Tab
Select tabAlt + [1…N]
Close current viewCtrl+F4
ExitAlt+X
IDC CommandShift+F2
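Review bot: the rewritten `Select tab` row writes its shortcut as `Alt + [1…N]` with spaces around the plus, whereas every other shortcut in this hunk (`Ctrl+Alt+S`, `Ctrl+Tab`, `Ctrl+F4`, `Alt+X`, `Shift+F2`) is written without them; since this row is one of the changed lines, make it `Alt+[1…N]` for consistency with the rest of the sheet.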
- - - + + + - + @@ -136,11 +136,11 @@

Edit (Data Types – etc)

CopyCtrl+Ins
Begin selectionAlt+L
Manual instructionAlt+F2
CopyCtrl+Ins
Begin selectionAlt+L
Manual instructionAlt+F2
CodeC
DataD
Struct variableAlt+Q
Struct variableAlt+Q
ASCII stringA
ArrayNum *
UndefineU
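Review bot: the rewritten `Struct variable` / `Alt+Q` row in the Edit table duplicates the `Struct var` / `Alt+Q` row in the Structs table further down this file under a different label; use one wording (`Struct variable`) in both places or keep the entry in only one table. Two smaller points in the same hunk: the `Array` shortcut shown as `Num *` would be clearer as `Numpad *`, and the heading `Edit (Data Types – etc)` reads more naturally as `Edit (Data Types, etc.)`.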
- - - + + + - + @@ -148,32 +148,32 @@ - - - + + +

Operand Type

Offset (data segment)O
Offset (current segment)Ctrl+O
Offset by (any segment)Alt+R
Offset (user-defined)Ctrl+R
Offset (current segment)Ctrl+O
Offset by (any segment)Alt+R
Offset (user-defined)Ctrl+R
Offset (struct)T
Number (default)Shift+3
Number (default)Shift+3
HexadecimalQ
DecimalH
BinaryB
SegmentS
Enum memberM
Stack variableK
Change signShift+-
Bitwise negate Shift+`
ManualAlt+F1
Change signShift+-
Bitwise negate Shift+`
ManualAlt+F1
- - + +

Segments

Edit segmentAlt+S
Change segment register valueAlt+G
Edit segmentAlt+S
Change segment register valueAlt+G
- - - + + +

Structs

Struct varAlt+Q
Force zero offset fieldCtrl+Z
Select union memberAlt+Y
Struct varAlt+Q
Force zero offset fieldCtrl+Z
Select union memberAlt+Y
- + - - + +

Functions

Create functionP
Edit functionAlt+P
Edit functionAlt+P
Set function endE
Stack variablesCtrl+K
Change stack pointerAlt+K
Stack variablesCtrl+K
Change stack pointerAlt+K
Rename registerV
Set function typeY
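Review bot: the rewritten `Bitwise negate ` row in the Operand Type table still carries a trailing space after its label (`Bitwise negate Shift+``), which no other row in the table has; trim it in this change rather than carrying it forward.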
diff --git a/malware.md b/malware.md index efc1946..2987038 100644 --- a/malware.md +++ b/malware.md @@ -14,18 +14,12 @@ title: Malware Techniques | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ![alt text](https://securedorg.github.io/images/rightarrow.png) | ## Techniques Overview ## -* [Compression](#compression) -* [Obfuscation](#obfuscation) -* [Persistence](#persistence) -* [Privilege Escalation](#privilege-escalation) -* [Defense Evasion](#defense-evasion) -* [Credential Theft](#credential-theft) -* [Reconnaissance](#recon) -* [Lateral Movement](#lateral-movement) -* [Execution](#execution) -* [Collection](#collection) -* [Exfiltration](#exfiltration) -* [Command and Control](#command-and-control) +| [Compression](#compression) | [Obfuscation](#obfuscation) | [Persistence](#persistence) | +| [Privilege Escalation](#privilege-escalation) | [Defense Evasion](#defense-evasion) | [Credential Theft](#credential-theft) | +| [Reconnaissance](#recon) | [Lateral Movement](#lateral-movement) | [Execution](#execution) | +| [Collection](#collection) | [Exfiltration](#exfiltration) | [Command and Control](#command-and-control) | + +--- ## Compression @@ -59,6 +53,8 @@ title: Malware Techniques * [XComp/XPack](http://soft-lab.de/JoKo)
[Top^](#techniques-overview)
+ +--- ## Obfuscation @@ -70,6 +66,8 @@ title: Malware Techniques ![alt text](https://securedorg.github.io/images/CodeObfuscation.gif "CodeObfuscation") +--- + ## Persistence * Once malware gains access to a system, it often looks to be there for a long time. @@ -77,6 +75,8 @@ title: Malware Techniques ![alt text](https://securedorg.github.io/images/Persistence.png "Persistence") +--- + ## Privilege Escalation * Exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. @@ -94,6 +94,9 @@ title: Malware Techniques Example: Dll Search Order Hijacking ![alt text](https://securedorg.github.io/images/DLLload.gif "Dll loading") +--- + + ## Defense Evasion * Evading detection or avoiding defenses. * Common Techniques: @@ -105,6 +108,8 @@ Example: Dll Search Order Hijacking * Masquerading * Process Hallowing +--- + ## Credential Theft * Going after password storage @@ -114,28 +119,43 @@ Example: Dll Search Order Hijacking Example: Mimikatz credential theft ![alt text](https://securedorg.github.io/images/mimikatzElevate.png "Mimkatz Elevating") +--- + ## Reconnaissance * Gain knowledge about the system and internal network. +--- + ## Lateral Movement * Enable an adversary to access and control remote systems on a network and could +--- + ## Execution * Techniques that result in execution of adversary-controlled code on a local or remote system * scripts * post-exploitation +--- + + ## Collection * Identify and gather information, such as sensitive files, from a target network prior to exfiltration +--- + + ## Exfiltration * Removing files and information +--- + + ## Command and Control * Communicate with systems under their control
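Review bot: in the first hunk of `malware.md` (`@@ -14,18 +14,12 @@`) the four pipe-delimited rows that replace the bullet list have no header row and no delimiter row (`|---|---|---|`), so GitHub-flavored Markdown will not render them as a table and the pipes will appear as literal text; add a header and delimiter row above `| [Compression](#compression) | [Obfuscation](#obfuscation) | [Persistence](#persistence) |`, or keep the bullet list. The six-cell arrow row above `## Techniques Overview ##` cannot act as the header for these rows: the heading ends that table, and the column counts differ (6 versus 3).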
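Review bot: the Defense Evasion hunk (`@@ -105,6 +108,8 @@`) only inserts a `---` rule beneath the unchanged `* Process Hallowing` context line; since this section is being edited, correct that line to `* Process Hollowing` in the same change.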
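Review bot: in the last hunk (`@@ -114,28 +119,43 @@`) the unchanged Lateral Movement bullet ends mid-sentence (`... access and control remote systems on a network and could`) and the Mimikatz image alt text is spelled `Mimkatz Elevating`; with rules being inserted around both lines, complete the sentence and fix the spelling here. Also, the `---` rules added before `## Collection`, `## Exfiltration` and `## Command and Control` are followed by two blank lines, while the rule before `## Persistence` is followed by one; use one blank line after every rule.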