Common API used in Malware

Networking

Raw Sockets

WinAPI Sockets

socket()

WSAStratup()

bind()

bind()

listen()

listen()

accept()

accept()

connect()

connect()

read()/recv()

recv()

write()

send()

shutdown()

WSACleanup()

Persistence

Registry

File

Service

RegCreateKeyEx()

GetTempPath()

OpenSCManager

RegOpenKeyEx()

CopyFile()

CreateService()

RegSetValueEx()

CreateFile()

StartServiceCtrlDispatcher()

RegDeleteKeyEx()

WriteFile()

RegGetValue()

ReadFile()

Encryption

Name

WinCrypt

CryptAcquireContext()

CryptGenKey()

CryptDeriveKey()

CryptDecrypt()

CryptReleaseContext()

Anti-Analysis/VM

Function Name

Assembly Instructions

IsDebuggerPresent()

CPUID()

GetSystemInfo()

IN()

GlobalMemoryStatusEx()

GetVersion()

CreateToolhelp32Snapshot [Check if a process is running]

CreateFileW/A [Check if a file exist]

Stealth

Name

VirtualAlloc

Alloc memory (packers)

VirtualProtect

Change memory permission (packer giving execution permission to a section)

ReadProcessMemory

Injection into external processes

WriteProcessMemoryA/W

Injection into external processes

NtWriteVirtualMemory

CreateRemoteThread

DLL/Process injection...

NtUnmapViewOfSection

QueueUserAPC

CreateProcessInternalA/W

Execution

Function Name

CreateProcessA/W

ShellExecute

WinExec

ResumeThread

NtResumeThread

Miscellaneous

  • GetAsyncKeyState() -- Key logging

  • SetWindowsHookEx -- Key logging

  • GetForeGroundWindow -- Get running window name (or the website from a browser)

  • LoadLibrary() -- Import library

  • GetProcAddress() -- Import library

  • CreateToolhelp32Snapshot() -- List running processes

  • GetDC() -- Screenshot

  • BitBlt() -- Screenshot

  • InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet

  • FindResource(), LoadResource(), LockResource() -- Access resources of the executable

Last updated