# Common API used in Malware

## Networking

| Raw Sockets  | WinAPI Sockets |
| ------------ | -------------- |
| socket()     | WSAStartup()   |
| bind()       | bind()         |
| listen()     | listen()       |
| accept()     | accept()       |
| connect()    | connect()      |
| read()/recv() | recv()        |
| write()      | send()         |
| shutdown()   | WSACleanup()   |
## Persistence

| Registry         | File          | Service                      |
| ---------------- | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager()              |
| RegOpenKeyEx()   | CopyFile()    | CreateService()              |
| RegSetValueEx()  | CreateFile()  | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile()   |                              |
| RegGetValue()    | ReadFile()    |                              |
## Encryption

| Name                   |
| ---------------------- |
| WinCrypt               |
| CryptAcquireContext()  |
| CryptGenKey()          |
| CryptDeriveKey()       |
| CryptDecrypt()         |
| CryptReleaseContext()  |
## Anti-Analysis/VM

| Function Name                                            | Assembly Instructions |
| -------------------------------------------------------- | --------------------- |
| IsDebuggerPresent()                                      | CPUID                 |
| GetSystemInfo()                                          | IN                    |
| GlobalMemoryStatusEx()                                   |                       |
| GetVersion()                                             |                       |
| CreateToolhelp32Snapshot() [Check if a process is running] |                     |
| CreateFileW/A [Check if a file exists]                   |                       |
## Stealth

| Name                     | Purpose                                                                    |
| ------------------------ | -------------------------------------------------------------------------- |
| VirtualAlloc             | Allocate memory (packers)                                                  |
| VirtualProtect           | Change memory permissions (packer giving execution permission to a section) |
| ReadProcessMemory        | Injection into external processes                                          |
| WriteProcessMemoryA/W    | Injection into external processes                                          |
| NtWriteVirtualMemory     |                                                                            |
| CreateRemoteThread       | DLL/Process injection...                                                   |
| NtUnmapViewOfSection     |                                                                            |
| QueueUserAPC             |                                                                            |
| CreateProcessInternalA/W |                                                                            |
## Execution

| Function Name    |
| ---------------- |
| CreateProcessA/W |
| ShellExecute     |
| WinExec          |
| ResumeThread     |
| NtResumeThread   |
## Miscellaneous

* GetAsyncKeyState() -- Key logging
* SetWindowsHookEx() -- Key logging
* GetForegroundWindow() -- Get the name of the active window (or the website open in a browser)
* LoadLibrary() -- Import a library
* GetProcAddress() -- Resolve a function from an imported library
* CreateToolhelp32Snapshot() -- List running processes
* GetDC() -- Screenshot
* BitBlt() -- Screenshot
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
* FindResource(), LoadResource(), LockResource() -- Access resources embedded in the executable