Friday, May 2, 2014

Windows API's used by Malware

Below Windows API's are frequently used by Malware, though this is not an exhaustive list.

Anti-debugging Techniques
kerne32.CloseHandle
kernel32.GetTickCount
the byte at offset 0x02(IsDebugged) in the PEB is set(debugged) or not
Check for the NtGlobalFlags at offset 0x68 in the PEB

kernel32.GetProcAdddress
kernel32.LoadLibraryA
kernel32.OpenProcess - get handle of a given process
kernel32.VirutalAllocEx - reserves within the virtual address space of a process
kernel32.CreateRemoteThread - create Thread (inside a process)

FindResource
LockResource
ShellExecute
GetThreadContext
CreateProcessA
ReadProcessMemory
WriteProcessMemory
NtQueueApcThread
CreateToolhelp32Snapshot
Thread32First
Thread32Next
SetWindowsHookEx
NtSetSystemInformation
CreateFile

File handling functions
Registry handling function
Network communication API's

Tutorial for learning Malware analysis
https://noppa.aalto.fi/noppa/kurssi/t-110.6220/luennot