2020-12-03 18:00:02 +00:00
# Common API used in Malware
## Networking

The Berkeley \(POSIX\) socket calls and their Winsock counterparts are nearly identical. The Windows-specific additions are WSAStartup\(\), which initializes the Winsock library and must precede every other Winsock call, and WSACleanup\(\), which releases it; WSAStartup\(\) in an import table is therefore the quickest sign that a binary uses Winsock at all.

| Berkeley Sockets | WinAPI Sockets \(Winsock\) |
| :--- | :--- |
| socket\(\) | WSAStartup\(\), then socket\(\) |
| bind\(\) | bind\(\) |
| listen\(\) | listen\(\) |
| accept\(\) | accept\(\) |
| connect\(\) | connect\(\) |
| read\(\)/recv\(\) | recv\(\) |
| write\(\) | send\(\) |
| shutdown\(\) | shutdown\(\), then WSACleanup\(\) |

## Persistence

A common sequence: find a drop directory with GetTempPath\(\), copy the executable there with CopyFile\(\) or CreateFile\(\)/WriteFile\(\), then register that path either under a Run key \(RegOpenKeyEx\(\) + RegSetValueEx\(\)\) or as a service \(OpenSCManager\(\) + CreateService\(\)\). StartServiceCtrlDispatcher\(\) is called by the service binary itself once the SCM starts it, so its presence marks the binary that is meant to run as the service.

| Registry | File | Service |
| :--- | :--- | :--- |
| RegCreateKeyEx\(\) | GetTempPath\(\) | OpenSCManager\(\) |
| RegOpenKeyEx\(\) | CopyFile\(\) | CreateService\(\) |
| RegSetValueEx\(\) | CreateFile\(\) | StartServiceCtrlDispatcher\(\) |
| RegDeleteKeyEx\(\) | WriteFile\(\) | |
| RegGetValue\(\) | ReadFile\(\) | |

## Encryption

These are Windows CryptoAPI \(WinCrypt, wincrypt.h\) functions, listed in their usual call order. CryptDeriveKey\(\) turns a hash object into a session key, so a hard-coded string hashed just before it is often the key for an embedded payload that CryptDecrypt\(\) then unpacks.

| Name \(WinCrypt / CryptoAPI\) |
| :--- |
| CryptAcquireContext\(\) |
| CryptGenKey\(\) |
| CryptDeriveKey\(\) |
| CryptDecrypt\(\) |
| CryptReleaseContext\(\) |

## Anti-Analysis/VM

The function calls query facts about the environment that differ in a sandbox \(little RAM, few processors, analysis tools running, guest-tools files on disk\). The two instructions work below the API: CPUID leaf 1 sets ECX bit 31 when a hypervisor is present, and CPUID leaf 0x40000000 returns the hypervisor vendor string; IN targets the VMware backdoor I/O port \(EAX = 0x564D5868 "VMXh", DX = 0x5658\), which returns data inside VMware but raises a privileged-instruction exception on bare metal that the sample catches with an exception handler.

| Function Name | Assembly Instructions |
| :--- | :--- |
| IsDebuggerPresent\(\) | CPUID \[Hypervisor-present bit, hypervisor vendor string\] |
| GetSystemInfo\(\) \[Check the number of processors\] | IN \[VMware backdoor I/O port\] |
| GlobalMemoryStatusEx\(\) \[Check the amount of RAM\] | |
| GetVersion\(\) | |
| CreateToolhelp32Snapshot\(\) \[Check if an analysis tool's process is running\] | |
| CreateFileW/A \[Check if a file exists, e.g. a VM guest driver\] | |

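Byte-level signatures for the CPUID and IN checks in the table, as an added example that is not part of the original page. It assumes 32-bit x86 code without REX prefixes, uses the documented VMware backdoor constants \(EAX = 0x564D5868, DX = 0x5658\) and the CPUID hypervisor-present bit \(leaf 1, ECX bit 31\), and the code fragment it scans is constructed, not taken from a real sample.

```python
"""Byte-level scan for the CPUID / IN anti-VM checks listed in the table above.

Added example (not code from the original page). Assumptions: 32-bit x86 code
without REX prefixes, the documented VMware backdoor constants, and the CPUID
hypervisor-present bit. The sample buffer at the bottom is constructed, not
taken from a real sample.
"""
from __future__ import annotations

import re

CPUID = b"\x0f\xa2"                                   # cpuid
IN_EAX_DX = b"\xed"                                   # in eax, dx
VMWARE_MAGIC = (0x564D5868).to_bytes(4, "little")     # "VMXh" in EAX
VMWARE_PORT = (0x5658).to_bytes(2, "little")          # "VX" in DX
GAP = b".{0,16}?"                                     # up to 16 filler bytes between the pieces

PATTERNS = {
    # mov eax, 0x564D5868 ; ... ; mov dx, 0x5658 ; ... ; in eax, dx
    "vmware_backdoor": re.compile(
        b"\xb8" + re.escape(VMWARE_MAGIC) + GAP
        + b"\x66\xba" + re.escape(VMWARE_PORT) + GAP + IN_EAX_DX,
        re.DOTALL,
    ),
    # mov eax, 1 ; cpuid ; test ecx, 0x80000000   (or bt ecx, 31)
    "cpuid_hypervisor_bit": re.compile(
        b"\xb8\x01\x00\x00\x00" + CPUID + GAP
        + b"(?:\xf7\xc1\x00\x00\x00\x80|\x0f\xba\xe1\x1f)",
        re.DOTALL,
    ),
    # mov eax, 0x40000000 ; cpuid   (vendor leaf: "VMwareVMware", "KVMKVMKVM", ...)
    "cpuid_hypervisor_vendor": re.compile(
        b"\xb8\x00\x00\x00\x40" + CPUID,
        re.DOTALL,
    ),
}


def scan(buf: bytes) -> dict[str, list[int]]:
    """Return {indicator_name: [offsets]} for every indicator, hits or not."""
    return {name: [m.start() for m in rx.finditer(buf)] for name, rx in PATTERNS.items()}


def anti_vm_indicators(buf: bytes) -> list[str]:
    """Names of the indicators that occur at least once in buf, sorted."""
    return sorted(name for name, hits in scan(buf).items() if hits)


# Constructed code fragment: VMware backdoor GETVERSION probe followed by a
# CPUID hypervisor-bit test. Backdoor sequence starts at offset 3, cpuid test at 25.
SAMPLE = (
    b"\x55\x8b\xec"                 # push ebp ; mov ebp, esp
    b"\xb8\x68\x58\x4d\x56"         # mov eax, 0x564D5868
    b"\xbb\x00\x00\x00\x00"         # mov ebx, 0
    b"\xb9\x0a\x00\x00\x00"         # mov ecx, 10  (BDOOR_CMD_GETVERSION)
    b"\x66\xba\x58\x56"             # mov dx, 0x5658
    b"\xed"                         # in eax, dx
    b"\x90\x90"                     # nop ; nop
    b"\xb8\x01\x00\x00\x00"         # mov eax, 1
    b"\x0f\xa2"                     # cpuid
    b"\xf7\xc1\x00\x00\x00\x80"     # test ecx, 0x80000000
    b"\x75\x05"                     # jnz <vm_detected>
    b"\xc3"                         # ret
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:24s} {[hex(o) for o in offsets]}")
```

Byte signatures like these are cheap to run over an unpacked section but miss trivial variations \(the constant built in two halves, a different register, a 64-bit REX-prefixed encoding\), which is why the API-level indicators in the table are checked alongside them.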
## Stealth

WriteProcessMemory\(\) takes no string argument, so it has no A/W variants; the A/W split only applies to functions such as CreateProcessInternalA/W.

| Name | Purpose |
| :--- | :--- |
| VirtualAlloc | Alloc memory \(packers: a buffer for the unpacked code\) |
| VirtualProtect | Change memory permission \(packer giving execution permission to a section\) |
| ReadProcessMemory | Injection into external processes \(read the target's memory, e.g. its PEB or image base\) |
| WriteProcessMemory | Injection into external processes \(write the payload into the target\) |
| NtWriteVirtualMemory | Native \(ntdll\) counterpart of WriteProcessMemory; called directly to bypass user-mode hooks on the kernel32 export |
| CreateRemoteThread | DLL/Process injection: start a thread in the target at LoadLibrary or at the injected code |
| NtUnmapViewOfSection | Process hollowing: unmap the legitimate image from a suspended process before the payload is written in its place |
| QueueUserAPC | APC injection: queue the payload to run on one of the target's threads |
| CreateProcessInternalA/W | Undocumented kernel32 function behind CreateProcessA/W; used to create the \(often suspended\) host process for hollowing |

## Execution

ResumeThread\(\)/NtResumeThread\(\) are the tell for a process created with CREATE\_SUSPENDED: the payload is written into the child before its main thread is resumed.

| Function Name |
| :--- |
| CreateProcessA/W |
| ShellExecute |
| WinExec |
| ResumeThread |
| NtResumeThread |

## Miscellaneous

* GetAsyncKeyState\(\) -- Key logging \(polling key state in a loop\)
* SetWindowsHookEx\(\) -- Key logging \(keyboard hook, e.g. WH\_KEYBOARD\_LL\)
* GetForegroundWindow\(\) -- Get the active window; its title \(e.g. the site open in a browser\) is used to tag logged keystrokes
* LoadLibrary\(\) -- Import a library at runtime \(hides the real imports from static analysis\)
* GetProcAddress\(\) -- Resolve a function at runtime \(same purpose, often behind an API-hashing routine\)
* CreateToolhelp32Snapshot\(\) -- List running processes
* GetDC\(\) -- Screenshot
* BitBlt\(\) -- Screenshot
* InternetOpen\(\), InternetOpenUrl\(\), InternetReadFile\(\), InternetWriteFile\(\) -- Access the Internet \(WinINet, a higher-level API than Winsock\)
* FindResource\(\), LoadResource\(\), LockResource\(\) -- Access resources of the executable \(embedded payloads or configuration\)
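To put the tables and the list above to work, the following added example \(not code from the original page\) normalizes a PE's import names \(Zw\* to Nt\*, ANSI/Unicode A/W suffixes dropped\), sorts them into this page's categories and flags the capability chains they form \(hollowing, remote-thread injection, Run-key or service persistence, keylogging, screenshots, embedded payloads\). OpenProcess and VirtualAllocEx are additions: the page does not list them, but the classic remote-thread injection chain needs them. The import list is constructed; reading real imports uses the third-party pefile package, which the script only imports when asked.

```python
"""Triage a PE import list against the API categories on this page.

Added example (not code from the original page). OpenProcess and VirtualAllocEx
are additions: the page does not list them, but the remote-thread injection chain
needs them. SAMPLE_IMPORTS is a constructed list; imports_from_pe() reads a real
file and needs the third-party pefile package.
"""
from __future__ import annotations

CATEGORIES: dict[str, set[str]] = {
    "networking": {"WSAStartup", "socket", "bind", "listen", "accept", "connect", "recv", "send",
                   "WSACleanup", "InternetOpen", "InternetOpenUrl", "InternetReadFile", "InternetWriteFile"},
    "persistence": {"RegCreateKeyEx", "RegOpenKeyEx", "RegSetValueEx", "RegDeleteKeyEx", "RegGetValue",
                    "GetTempPath", "CopyFile", "CreateFile", "WriteFile", "ReadFile",
                    "OpenSCManager", "CreateService", "StartServiceCtrlDispatcher"},
    "encryption": {"CryptAcquireContext", "CryptGenKey", "CryptDeriveKey", "CryptDecrypt", "CryptReleaseContext"},
    "anti_analysis": {"IsDebuggerPresent", "GetSystemInfo", "GlobalMemoryStatusEx", "GetVersion"},
    "stealth": {"VirtualAlloc", "VirtualProtect", "ReadProcessMemory", "WriteProcessMemory",
                "NtWriteVirtualMemory", "CreateRemoteThread", "NtUnmapViewOfSection", "QueueUserAPC",
                "CreateProcessInternal", "OpenProcess", "VirtualAllocEx"},  # last two: additions
    "execution": {"CreateProcess", "ShellExecute", "WinExec", "ResumeThread", "NtResumeThread"},
    "misc": {"GetAsyncKeyState", "SetWindowsHookEx", "GetForegroundWindow", "LoadLibrary", "GetProcAddress",
             "CreateToolhelp32Snapshot", "GetDC", "BitBlt", "FindResource", "LoadResource", "LockResource"},
}

# A capability is flagged when every function in its chain is imported.
CHAINS: dict[str, set[str]] = {
    "remote_thread_injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "process_hollowing": {"CreateProcess", "NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread"},
    "apc_injection": {"WriteProcessMemory", "QueueUserAPC"},
    "service_persistence": {"OpenSCManager", "CreateService"},
    "run_key_persistence": {"RegOpenKeyEx", "RegSetValueEx"},
    "keylogger_hook": {"SetWindowsHookEx"},
    "keylogger_polling": {"GetAsyncKeyState", "GetForegroundWindow"},
    "screenshot": {"GetDC", "BitBlt"},
    "embedded_payload": {"FindResource", "LoadResource", "LockResource"},
}
PACKED_IMPORT_THRESHOLD = 6  # tunable assumption: a real program imports far more than this


def normalize(name: str) -> str:
    """Canonical import name: Zw* -> Nt*, trailing ANSI/Unicode A/W suffix dropped."""
    name = name.strip()
    if name.startswith("Zw"):
        name = "Nt" + name[2:]
    # CreateFileW -> CreateFile, RegSetValueExW -> RegSetValueEx; VirtualAllocEx is left alone.
    if len(name) > 3 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name


def categorize(imports: list[str]) -> dict[str, set[str]]:
    """Bucket imports into the page's categories; names the page does not cover are ignored."""
    present = {normalize(n) for n in imports}
    return {cat: names & present for cat, names in CATEGORIES.items() if names & present}


def infer_capabilities(imports: list[str]) -> list[str]:
    """Capability chains fully present in the import list, plus a packer heuristic."""
    present = {normalize(n) for n in imports}
    caps = sorted(cap for cap, chain in CHAINS.items() if chain <= present)
    # Packers leave a tiny import table that still resolves APIs by hand.
    if {"LoadLibrary", "GetProcAddress"} <= present and len(present) <= PACKED_IMPORT_THRESHOLD:
        caps.append("runtime_api_resolution_or_packed")
    return caps


def imports_from_pe(path: str) -> list[str]:
    """Imported function names of a PE on disk (imports by ordinal have no name and are skipped)."""
    import pefile  # third-party; only needed for real files

    pe = pefile.PE(path)
    return [
        imp.name.decode()
        for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
        for imp in entry.imports
        if imp.name
    ]


# Constructed import list resembling a dropper that hollows a process and persists
# through a Run key. Not taken from a real sample.
SAMPLE_IMPORTS = [
    "CreateProcessW", "NtUnmapViewOfSection", "ZwWriteVirtualMemory", "WriteProcessMemory",
    "ResumeThread", "VirtualAllocEx", "RegOpenKeyExW", "RegSetValueExW", "GetTempPathW",
    "CopyFileW", "IsDebuggerPresent", "LoadLibraryA", "GetProcAddress",
]

if __name__ == "__main__":
    for cat, names in categorize(SAMPLE_IMPORTS).items():
        print(f"{cat:14s} {sorted(names)}")
    print("capabilities:", infer_capabilities(SAMPLE_IMPORTS))
```

The chains are deliberately strict \(every function must be present\) so the output stays a triage hint rather than a verdict: a sample that resolves its injection APIs through GetProcAddress\(\) will show only the packer heuristic here, and the real import set then has to come from a memory dump after unpacking.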