Common API used in Malware

Networking

| Raw Sockets | WinAPI Sockets |
|---|---|
| socket() | WSAStartup() |
| bind() | bind() |
| listen() | listen() |
| accept() | accept() |
| connect() | connect() |
| read()/recv() | recv() |
| write() | send() |
| shutdown() | WSACleanup() |

Persistence

| Registry | File | Service |
|---|---|---|
| RegCreateKeyEx() | GetTempPath() | OpenSCManager() |
| RegOpenKeyEx() | CopyFile() | CreateService() |
| RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile() | |
| RegGetValue() | ReadFile() | |

Encryption

| Name |
|---|
| WinCrypt |
| CryptAcquireContext() |
| CryptGenKey() |
| CryptDeriveKey() |
| CryptDecrypt() |
| CryptReleaseContext() |

Anti-Analysis/VM

| Function Name | Assembly Instructions |
|---|---|
| IsDebuggerPresent() | CPUID |
| GetSystemInfo() | IN (I/O port read) |
| GlobalMemoryStatusEx() | |
| GetVersion() | |
| CreateToolhelp32Snapshot() [Check if a process is running] | |
| CreateFileW/A() [Check if a file exists] | |

Stealth

| Name | Usage |
|---|---|
| VirtualAlloc | Allocate memory (packers) |
| VirtualProtect | Change memory permissions (packer giving execution permission to a section) |
| ReadProcessMemory | Injection into external processes |
| WriteProcessMemoryA/W | Injection into external processes |
| NtWriteVirtualMemory | Injection into external processes |
| CreateRemoteThread | DLL/Process injection… |
| NtUnmapViewOfSection | |
| QueueUserAPC | |
| CreateProcessInternalA/W | |

Execution

| Function Name |
|---|
| CreateProcessA/W |
| ShellExecute |
| WinExec |
| ResumeThread |
| NtResumeThread |

Miscellaneous

  • GetAsyncKeyState() – Keylogging (polls key state)
  • SetWindowsHookEx() – Keylogging (installs a keyboard hook)
  • GetForegroundWindow() – Get the active window's title (or the website open in a browser)
  • LoadLibrary() – Load a DLL at run time (dynamic import)
  • GetProcAddress() – Resolve the address of an exported function in a loaded module
  • CreateToolhelp32Snapshot() – List running processes
  • GetDC() – Screenshot (obtain a device context for the screen)
  • BitBlt() – Screenshot (copy the screen bitmap)
  • InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() – Access the Internet
  • FindResource(), LoadResource(), LockResource() – Access resources embedded in the executable
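As an added example (not part of this cheat sheet), the following Python script maps an executable's import names onto the categories above and flags the API combinations that say more than any single import does. It assumes the import names have already been extracted from the PE (for instance with pefile); SAMPLE_IMPORTS is a constructed list, not taken from any real binary.

```python
import re
# Categories from the tables on this page, stored with the trailing A/W and
# Ex suffixes removed so RegOpenKeyExA, CreateFileW, CreateRemoteThreadEx match.
API_CATEGORIES = {
    "networking": {"WSAStartup", "socket", "bind", "listen", "accept", "connect", "recv",
                   "send", "WSACleanup", "InternetOpen", "InternetOpenUrl",
                   "InternetReadFile", "InternetWriteFile"},
    "persistence": {"RegCreateKey", "RegOpenKey", "RegSetValue", "RegDeleteKey", "RegGetValue",
                    "GetTempPath", "CopyFile", "OpenSCManager", "CreateService",
                    "StartServiceCtrlDispatcher"},
    "encryption": {"CryptAcquireContext", "CryptGenKey", "CryptDeriveKey", "CryptDecrypt",
                   "CryptReleaseContext"},
    "anti-analysis": {"IsDebuggerPresent", "GetSystemInfo", "GlobalMemoryStatus", "GetVersion"},
    "stealth": {"VirtualAlloc", "VirtualProtect", "ReadProcessMemory", "WriteProcessMemory",
                "NtWriteVirtualMemory", "CreateRemoteThread", "NtUnmapViewOfSection",
                "QueueUserAPC", "CreateProcessInternal"},
    "execution": {"CreateProcess", "ShellExecute", "WinExec", "ResumeThread", "NtResumeThread"},
    "misc": {"GetAsyncKeyState", "SetWindowsHook", "GetForegroundWindow", "LoadLibrary",
             "GetProcAddress", "CreateToolhelp32Snapshot", "GetDC", "BitBlt",
             "FindResource", "LoadResource", "LockResource"},
}
# Constructed sample import list (not from a real binary), as pefile would report it.
SAMPLE_IMPORTS = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "LoadLibraryA",
                  "GetProcAddress", "RegSetValueExW", "IsDebuggerPresent"]

def normalise(name):
    """RegOpenKeyExA -> RegOpenKey, CreateFileW -> CreateFile (crude suffix strip)."""
    return re.sub(r"(Ex)?[AW]?$", "", name)

def classify(imports):
    """Map each import to the page's categories; names not in the table are ignored."""
    hits = {cat: set() for cat in API_CATEGORIES}
    for name in imports:
        for cat, known in API_CATEGORIES.items():
            if normalise(name) in known:
                hits[cat].add(name)
    return {cat: sorted(v) for cat, v in hits.items() if v}

def triage_notes(imports):
    """Flag API combinations: one VirtualAlloc import means little, the set does."""
    bases = {normalise(n) for n in imports}
    notes = []
    if bases & {"WriteProcessMemory", "NtWriteVirtualMemory"} and \
       bases & {"CreateRemoteThread", "QueueUserAPC", "NtResumeThread"}:
        notes.append("remote memory write plus remote execution: injection primitives")
    if {"CreateProcess", "NtUnmapViewOfSection", "ResumeThread"} <= bases:
        notes.append("create, unmap and resume: hollowed-process pattern")
    if {"LoadLibrary", "GetProcAddress"} <= bases and len(bases) < 8:  # threshold is a heuristic
        notes.append("small import table with LoadLibrary/GetProcAddress: APIs resolved at run time")
    return notes
```

A tiny import table with only LoadLibrary/GetProcAddress means the static list is incomplete and the interesting APIs will only show up in a debugger or sandbox trace.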