hacktricks/reversing/common-api-used-in-malware.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


# Generic

## Networking

| Raw Sockets   | WinAPI Sockets |
| ------------- | -------------- |
| socket()      | WSAStratup()   |
| bind()        | bind()         |
| listen()      | listen()       |
| accept()      | accept()       |
| connect()     | connect()      |
| read()/recv() | recv()         |
| write()       | send()         |
| shutdown()    | WSACleanup()   |

## Persistence

| Registry         | File          | Service                      |
| ---------------- | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager                |
| RegOpenKeyEx()   | CopyFile()    | CreateService()              |
| RegSetValueEx()  | CreateFile()  | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile()   |                              |
| RegGetValue()    | ReadFile()    |                              |

## Encryption

| Name                  |
| --------------------- |
| WinCrypt              |
| CryptAcquireContext() |
| CryptGenKey()         |
| CryptDeriveKey()      |
| CryptDecrypt()        |
| CryptReleaseContext() |

## Anti-Analysis/VM

| Function Name                                             | Assembly Instructions |
| --------------------------------------------------------- | --------------------- |
| IsDebuggerPresent()                                       | CPUID()               |
| GetSystemInfo()                                           | IN()                  |
| GlobalMemoryStatusEx()                                    |                       |
| GetVersion()                                              |                       |
| CreateToolhelp32Snapshot \[Check if a process is running] |                       |
| CreateFileW/A \[Check if a file exist]                    |                       |

## Stealth

| Name                     |                                                                            |
| ------------------------ | -------------------------------------------------------------------------- |
| VirtualAlloc             | Alloc memory (packers)                                                     |
| VirtualProtect           | Change memory permission (packer giving execution permission to a section) |
| ReadProcessMemory        | Injection into external processes                                          |
| WriteProcessMemoryA/W    | Injection into external processes                                          |
| NtWriteVirtualMemory     |                                                                            |
| CreateRemoteThread       | DLL/Process injection...                                                   |
| NtUnmapViewOfSection     |                                                                            |
| QueueUserAPC             |                                                                            |
| CreateProcessInternalA/W |                                                                            |

## Execution

| Function Name    |
| ---------------- |
| CreateProcessA/W |
| ShellExecute     |
| WinExec          |
| ResumeThread     |
| NtResumeThread   |

## Miscellaneous

* GetAsyncKeyState() -- Key logging
* SetWindowsHookEx -- Key logging
* GetForeGroundWindow -- Get running window name (or the website from a browser)
* LoadLibrary() -- Import library
* GetProcAddress() -- Import library
* CreateToolhelp32Snapshot() -- List running processes
* GetDC() -- Screenshot
* BitBlt() -- Screenshot
* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
* FindResource(), LoadResource(), LockResource() -- Access resources of the executable

# Malware Techniques

## DLL Injection

Execute an arbitrary DLL inside another process

1. Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary

Other functions to use: NTCreateThreadEx, RtlCreateUserThread

## Reflective DLL Injection

Load a malicious DLL without calling normal Windows API calls.\
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.

## Thread Hijacking

Find a thread from a process and make it load a malicious DLL

1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Open the thread: OpenThread
3. Suspend the thread: SuspendThread
4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
5. Resume the thread loading the library: ResumeThread

## PE Injection

Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.

## Process Hollowing

The malware will unmap the legitimate code from memory of the process and load a malicious binary

1. Create a new process: CreateProcess
2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
3. Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory
4. Set the entrypoint and execute: SetThreadContext, ResumeThread

# Hooking

* The **SSDT** (**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
  * A rootkit may modify these pointer to addresses that he controls
* **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
* The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
* **EAT** (**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
* **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the begging of this.


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`


GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Generic`

			`## Networking`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| Raw Sockets \| WinAPI Sockets \|`
			`\| ------------- \| -------------- \|`
			`\| socket() \| WSAStratup() \|`
			`\| bind() \| bind() \|`
			`\| listen() \| listen() \|`
			`\| accept() \| accept() \|`
			`\| connect() \| connect() \|`
			`\| read()/recv() \| recv() \|`
			`\| write() \| send() \|`
			`\| shutdown() \| WSACleanup() \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Persistence`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| Registry \| File \| Service \|`
			`\| ---------------- \| ------------- \| ---------------------------- \|`
			`\| RegCreateKeyEx() \| GetTempPath() \| OpenSCManager \|`
			`\| RegOpenKeyEx() \| CopyFile() \| CreateService() \|`
			`\| RegSetValueEx() \| CreateFile() \| StartServiceCtrlDispatcher() \|`
			`\| RegDeleteKeyEx() \| WriteFile() \| \|`
			`\| RegGetValue() \| ReadFile() \| \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Encryption`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| Name \|`
			`\| --------------------- \|`
			`\| WinCrypt \|`
			`\| CryptAcquireContext() \|`
			`\| CryptGenKey() \|`
			`\| CryptDeriveKey() \|`
			`\| CryptDecrypt() \|`
			`\| CryptReleaseContext() \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Anti-Analysis/VM`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| Function Name \| Assembly Instructions \|`
			`\| --------------------------------------------------------- \| --------------------- \|`
			`\| IsDebuggerPresent() \| CPUID() \|`
			`\| GetSystemInfo() \| IN() \|`
			`\| GlobalMemoryStatusEx() \| \|`
			`\| GetVersion() \| \|`
			`\| CreateToolhelp32Snapshot \[Check if a process is running] \| \|`
			`\| CreateFileW/A \[Check if a file exist] \| \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Stealth`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| Name \| \|`
			`\| ------------------------ \| -------------------------------------------------------------------------- \|`
			`\| VirtualAlloc \| Alloc memory (packers) \|`
			`\| VirtualProtect \| Change memory permission (packer giving execution permission to a section) \|`
			`\| ReadProcessMemory \| Injection into external processes \|`
			`\| WriteProcessMemoryA/W \| Injection into external processes \|`
			`\| NtWriteVirtualMemory \| \|`
			`\| CreateRemoteThread \| DLL/Process injection... \|`
			`\| NtUnmapViewOfSection \| \|`
			`\| QueueUserAPC \| \|`
			`\| CreateProcessInternalA/W \| \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Execution`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| Function Name \|`
			`\| ---------------- \|`
GitBook: [master] 411 pages modified 2020-12-09 00:31:50 +00:00			`\| CreateProcessA/W \|`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`\| ShellExecute \|`
			`\| WinExec \|`
			`\| ResumeThread \|`
			`\| NtResumeThread \|`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Miscellaneous`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`* GetAsyncKeyState() -- Key logging`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00			`* SetWindowsHookEx -- Key logging`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`* GetForeGroundWindow -- Get running window name (or the website from a browser)`
			`* LoadLibrary() -- Import library`
			`* GetProcAddress() -- Import library`
			`* CreateToolhelp32Snapshot() -- List running processes`
			`* GetDC() -- Screenshot`
			`* BitBlt() -- Screenshot`
			`* InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet`
			`* FindResource(), LoadResource(), LockResource() -- Access resources of the executable`
GitBook: [master] 2 pages modified 2020-12-03 18:00:02 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Malware Techniques`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## DLL Injection`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
			`Execute an arbitrary DLL inside another process`

			`1. Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next`
			`2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess`
			`3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory`
			`4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary`

			`Other functions to use: NTCreateThreadEx, RtlCreateUserThread`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Reflective DLL Injection`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Load a malicious DLL without calling normal Windows API calls.\`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00			`The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Thread Hijacking`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
			`Find a thread from a process and make it load a malicious DLL`

			`1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next`
			`2. Open the thread: OpenThread`
			`3. Suspend the thread: SuspendThread`
			`4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory`
			`5. Resume the thread loading the library: ResumeThread`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## PE Injection`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
			`Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`## Process Hollowing`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
			`The malware will unmap the legitimate code from memory of the process and load a malicious binary`

			`1. Create a new process: CreateProcess`
			`2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection`
			`3. Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory`
			`4. Set the entrypoint and execute: SetThreadContext, ResumeThread`

GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00			`# Hooking`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`* The SSDT (System Service Descriptor Table) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00			`* A rootkit may modify these pointer to addresses that he controls`
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`* IRP (I/O Request Packets) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)`
			`* The IAT (Import Address Table) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.`
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`* EAT (Export Address Table) Hooks. This hooks can be done from userland. The goal is to hook exported functions by DLLs.`
GitBook: [master] one page modified 2021-09-07 00:15:14 +00:00			`* Inline Hooks: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the begging of this.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`
GitBook: [#3165] No subject 2022-05-01 16:32:23 +00:00