Windows APIs
WIP - Windows components: API / COM objects / development components. A long article discussing Windows components and how they are exploited in the wild.
Most malware targets Windows platforms and interacts closely with the OS. A solid understanding of basic Windows coding concepts will allow you to identify host-based indicators of malware, follow malware as it uses the OS to execute code without a jump or call instruction, and determine the malware’s purpose.
[Practical Malware Analysis]
File System Functions
-> CreateFileA | CreateFileW;
Creates or opens a file or any other I/O device (pipes, streams, etc.) and returns a handle used to access it (for a named pipe, the client end).
CreateFileA is the ANSI version; its file name is limited to MAX_PATH characters. The Unicode version, CreateFileW, does not have the MAX_PATH limitation and supports longer file names, extending the limit to 32,767 wide characters.

//NOTE: CreateFileTransacted
//fileapi.h -- CreateFileA is the same except that lpFileName is LPCSTR
HANDLE CreateFileW(
  LPCWSTR               lpFileName,            // path may use either / or \ as separator
  DWORD                 dwDesiredAccess,
  DWORD                 dwShareMode,
  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  DWORD                 dwCreationDisposition, // whether to create a new file or open an existing one
  DWORD                 dwFlagsAndAttributes,
  HANDLE                hTemplateFile
);
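The 32,767-character limit applies only when the name is passed in the extended-length \\?\ form (or, on Windows 10 1607 and later, when the process opts in to long paths). With that prefix Win32 also stops normalising the string: / is no longer converted to \ and the . and .. components are handed to the file system as written. The helper below, an added example that is not code from the page, builds that form from an absolute path and refuses the inputs that the skipped normalisation would make ambiguous. It is plain C with no Windows headers so it compiles on any host; make_extended_length_path, ext_path_len and ext_path_equals are names chosen here.

```c
/* Extended-length path helper for CreateFileW.
   Added example, not code from the page. Rule it relies on: names longer than
   MAX_PATH are accepted only with the "\\?\" prefix, and with that prefix Win32
   does not normalise the string ("/" stays "/", "." and ".." pass through), so
   this helper requires an absolute path, converts slashes itself and refuses
   dot components. No Windows headers needed. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

#define EXT_PREFIX     L"\\\\?\\"       /* \\?\     */
#define EXT_UNC_PREFIX L"\\\\?\\UNC\\"  /* \\?\UNC\ */

/* Returns 1 if any backslash-separated component of p is "." or "..". */
static int has_dot_component(const wchar_t *p)
{
    while (*p) {
        const wchar_t *end = wcschr(p, L'\\');
        size_t len = end ? (size_t)(end - p) : wcslen(p);
        if ((len == 1 && p[0] == L'.') ||
            (len == 2 && p[0] == L'.' && p[1] == L'.')) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* Writes the extended-length form of `in` to `out` (capacity `cap` wchar_t).
   Returns the length written, or 0 if the input is relative, contains a dot
   component, or does not fit. Input already carrying \\?\ or \\.\ is copied. */
size_t make_extended_length_path(const wchar_t *in, wchar_t *out, size_t cap)
{
    size_t n = wcslen(in);
    if (n == 0 || cap == 0) return 0;
    if (n >= 4 && in[0] == L'\\' && in[1] == L'\\' &&
        (in[2] == L'?' || in[2] == L'.') && in[3] == L'\\') {
        if (n >= cap) return 0;
        wcscpy(out, in);
        return n;
    }
    const wchar_t *prefix, *body = in;
    if ((in[0] == L'\\' || in[0] == L'/') && (in[1] == L'\\' || in[1] == L'/')) {
        prefix = EXT_UNC_PREFIX;          /* \\server\share -> \\?\UNC\server\share */
        body = in + 2;
    } else if (iswalpha((wint_t)in[0]) && in[1] == L':' &&
               (in[2] == L'\\' || in[2] == L'/')) {
        prefix = EXT_PREFIX;              /* C:\dir -> \\?\C:\dir */
    } else {
        return 0;                         /* relative or drive-relative: refuse */
    }
    size_t plen = wcslen(prefix), blen = wcslen(body);
    if (plen + blen >= cap) return 0;
    wcscpy(out, prefix);
    for (size_t i = 0; i < blen; i++)     /* normalise separators ourselves */
        out[plen + i] = (body[i] == L'/') ? L'\\' : body[i];
    out[plen + blen] = L'\0';
    if (has_dot_component(out + plen)) { out[0] = L'\0'; return 0; }
    return plen + blen;
}

/* Small wrappers used for checks: resulting length, and exact comparison. */
size_t ext_path_len(const wchar_t *in)
{
    wchar_t buf[64];
    return make_extended_length_path(in, buf, 64);
}
int ext_path_equals(const wchar_t *in, const wchar_t *expected)
{
    wchar_t buf[64];
    return make_extended_length_path(in, buf, 64) != 0 && wcscmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: drive path with forward slashes, UNC path, relative path, traversal */
    const wchar_t *inputs[] = { L"C:/data/report.txt", L"\\\\srv\\share\\f.bin",
                                L"data\\report.txt", L"C:\\data\\..\\secret.txt" };
    wchar_t buf[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (make_extended_length_path(inputs[i], buf, 64))
            wprintf(L"%ls -> %ls\n", inputs[i], buf);
        else
            wprintf(L"%ls -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The rejection of relative paths is deliberate: without normalisation there is no current directory to resolve against, and a .. that slips through the prefix is exactly the case a path check done on the unprefixed string would miss.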
-> ReadFile | ReadFileEx;
Both read data from a given hFile (a handle to a file opened with read access); ReadFileEx is used only for asynchronous reads and signals completion of the read operation by dispatching an APC (Asynchronous Procedure Call).
//fileapi.h
// Both end up in the NtReadFile system call, so they are almost identical.
BOOL ReadFile(
  HANDLE       hFile,
  LPVOID       lpBuffer,
  DWORD        nNumberOfBytesToRead,
  LPDWORD      lpNumberOfBytesRead,
  LPOVERLAPPED lpOverlapped
);
BOOL ReadFileEx(
  HANDLE                          hFile,
  LPVOID                          lpBuffer,
  DWORD                           nNumberOfBytesToRead,
  LPOVERLAPPED                    lpOverlapped,
  LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
);
-> WriteFile | WriteFileEx;
Writes data to a file, given a handle opened with write access. (WriteFileEx is the asynchronous counterpart and, like ReadFileEx, takes a completion routine in place of the bytes-written pointer.)
BOOL WriteFile(
  HANDLE       hFile,
  LPCVOID      lpBuffer,
  DWORD        nNumberOfBytesToWrite,
  LPDWORD      lpNumberOfBytesWritten,
  LPOVERLAPPED lpOverlapped
);
-> CreateFileMappingW;
Returns a handle to a file mapping object, which is later passed to MapViewOfFile() to create a view of the file or of a portion of it. A view maps the file's data into the virtual memory of the process.
hFile
-> handle to the file from which the file mapping object is created.
flProtect
-> page protection of the mapping (PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ, ...); an executable mapping of a file that is not a normal module is worth a closer look during analysis.
//memoryapi.h
HANDLE CreateFileMappingW(
  HANDLE                hFile,
  LPSECURITY_ATTRIBUTES lpFileMappingAttributes,
  DWORD                 flProtect,
  DWORD                 dwMaximumSizeHigh,
  DWORD                 dwMaximumSizeLow,
  LPCWSTR               lpName
);
-> MapViewOfFile | MapViewOfFileEx;
Returns a pointer to the base address of the file view for reading and writing. Writes to the view are reflected in the mapping object; for performance, data written through the mapping is not transferred to the file on disk immediately, so a call to FlushViewOfFile() is needed to force the disk write at once.
// The OS chooses the address at which the view begins in the process
LPVOID MapViewOfFile(
  HANDLE hFileMappingObject,
  DWORD  dwDesiredAccess,
  DWORD  dwFileOffsetHigh,
  DWORD  dwFileOffsetLow,
  SIZE_T dwNumberOfBytesToMap
);
// lpBaseAddress lets the caller suggest the address; it must be a multiple of the
// system allocation granularity, which is queried with GetSystemInfo
LPVOID MapViewOfFileEx(
  HANDLE hFileMappingObject,
  DWORD  dwDesiredAccess,
  DWORD  dwFileOffsetHigh,
  DWORD  dwFileOffsetLow,
  SIZE_T dwNumberOfBytesToMap,
  LPVOID lpBaseAddress
);
//NOTE: malware uses this to load a malicious payload (shellcode or a PE) as if it had been loaded by the OS loader; it also makes parsing the PE file easy, because every structure can be reached as an offset from the base address returned by MapViewOfFile.
File mappings are commonly used to replicate the functionality of the Windows loader. After obtaining a map of the file, the malware can parse the PE header and make all necessary changes to the file in memory, thereby causing the PE file to be executed as if it had been loaded by the OS loader.
[Practical Malware Analysis]
//NOTE: SYSTEMINFOAPI
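To make the loader-replication point concrete, here is an added example (not code from the page or from Practical Malware Analysis) that walks a PE image purely by offsets from its base pointer, the way a parser would over the address MapViewOfFile returns: DOS header, e_lfanew, PE signature, file header, optional header, section table. It is written from the defender's side, so every offset is bounds-checked before use and it reports whether AddressOfEntryPoint falls inside any section (an entry point outside every section is a classic anomaly). The field offsets are those of IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER in winnt.h, but the values are read with memcpy so the code has no Windows dependency. The image it parses is a minimal PE32+ constructed in build_sample_pe, not a real binary; pe_parse, pe_info, sample_entry_section and sample_parse_status are names chosen for this example.

```c
/* Walking a PE image by offsets from its base address.
   Added example, not code from the page. Field offsets follow winnt.h
   (IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER) but are read
   with memcpy, so this compiles on any little-endian host without windows.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTION_HDR_SIZE 40u
#define SAMPLE_LEN       0x400

typedef struct {
    uint16_t machine;        /* IMAGE_FILE_HEADER.Machine                 */
    uint16_t num_sections;   /* IMAGE_FILE_HEADER.NumberOfSections        */
    uint16_t opt_magic;      /* 0x10B = PE32, 0x20B = PE32+               */
    uint32_t entry_rva;      /* OptionalHeader.AddressOfEntryPoint        */
    int      entry_section;  /* section index holding the entry, -1 if none */
} pe_info;

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Parses the headers at base (len bytes mapped). Returns 0 on success or a
   negative code naming the failed check. Every offset is validated against
   len before it is dereferenced: a loader-imitating payload skips that, a
   parser must not. */
int pe_parse(const uint8_t *base, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(base) != 0x5A4D)          return -1; /* "MZ"              */
    uint32_t nt = rd32(base + 0x3C);                            /* e_lfanew          */
    if (nt > len || len - nt < 24)                   return -2; /* sig + FileHeader  */
    if (rd32(base + nt) != 0x00004550)               return -3; /* "PE\0\0"          */
    const uint8_t *fh = base + nt + 4;
    out->machine      = rd16(fh + 0);
    out->num_sections = rd16(fh + 2);
    uint16_t opt_size = rd16(fh + 16);                          /* SizeOfOptionalHeader */
    size_t opt_off = (size_t)nt + 24;
    if (opt_size < 24 || len - opt_off < opt_size)   return -4;
    out->opt_magic = rd16(base + opt_off);
    if (out->opt_magic != 0x10B && out->opt_magic != 0x20B) return -5;
    out->entry_rva = rd32(base + opt_off + 16);                 /* AddressOfEntryPoint */
    size_t sec_off = opt_off + opt_size;                        /* section table follows */
    if ((len - sec_off) / SECTION_HDR_SIZE < out->num_sections) return -6;
    out->entry_section = -1;
    for (uint16_t i = 0; i < out->num_sections; i++) {
        const uint8_t *sh = base + sec_off + (size_t)i * SECTION_HDR_SIZE;
        uint32_t vsize = rd32(sh + 8), va = rd32(sh + 12);     /* VirtualSize, VirtualAddress */
        if (out->entry_rva >= va && out->entry_rva - va < vsize)
            out->entry_section = (int)i;
    }
    return 0;
}

/* Constructed sample: minimal PE32+ with one .text section at RVA 0x1000
   (0x100 bytes). Not a runnable program, just enough header for the parser. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "MZ", 2);
    uint32_t e_lfanew = 0x40; memcpy(buf + 0x3C, &e_lfanew, 4);
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *fh = buf + 0x44;
    uint16_t machine = 0x8664, nsec = 1, optsize = 240, chars = 0x22;
    memcpy(fh + 0, &machine, 2); memcpy(fh + 2, &nsec, 2);
    memcpy(fh + 16, &optsize, 2); memcpy(fh + 18, &chars, 2);
    uint8_t *oh = fh + 20;
    uint16_t magic = 0x20B; memcpy(oh, &magic, 2);
    memcpy(oh + 16, &entry_rva, 4);
    uint8_t *sh = oh + 240;
    memcpy(sh, ".text\0\0\0", 8);
    uint32_t vsize = 0x100, va = 0x1000, raw = 0x200, rawptr = 0x200, flags = 0x60000020;
    memcpy(sh + 8, &vsize, 4); memcpy(sh + 12, &va, 4);
    memcpy(sh + 16, &raw, 4);  memcpy(sh + 20, &rawptr, 4); memcpy(sh + 36, &flags, 4);
    return SAMPLE_LEN;
}

/* Helpers: which section holds a given entry RVA (-99 = parse failed), and the
   parse status when the mapping is truncated to `len` bytes. */
int sample_entry_section(uint32_t entry_rva)
{
    uint8_t img[SAMPLE_LEN]; pe_info info;
    build_sample_pe(img, sizeof img, entry_rva);
    return pe_parse(img, SAMPLE_LEN, &info) == 0 ? info.entry_section : -99;
}
int sample_parse_status(size_t len)
{
    uint8_t img[SAMPLE_LEN]; pe_info info;
    build_sample_pe(img, sizeof img, 0x1010);
    return pe_parse(img, len, &info);
}

int main(void)
{
    uint8_t img[SAMPLE_LEN]; pe_info info;
    build_sample_pe(img, sizeof img, 0x1010);
    if (pe_parse(img, SAMPLE_LEN, &info) == 0)
        printf("machine=0x%04x sections=%u entry=0x%x in section %d\n",
               info.machine, info.num_sections, info.entry_rva, info.entry_section);
    printf("entry 0x5000 -> section %d (negative: outside every section, suspicious)\n",
           sample_entry_section(0x5000));
    printf("truncated mapping -> status %d\n", sample_parse_status(0x50));
    return 0;
}
```

The truncation checks matter because a mapped view is exactly as long as the file: a crafted e_lfanew or SizeOfOptionalHeader that points past the end of the view is an out-of-bounds read in any parser that trusts the header.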
Registry Related Functions (APIs)
-> RegCreateKey;
Creates the specified registry key; if the key already exists, it opens it.
LSTATUS RegCreateKeyExA(
  HKEY                        hKey,
  LPCSTR                      lpSubKey,
  DWORD                       Reserved,
  LPSTR                       lpClass,
  DWORD                       dwOptions,
  REGSAM                      samDesired,
  const LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  PHKEY                       phkResult,
  LPDWORD                     lpdwDisposition
);
-> RegOpenKey;
Opens the specified registry key: hKey is a handle to an open root key, and lpSubKey points to the string naming the subkey to open.
Returns ERROR_SUCCESS (0) on success and a non-zero error code on failure.
//winreg.h
LSTATUS RegOpenKeyExA(
  HKEY   hKey,
  LPCSTR lpSubKey,
  DWORD  ulOptions,
  REGSAM samDesired,
  PHKEY  phkResult
);
-> RegQueryInfoKey;
Retrieves information about the specified key (number of subkeys and values, maximum name lengths, last write time).
LSTATUS RegQueryInfoKeyA(
  HKEY      hKey,
  LPSTR     lpClass,
  LPDWORD   lpcchClass,
  LPDWORD   lpReserved,
  LPDWORD   lpcSubKeys,
  LPDWORD   lpcbMaxSubKeyLen,
  LPDWORD   lpcbMaxClassLen,
  LPDWORD   lpcValues,
  LPDWORD   lpcbMaxValueNameLen,
  LPDWORD   lpcbMaxValueLen,
  LPDWORD   lpcbSecurityDescriptor,
  PFILETIME lpftLastWriteTime
);
-> RegSetKeyValue;
Writes data to a value under an open registry key; the key must have been opened with the KEY_SET_VALUE access right (hKey
-> handle to an open key, as returned by RegCreateKey | RegOpenKey, or one of the predefined root keys).
LSTATUS RegSetKeyValueA(
  HKEY    hKey,
  LPCSTR  lpSubKey,
  LPCSTR  lpValueName,
  DWORD   dwType,
  LPCVOID lpData,
  DWORD   cbData
);
//EX: persistence through the Run registry key.
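From the defender's side, a write to one of the Run or RunOnce keys through RegSetKeyValue shows up as a registry value-set event, and that is what a detection keys on. The following added example (not code from the page) scans constructed registry event lines in an invented pipe-separated format, event id | TargetObject | Details, and counts the value writes that land under ...\CurrentVersion\Run or RunOnce in any hive, including the WOW6432Node view; map the fields to your own sensor (Sysmon Event ID 13 carries TargetObject and Details). The sample lines and the names is_run_key_target, is_run_key_write_event and count_run_key_writes are constructed for this example.

```c
/* Detection of Run/RunOnce key writes over constructed registry event lines.
   Added example, not code from the page. The line format "<id>|<TargetObject>|<Details>"
   is invented for the example; real sensors (e.g. Sysmon Event ID 13) carry
   the same two fields under those names. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "does s start with prefix"; stops at the end of s. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* True when target is the Run or RunOnce key itself or a value directly under it.
   Only the tail of the path is matched, so HKLM, HKCU/HKU and the WOW6432Node
   view are all covered. RunServices and RunOnceEx are deliberately not matched. */
int is_run_key_target(const char *target)
{
    static const char needle[] = "\\currentversion\\run";
    for (const char *p = target; *p; p++) {
        if (!starts_with_ci(p, needle)) continue;
        const char *rest = p + sizeof needle - 1;
        if (starts_with_ci(rest, "once")) rest += 4;
        if (*rest == '\0' || *rest == '\\') return 1;
    }
    return 0;
}

/* Parses one constructed event line. Returns 1 if it is a value-set event
   (id 13) whose target is a Run/RunOnce key, copying the value data to details. */
int is_run_key_write_event(const char *line, char *details, size_t cap)
{
    const char *sep1 = strchr(line, '|');
    if (!sep1) return 0;
    const char *sep2 = strchr(sep1 + 1, '|');
    if (!sep2) return 0;
    if (strncmp(line, "13|", 3) != 0) return 0;          /* only value writes */
    char target[512];
    size_t tlen = (size_t)(sep2 - sep1 - 1);
    if (tlen >= sizeof target) return 0;
    memcpy(target, sep1 + 1, tlen); target[tlen] = '\0';
    if (!is_run_key_target(target)) return 0;
    if (details && cap) { strncpy(details, sep2 + 1, cap - 1); details[cap - 1] = '\0'; }
    return 1;
}

/* Constructed sample events: three land in Run/RunOnce (one of them a benign
   OneDrive entry), one is a RunServices write, one is a key-creation event (id 12). */
static const char *const sample_events[] = {
    "13|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|C:\\Program Files\\OneDrive\\OneDrive.exe",
    "13|HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|C:\\Users\\Public\\svc.exe",
    "13|HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\x|C:\\Windows\\Temp\\a.exe",
    "13|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices\\x|C:\\x.exe",
    "12|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|",
};
#define SAMPLE_EVENTS (sizeof sample_events / sizeof sample_events[0])

/* Runs the rule over n events, printing each hit; returns the hit count. */
size_t count_run_key_writes(const char *const *events, size_t n)
{
    size_t hits = 0;
    char details[256];
    for (size_t i = 0; i < n; i++)
        if (is_run_key_write_event(events[i], details, sizeof details)) {
            hits++;
            printf("Run-key write: %s\n  value data: %s\n", events[i], details);
        }
    return hits;
}

int main(void)
{
    size_t hits = count_run_key_writes(sample_events, SAMPLE_EVENTS);
    printf("%zu of %zu events write to a Run/RunOnce key\n", hits, (size_t)SAMPLE_EVENTS);
    return 0;
}
```

The rule deliberately matches every Run-key write, benign installers included, so its output is a triage list rather than a verdict: the value data (the image path) is what then gets checked against signer, location and the writing process.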

Networking API