Common API used in Malware
GetAsyncKeyState() -- Key logging (polling key state)
SetWindowsHookEx() -- Key logging (keyboard hook)
GetForegroundWindow() -- Get the active window title (or the website open in a browser)
LoadLibrary() -- Load a DLL at runtime (dynamic import)
GetProcAddress() -- Resolve the address of an exported function (dynamic import)
CreateToolhelp32Snapshot() -- List running processes
GetDC() -- Screenshot (obtain a device context)
BitBlt() -- Screenshot (copy screen pixels)
InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet (WinINet)
FindResource(), LoadResource(), LockResource() -- Access resources embedded in the executable (often a hidden payload)
| Raw Sockets | WinAPI Sockets |
| --- | --- |
| socket() | WSAStartup() |
| bind() | bind() |
| listen() | listen() |
| accept() | accept() |
| connect() | connect() |
| read()/recv() | recv() |
| write() | send() |
| shutdown() | WSACleanup() |
| Registry | File | Service |
| --- | --- | --- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager() |
| RegOpenKeyEx() | CopyFile() | CreateService() |
| RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile() | |
| RegGetValue() | ReadFile() | |
| Name (WinCrypt) |
| --- |
| CryptAcquireContext() |
| CryptGenKey() |
| CryptDeriveKey() |
| CryptDecrypt() |
| CryptReleaseContext() |
| Function Name | Assembly Instructions |
| --- | --- |
| IsDebuggerPresent() | CPUID |
| GetSystemInfo() | IN |
| GlobalMemoryStatusEx() | |
| GetVersion() | |
| CreateToolhelp32Snapshot() [Check if a process is running] | |
| CreateFileW/A() [Check if a file exists] | |
| Name | |
| --- | --- |
| VirtualAlloc | Alloc memory (packers) |
| VirtualProtect | Change memory permission (packer giving execution permission to a section) |
| ReadProcessMemory | Injection into external processes |
| WriteProcessMemoryA/W | Injection into external processes |
| NtWriteVirtualMemory | |
| CreateRemoteThread | DLL/Process injection... |
| NtUnmapViewOfSection | |
| QueueUserAPC | |
| CreateProcessInternalA/W | |
| Function Name |
| --- |
| CreateProcessA/W |
| ShellExecute |
| WinExec |
| ResumeThread |
| NtResumeThread |