mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
2.1 KiB
2.1 KiB
Common API used in Malware
nNetworking
| Raw Sockets | WinAPI Sockets |
|---|---|
| socket() | WSAStratup() |
| bind() | bind() |
| listen() | listen() |
| accept() | accept() |
| connect() | connect() |
| read()/recv() | recv() |
| write() | send() |
| shutdown() | WSACleanup() |
Persistence
| Registry | File | Service |
|---|---|---|
| RegCreateKeyEx() | GetTempPath() | OpenSCManager |
| RegOpenKeyEx() | CopyFile() | CreateService() |
| RegSetValueEx() | CreateFile() | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile() | |
| RegGetValue() | ReadFile() |
Encryption
| Name |
|---|
| WinCrypt |
| CryptAcquireContext() |
| CryptGenKey() |
| CryptDeriveKey() |
| CryptDecrypt() |
| CryptReleaseContext() |
Anti-Analysis/VM
| Function Name | Assembly Instructions |
|---|---|
| IsDebuggerPresent() | CPUID() |
| GetSystemInfo() | IN() |
| GlobalMemoryStatusEx() | |
| GetVersion() |
Stealth
| Name | |
|---|---|
| VirtualAlloc() | Alloc memory packers |
| VirtualProtect() | Change memory permission packer giving execution permission to a section |
| ReadProcessMemory() | Injection into external processes |
| WriteProcessMemory() | Injection into external processes |
| CreateRemoteThread() | DLL/Process injection... |
| NtUnmapViewOfSection() | |
| QueueUserAPC() |
Execution
| Function Name |
|---|
| CreateProcess() |
| ShellExecute() |
| WinExec() |
| ResumeThread() |
Miscellaneous
- GetAsyncKeyState() -- Key logging
- SetWindowsHookEx -- Key logging
- GetForeGroundWindow -- Get running window name
or the website from a browser - LoadLibrary() -- Import library
- GetProcAddress() -- Import library
- CreateToolhelp32Snapshot() -- List running processes
- GetDC() -- Screenshot
- BitBlt() -- Screenshot
- InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
- FindResource(), LoadResource(), LockResource() -- Access resources of the executable