Common APIs used in malware

A non-exhaustive list of common APIs used in malware (from my badly written notes). This documentation will be added to and updated as I learn more. :3

Stealth APIs

Just a few common stealth APIs used in malware. If you are analysing an app and you don't know what it does, you can put breakpoints on these functions to get an idea of what is running. For example, if it starts another svchost process and injects into it and you want to figure out how, put a breakpoint on any of these and it will lead you to the technique the malware is using: if it hits the breakpoint at QueueUserAPC() you can have high confidence that it is about to do APC injection, and so on. All of the following APIs can be found online and the injection techniques built on them are heavily documented, so you can read up on them.

  • VirtualAlloc()
  • VirtualProtect()

Note: VirtualAlloc allocates memory. VirtualProtect changes the protection of memory. These APIs are used in most crypters/packers.

  • ReadProcessMemory()
  • WriteProcessMemory()
  • NtWriteVirtualMemory()

Note: These read and write APIs are commonly used for injecting into external processes (explorer.exe, svchost.exe, etc.). They are good places to put a breakpoint so you can view what is being written into the virtual memory of the target process.

  • CreateRemoteThread()

Note: CreateRemoteThread is used a lot for DLL injection and process injection. It executes the injected code in the remote target process.

  • NtUnmapViewOfSection() - Another injection technique.
  • QueueUserAPC() - APC injection technique.

Anti-Analysis/Anti-VM

  • IsDebuggerPresent() - Checks to see if a debugger is attached to the running process.
  • GetSystemInfo() - Used to determine OS info.
  • GlobalMemoryStatusEx() - Used to get the physical memory of the machine.

Note: Some samples actually check that the machine has more than 8GB / 4GB of memory to rule out running in a sandbox or VM. Sandboxes have a limited amount of memory (e.g. 2GB). If the sample decides it is in a sandbox it will exit or change behaviour.

  • GetVersion()

There are two assembly instructions frequently used to get an idea of whether something is running in a VM:

  • CPUID - Most common.
  • IN

Networking

There are two different types of sockets commonly found in malware: raw sockets and Win32 (WinAPI) sockets.

Raw sockets: Raw sockets use the base socket API and make a simple TCP connection. They aren't commonly used in more sophisticated malware. Typically raw sockets are used over LAN networks and are not well suited to use over the internet.

  • socket() - Called first to create the socket.
  • Server - In a server you will see the following calls:
    • bind()
    • listen()
    • accept()
  • Client - In a client you will see the following calls:
    • connect()
    • read()/recv()
    • write()
    • shutdown()

WinAPI Sockets:

  • WSAStartup() - Required initialiser for WinAPI sockets.
  • Server
    • bind()
    • listen()
    • accept()
  • Client
    • connect()
    • send()
    • recv()
    • WSACleanup()

Apart from initialisation, the WinAPI calls mirror the raw socket ones: Win32 send() and recv() are used in place of write() and read(), and WSACleanup() is called at the end instead of shutdown().

Important: The most important thing to look out for is WSAStartup, because WinAPI sockets can't be initialised without calling it.

Persistence

Registry Persistence:

Note: These are the most common registry APIs that let you create registry keys; there are a lot more though. The "Ex" suffix just marks the updated version of the WinAPI function, and the functions can also be used without Ex.

  • RegCreateKeyEx()
  • RegOpenKeyEx()
  • RegSetValueEx()
  • RegDeleteKeyEx()
  • RegGetValue()

File Persistence:

  • GetTempPath() - Gets path to temporary folder.
  • CopyFile() - Copies a file to a different directory.
  • CreateFile() - Can be used to create a file OR open a file.
  • WriteFile()
  • ReadFile()

Service Persistence:

Note: Persistence through creating services on the machine. Using the following requires admin rights or a UAC bypass.

  • OpenSCManager()
  • CreateService()
  • StartServiceCtrlDispatcher()

Encryption

WinCrypt API

  • CryptAcquireContext() - This must be called in order to initialise the wincrypt API.
  • CryptGenKey() - Generates a key.
  • CryptDestroyKey() - Destroys the key so you can't find it in memory.
  • CryptDeriveKey() - Derives a key from a given string or hash.
  • CryptEncrypt() - Encrypts data.
  • CryptDecrypt() - Decrypts data.
  • CryptReleaseContext() - Called at the end as cleanup.

Execution

The following are all used to execute processes or resume threads inside of executable processes.

  • CreateProcess()
  • ShellExecute()
  • WinExec()
  • ResumeThread()

Miscellaneous

  • GetAsyncKeyState()
  • SetWindowsHookEx()

Note: Both of the above are commonly used for keylogging. SetWindowsHookEx can be used for other things, but it's typically used for keylogging.

  • GetForegroundWindow() - Threat actors will use this to track the current window.

  • LoadLibrary()

  • GetProcAddress()

Note: LoadLibrary and GetProcAddress are used for dynamically importing libraries. If a malware sample only has 3 imports, you can put a breakpoint on these two and it's inevitable that it will resolve more functions, such as SetWindowsHookEx().

  • CreateToolhelp32Snapshot() - Used to get a list of running processes.

  • GetDC(), BitBlt() - These are used for taking screenshots (the screenshot API).

  • InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() - WinINet functions that allow the malware to interact with the internet, e.g. downloading something from a URL.

  • FindResource(), LoadResource(), LockResource() - Used to get attached resources from within the malware executable itself.
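As an added example (my own triage helper, not code from the original notes), the following Python groups an import table into the categories above and applies the combination rules the notes describe: a remote write paired with a remote execute for injection, WSAStartup as the tell for WinAPI sockets, and a sparse import table with LoadLibrary/GetProcAddress for run-time resolution. The category sets, rule names, the SPARSE_IMPORTS threshold and the two sample import lists are my assumptions.

```python
# Added triage helper, not from the original notes: groups an executable's imported function names
# into the API families on this page and raises the combination flags the notes describe.
SPARSE_IMPORTS = 10  # assumption: an import table this small suggests run-time resolution
CATEGORIES = {
    "injection": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "ReadProcessMemory",
                  "WriteProcessMemory", "NtWriteVirtualMemory", "CreateRemoteThread",
                  "NtUnmapViewOfSection", "QueueUserAPC"},
    "anti-analysis": {"IsDebuggerPresent", "GetSystemInfo", "GlobalMemoryStatusEx", "GetVersion"},
    "winsock": {"WSAStartup", "WSACleanup", "socket", "bind", "listen", "accept", "connect", "send", "recv"},
    "persistence": {"RegCreateKeyEx", "RegOpenKeyEx", "RegSetValueEx", "RegDeleteKeyEx", "RegGetValue",
                    "GetTempPath", "CopyFile", "OpenSCManager", "CreateService", "StartServiceCtrlDispatcher"},
    "crypto": {"CryptAcquireContext", "CryptGenKey", "CryptDeriveKey", "CryptEncrypt",
               "CryptDecrypt", "CryptDestroyKey", "CryptReleaseContext"},
    "execution": {"CreateProcess", "ShellExecute", "WinExec", "ResumeThread"},
    "surveillance": {"GetAsyncKeyState", "SetWindowsHookEx", "GetForegroundWindow", "GetDC",
                     "BitBlt", "InternetOpen", "InternetOpenUrl", "InternetReadFile"},
    "dynamic-import": {"LoadLibrary", "GetProcAddress"},
}

# A rule fires when every one of its sets shares at least one name with the import table
RULES = {
    "injection-chain": [{"WriteProcessMemory", "NtWriteVirtualMemory"},
                        {"CreateRemoteThread", "QueueUserAPC", "NtUnmapViewOfSection", "ResumeThread"}],
    "winsock": [{"WSAStartup"}],  # WinAPI sockets cannot be used without it
    "service-persistence": [{"OpenSCManager"}, {"CreateService"}],
    "keylogging": [{"SetWindowsHookEx", "GetAsyncKeyState"}],
    "sandbox-check": [{"IsDebuggerPresent", "GlobalMemoryStatusEx"}],
}

def canonical(name):
    # Drop the ANSI/Unicode suffix so CreateProcessW and CreateProcessA both match CreateProcess
    return name[:-1] if len(name) > 2 and name[-1] in "AW" and name[-2].islower() else name

def categorize(imports):
    """Return {category: sorted matching imports} for every category with at least one hit."""
    names = {canonical(n) for n in imports}
    return {cat: sorted(names & apis) for cat, apis in CATEGORIES.items() if names & apis}

def triage_flags(imports):
    """Sorted list of combination flags; dynamic-resolution also requires a sparse import table."""
    names = {canonical(n) for n in imports}
    flags = [flag for flag, groups in RULES.items() if all(names & g for g in groups)]
    if {"LoadLibrary", "GetProcAddress"} <= names and len(names) <= SPARSE_IMPORTS:
        flags.append("dynamic-resolution")  # the real imports are resolved at run time
    return sorted(flags)

# Constructed import tables for the two patterns the notes describe (not from any real binary)
PACKED_SAMPLE = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect"]
INJECTOR_SAMPLE = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "WSAStartup", "connect", "send", "recv", "IsDebuggerPresent", "CreateProcessW"]
```

Feed it the function names from a real sample's import table (or the names you see resolved at a GetProcAddress breakpoint) to get a first-pass idea of which sections of these notes to read next.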