hacktricks/reversing/common-api-used-in-malware.md

Common API used in Malware

Networking

Raw Sockets	WinAPI Sockets
socket()	WSAStratup()
bind()	bind()
listen()	listen()
accept()	accept()
connect()	connect()
read()/recv()	recv()
write()	send()
shutdown()	WSACleanup()

Persistence

Registry	File	Service
RegCreateKeyEx()	GetTempPath()	OpenSCManager
RegOpenKeyEx()	CopyFile()	CreateService()
RegSetValueEx()	CreateFile()	StartServiceCtrlDispatcher()
RegDeleteKeyEx()	WriteFile()
RegGetValue()	ReadFile()

Encryption

Name
WinCrypt
CryptAcquireContext()
CryptGenKey()
CryptDeriveKey()
CryptDecrypt()
CryptReleaseContext()

Anti-Analysis/VM

Function Name	Assembly Instructions
IsDebuggerPresent()	CPUID()
GetSystemInfo()	IN()
GlobalMemoryStatusEx()
GetVersion()
CreateToolhelp32Snapshot [Check if a process is running]
CreateFileW/A [Check if a file exist]

Stealth

Name
VirtualAlloc	Alloc memory packers
VirtualProtect	Change memory permission packer giving execution permission to a section
ReadProcessMemory	Injection into external processes
WriteProcessMemoryA/W	Injection into external processes
NtWriteVirtualMemory
CreateRemoteThread	DLL/Process injection...
NtUnmapViewOfSection
QueueUserAPC
CreateProcessInternalA/W

Execution

Function Name
CreateProcessA/W
ShellExecute
WinExec
ResumeThread
NtResumeThread

Miscellaneous

• GetAsyncKeyState() -- Key logging
• SetWindowsHookEx -- Key logging
• GetForeGroundWindow -- Get running window name or the website from a browser
• LoadLibrary() -- Import library
• GetProcAddress() -- Import library
• CreateToolhelp32Snapshot() -- List running processes
• GetDC() -- Screenshot
• BitBlt() -- Screenshot
• InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
• FindResource(), LoadResource(), LockResource() -- Access resources of the executable