Common API used in Malware
Networking
Raw Sockets | WinAPI Sockets |
socket() | WSAStratup() |
bind() | bind() |
listen() | listen() |
accept() | accept() |
connect() | connect() |
read()/recv() | recv() |
write() | send() |
shutdown() | WSACleanup() |
Persistence
Registry | File | Service |
RegCreateKeyEx() | GetTempPath() | OpenSCManager |
RegOpenKeyEx() | CopyFile() | CreateService() |
RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
RegDeleteKeyEx() | WriteFile() | |
RegGetValue() | ReadFile() |
Encryption
Name |
WinCrypt |
CryptAcquireContext() |
CryptGenKey() |
CryptDeriveKey() |
CryptDecrypt() |
CryptReleaseContext() |
Anti-Analysis/VM
Function Name | Assembly Instructions |
IsDebuggerPresent() | CPUID() |
GetSystemInfo() | IN() |
GlobalMemoryStatusEx() | |
GetVersion() | |
CreateToolhelp32Snapshot [Check if a process is running] | |
CreateFileW/A [Check if a file exist] |
Stealth
Name | |
VirtualAlloc | Alloc memory (packers) |
VirtualProtect | Change memory permission (packer giving execution permission to a section) |
ReadProcessMemory | Injection into external processes |
WriteProcessMemoryA/W | Injection into external processes |
NtWriteVirtualMemory | |
CreateRemoteThread | DLL/Process injection... |
NtUnmapViewOfSection | |
QueueUserAPC | |
CreateProcessInternalA/W |
Execution
Function Name |
CreateProcessA/W |
ShellExecute |
WinExec |
ResumeThread |
NtResumeThread |
Miscellaneous
GetAsyncKeyState() -- Key logging
SetWindowsHookEx -- Key logging
GetForeGroundWindow -- Get running window name (or the website from a browser)
LoadLibrary() -- Import library
GetProcAddress() -- Import library
CreateToolhelp32Snapshot() -- List running processes
GetDC() -- Screenshot
BitBlt() -- Screenshot
InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
FindResource(), LoadResource(), LockResource() -- Access resources of the executable
Last updated