Windows APIs

WIP - WINDOWS COMPONENTS: API / COM OBJECTS/ DEVELOPMENT COMPONENTS .. long article discussing windows components and how they are exploited in the wild.

Most malware targets Windows platforms and interacts closely with the OS. A solid understanding of basic Windows coding concepts will allow you to identify host-based indicators of malware, follow malware as it uses the OS to execute code without a jump or call instruction, and determine the malware’s purpose.

[Practical Malware Analysis]

File System Functions

-> CreateFileA | CreateFileW; Creates or opens an file or any other I/O device (pipes / streams ..etc). Returning a Handle to the Client end pipe to access it.

CreateFileA for ANSI with a limited file name specified by MAX_PATH. With the Unicode version of the function CreateFileW filenames has no MAX_PATH limitation and supports longer file names -extending this limit to 32,767 wide characters-

//NOTE: CreateFileTransacted

HANDLE CreateFileW|CreateFileA(
  LPCWSTR               lpFileName, // either using / or \
  DWORD                 dwDesiredAccess,
  DWORD                 dwShareMode,
  LPSECURITY_ATTRIBUTES lpSecurityAttributes,

// parameter specifies wether to create / open an existing file
  DWORD                 dwCreationDisposition,  
  DWORD                 dwFlagsAndAttributes,
  HANDLE                hTemplateFile

-> ReadFile | ReadFileEx; Both for reading data from a giving hfile (handle to the file with the giving READ permission), though ReadFileEX is only used to read asynchronously and signals the completion of the read operation by dispatching an APC (Asynchronous Procedure Call).

// Both use the NtReadFile API, so both are almost identical.

BOOL ReadFile(
  HANDLE       hFile, 
  LPVOID       lpBuffer,
  DWORD        nNumberOfBytesToRead,
  LPDWORD      lpNumberOfBytesRead,
  LPOVERLAPPED lpOverlapped

BOOL ReadFileEx(
  HANDLE                          hFile,
  LPVOID                          lpBuffer,
  DWORD                           nNumberOfBytesToRead,
  LPOVERLAPPED                    lpOverlapped,

-> WriteFile | WriteFileEx; For File Writing operations, giving a handle to a file with write permission.

BOOL WriteFile(
  HANDLE       hFile,
  LPCVOID      lpBuffer,
  DWORD        nNumberOfBytesToWrite,
  LPDWORD      lpNumberOfBytesWritten,
  LPOVERLAPPED lpOverlapped

-> CreateFileMappingW; Returns a handle to the file mapping object, that is later used by MapViewOfFile() to create a view of the file or a portion of the file. Creating a view of the file is used to map data from a file to the virtual memory of a process.

hfile -> handle to the file needed to create a file mapping object.

flProtect -> Fill them with the hex


HANDLE CreateFileMappingW(
  HANDLE                hFile,
  LPSECURITY_ATTRIBUTES lpFileMappingAttributes,
  DWORD                 flProtect,
  DWORD                 dwMaximumSizeHigh,
  DWORD                 dwMaximumSizeLow,
  LPCWSTR               lpName

-> MapViewOfFile | MapViewOfFileEx; Returns a pointer to the base address of the file view/mapping for reading and writing. Writing to the file view is reflected on the Mapping object, and for system performance data written to the File Mapping Object is not transferred instantly to the file on disk, a call to FlushViewOfFile() is needed to override this behavior and perform disk transactions immediately.

// OS chooses the address where the mapping begins in the process

LPVOID MapViewOfFile(
  HANDLE hFileMappingObject,
  DWORD  dwDesiredAccess,
  DWORD  dwFileOffsetHigh,
  DWORD  dwFileOffsetLow,
  SIZE_T dwNumberOfBytesToMap

// lpBaseAddress can be used to specify this address with the need to query the system info to get a safe address (GetSystemInfo)

LPVOID MapViewOfFileEx(
  HANDLE hFileMappingObject,
  DWORD  dwDesiredAccess,
  DWORD  dwFileOffsetHigh,
  DWORD  dwFileOffsetLow,
  SIZE_T dwNumberOfBytesToMap,
  LPVOID lpBaseAddress

//NOTE: this is used to load Malicious Shellcode by the malware as if its loaded by the OSLoader, and makes it easy to parse the PE file because you can jump anywhere using offsets to the returned base address of the file map (if using MapViewOfFile).

File mappings are commonly used to replicate the functionality of the Windows loader. After obtaining a map of the file, the malware can parse the PE header and make all necessary changes to the file in memory, thereby causing the PE file to be executed as if it had been loaded by the OS loader.

[Practical Malware Analysis]


-> RegCreateKey; Creates a specified registry key, if exists it open it.

LSTATUS RegCreateKeyExA(
  HKEY                        hKey,
  LPCSTR                      lpSubKey,
  DWORD                       Reserved,
  LPSTR                       lpClass,
  DWORD                       dwOptions,
  REGSAM                      samDesired,
  const LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  PHKEY                       phkResult,
  LPDWORD                     lpdwDisposition

-> RegOpenKey; Opens a specified registry key (hkey as handle to root key, lpSubKey (long pointer to an address of a string containing the SubKey String))

Returns a non-zero value if failed


  HKEY   hKey,
  LPCSTR lpSubKey,
  DWORD  ulOptions,
  REGSAM samDesired,
  PHKEY  phkResult

-> RegQueryInfoKey; Retrieves info about the specified key.

LSTATUS RegQueryInfoKeyA(
  HKEY      hKey,
  LPSTR     lpClass,
  LPDWORD   lpcchClass,
  LPDWORD   lpReserved,
  LPDWORD   lpcSubKeys,
  LPDWORD   lpcbMaxSubKeyLen,
  LPDWORD   lpcbMaxClassLen,
  LPDWORD   lpcValues,
  LPDWORD   lpcbMaxValueNameLen,
  LPDWORD   lpcbMaxValueLen,
  LPDWORD   lpcbSecurityDescriptor,
  PFILETIME lpftLastWriteTime

-> RegSetKeyValue; Writes/Sets Data to an open registry key that must have been opened with the KEY_SET_VALUE access right (hkey -> handle to an open root key that is returned by RegCreateKey | RegOpenKey) .

LSTATUS RegSetKeyValueA(
  HKEY    hKey,
  LPCSTR  lpSubKey,
  LPCSTR  lpValueName,
  DWORD   dwType,
  LPCVOID lpData,
  DWORD   cbData

//EX: persistence thru the RUN registry key.

Networking API

Last updated