1. Analysis of Process and Thread Activity
Operations in Process and Thread Activity
- Process/Thread Create : a process/thread is created
- Process/Thread Start : a process/thread starts
- Load Image : an image is loaded
2. Analysis of File System Activity
Operations
- CreateFile:
  - creates a file or opens an existing file
  - also creates or opens objects other than files, such as pipes, mail slots, and consoles
- WriteFile : writes data to a file
- ReadFile : reads data from a file
- CopyFile : copies a file
- MoveFile : moves a file
- DeleteFile : deletes a file
- CloseFile : closes a file
- CreateFileMapping:
  - creates an MMF (Memory Mapped File)
  - executable files (EXE, DLL) generally become MMFs when they are run
- LockFile : locks the byte range specified in a file
- UnlockFileSingle : unlocks a byte range of a file that was locked
- FileSystemControl : sends a control code directly to the specified file system or file system filter driver, causing that driver to perform the specified operation
- QueryNameInformationFile : returns information about a file object; returns details about the form of its name
- QueryStandardInformationFile : returns information about a file object: the allocation size of the file in bytes, the end-of-file position as a byte offset, the number of hard links to the file, and whether the file object is a directory
- QueryInformationVolume : retrieves information about the volume associated with a given file, directory, storage device, or volume
- QueryDirectory : opens an existing directory; query access to the directory object
3. Registry Operations
RegOpenKey
The process opened the Registry key specified in the Path column.
RegCloseKey
The process closed the Registry key specified in the Path column.
RegQueryValue
The process queried for the value of the Registry value listed in the Path column. The value retrieved is listed in the Detail column.
RegEnumValue
The process is querying the value names and their data for the key in the Path. You will see repeated RegEnumValue and RegQueryValue operations until all the values under this key have been enumerated.
RegQueryKey
The process queried the Registry key listed in the Path for information about the key. This information, such as the amount of values or subkeys underneath it, is displayed in the Detail column.
RegEnumKey
The process queried the Registry key listed in the Path for information about its subkeys. You will see further RegEnumKey entries until there are no more subkeys to enumerate.
RegCreateKey
The process attempted to create the key specified in the Path column.
RegSetValue
The process created or set the data of the value in the Path column with the information from the Detail column.
4. File Operations
QueryBasicInformationFile
The process queried the file in the Path column for one of the following attributes: CreationTime, LastAccessTime, LastWriteTime, ChangeTime, FileAttributes
QueryStandardInformationFile
The process queried the file in the Path column for one of the following attributes: AllocationSize, EndOfFile, NumberOfLinks, DeletePending, Directory
QueryNameInformationFile
The process queried the file in the Path column for one of the following attributes: FileNameLength, FileName
SetBasicInformationFile
The process changed one of the following attributes in the file in the Path field: CreationTime, LastAccessTime, LastWriteTime, ChangeTime, FileAttributes
QueryOpen
Appears before each CreateFile operation, but I do not see what its purpose is. Anyone know?
CreateFile
The process opened or created the file specified in the Path. Whether the file was opened or created can be determined by the Disposition value in the Details column.
CloseFile
The process closed the file specified in the Path.
QueryDirectory
The process queried the contents of the directory listed in the Path. This listing will be found in the Details column.
WriteFile
The process wrote data to the file specified in the Path. The location written to in the file and the amount of data is specified in the Details column.
ReadFile
The process is reading the file specified in the Path statement. The Details column will tell you how many bytes were read during this operation. You will see more ReadFile operations until an End of File (EOF) is reached.
SetEndOfFileInformationFile
The process set the offset which the file’s End of File should be set to. This value is listed in the Details column.
SetRenameFileInformationFile
The process renamed the file or directory in the Path column to the file or directory found in the Details column.
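The Registry and File Operations above are easiest to reason about when a Process Monitor CSV export is rolled up per path. The following is an added example (not part of this page's notes): it parses the Detail column of CreateFile, ReadFile, WriteFile and RegSetValue rows and summarises what each path saw. The CSV text is constructed for the example and uses Process Monitor's default export columns.

```python
import csv
import io
import re
from collections import Counter

# Constructed Process Monitor CSV export (default columns) for this example; not a real capture.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
1:00:00.0001,notepad.exe,1234,CreateFile,C:\\Users\\u\\notes.txt,SUCCESS,"Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, OpenResult: Opened"
1:00:00.0002,notepad.exe,1234,ReadFile,C:\\Users\\u\\notes.txt,SUCCESS,"Offset: 0, Length: 4,096"
1:00:00.0003,notepad.exe,1234,ReadFile,C:\\Users\\u\\notes.txt,END OF FILE,"Offset: 4,096, Length: 4,096"
1:00:00.0004,notepad.exe,1234,CreateFile,C:\\Users\\u\\out.txt,SUCCESS,"Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
1:00:00.0005,notepad.exe,1234,WriteFile,C:\\Users\\u\\out.txt,SUCCESS,"Offset: 0, Length: 20"
1:00:00.0006,notepad.exe,1234,RegSetValue,HKCU\\Software\\Example\\Setting,SUCCESS,"Type: REG_SZ, Length: 20, Data: hello"
"""

def parse_detail(detail):
    """Split a Detail column such as 'Offset: 0, Length: 4,096' into a dict.
    Values may contain thousands-separator commas, so split only on ', ' that
    is followed by another 'Key: ' token."""
    fields = {}
    for part in re.split(r", (?=[A-Za-z ]+: )", detail):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def summarize(csv_text):
    """Per path: CreateFile outcome, bytes moved by ReadFile/WriteFile, registry writes."""
    created, opened = Counter(), Counter()
    bytes_read, bytes_written = Counter(), Counter()
    reg_writes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, d = row["Operation"], row["Path"], parse_detail(row["Detail"])
        if op == "CreateFile":
            # Disposition is what the caller asked for; OpenResult is what actually happened.
            (created if d.get("OpenResult") == "Created" else opened)[path] += 1
        elif op == "ReadFile" and row["Result"] == "SUCCESS":
            bytes_read[path] += int(d["Length"].replace(",", ""))  # END OF FILE rows moved no data
        elif op == "WriteFile" and row["Result"] == "SUCCESS":
            bytes_written[path] += int(d["Length"].replace(",", ""))
        elif op == "RegSetValue":
            reg_writes.append((path, d.get("Type"), d.get("Data")))
    return {"created": dict(created), "opened": dict(opened),
            "bytes_read": dict(bytes_read), "bytes_written": dict(bytes_written),
            "reg_writes": reg_writes}

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_CSV).items():
        print(name, value)
```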
5. Process Operations
Thread Create
The process created a new thread.
Thread Exit
A thread of the process exited.
Process Exit
The process exited.