NO-MERCY Posted June 10, 2015 Report Posted June 10, 2015 The Windows API for Hackers and Reverse EngineersThe Windows API is one of the “must know” areas for most reverse engineers and exploit writers. It’s an area than the more I use the APIs the more that I find myself looking up speific APIs and wishing that I would have known what I know now about these sometimes vague and/or mysterious functions.Why should someone who’s in the INFOSEC community care about these APIs? Well to put it shortly, they can make your life considerably easier. If you do incident response, are just getting starting writing exploits, or anything related, then you’ve likely seen these APIs mentioned before. They’re a crucial part of everything from shellcode design to malware analysis.One of the most common places you’ll run into these APIs is in malware analysis. The Windows APIs are crucial to nearly every piece of software that runs on Windows. Without these APIs malware authors would be left writing a considerable amount more code, which few malware authors want to do. Knowing that these are going to be the malware’s link to Windows itself, just examining the APIs can give you great clues about what the malware is trying to do. (Note: malware authors could statically compile their code, which would not need to import the APIs, this is not common and would leave the malware sample significantly larger)There are endless tools which will show you which APIs are being imported. Some of the most common tools are OllyDbg, Immunity Debugger, IDA Pro, MASTIFF, and countless other tools and scripts. Let’s take a look at a malware sample’s imports.kernel32.dll DeleteCriticalSection 0x4090dc kernel32.dll LeaveCriticalSection 0x4090e0 kernel32.dll EnterCriticalSection 0x4090e4 kernel32.dll VirtualFree 0x4090e8 kernel32.dll LocalFree 0x4090ec kernel32.dll GetCurrentThreadId 0x4090f0 kernel32.dll GetStartupInfoA 0x4090f4 kernel32.dll GetCommandLineA 0x4090f8 kernel32.dll FreeLibrary 0x4090fc kernel32.dll ExitProcess 0x409100 kernel32.dll WriteFile 0x409104 kernel32.dll UnhandledExceptionFilter 0x409108 kernel32.dll RtlUnwind 0x40910c kernel32.dll RaiseException 0x409110 kernel32.dll GetStdHandle 0x409114 user32.dll GetKeyboardType 0x40911c user32.dll MessageBoxA 0x409120 advapi32.dll RegQueryValueExA 0x409128 advapi32.dll RegOpenKeyExA 0x40912c advapi32.dll RegCloseKey 0x409130 kernel32.dll TlsSetValue 0x409138 kernel32.dll TlsGetValue 0x40913c kernel32.dll TlsFree 0x409140 kernel32.dll TlsAlloc 0x409144 kernel32.dll LocalFree 0x409148 kernel32.dll LocalAlloc 0x40914c wsock32.dll closesocket 0x409154 wsock32.dll WSACleanup 0x409158 wsock32.dll recv 0x40915c wsock32.dll send 0x409160 wsock32.dll connect 0x409164 wsock32.dll htons 0x409168 wsock32.dll socket 0x40916c wsock32.dll WSAStartup 0x409170 wsock32.dll gethostbyname 0x409174 advapi32.dll RegSetValueExA 0x40917c advapi32.dll RegCreateKeyA 0x409180 advapi32.dll RegCloseKey 0x409184 advapi32.dll AdjustTokenPrivileges 0x409188 advapi32.dll LookupPrivilegeValueA 0x40918c advapi32.dll OpenProcessToken 0x409190 user32.dll GetForegroundWindow 0x409198 user32.dll wvsprintfA 0x40919c kernel32.dll CloseHandle 0x4091a4 kernel32.dll RtlMoveMemory 0x4091a8 kernel32.dll RtlZeroMemory 0x4091ac kernel32.dll WriteProcessMemory 0x4091b0 kernel32.dll ReadProcessMemory 0x4091b4 kernel32.dll VirtualProtect 0x4091b8 kernel32.dll Sleep 0x4091bc kernel32.dll GetTickCount 0x4091c0 kernel32.dll MoveFileExA 0x4091c4 kernel32.dll ReadFile 0x4091c8 kernel32.dll WriteFile 0x4091cc kernel32.dll SetFilePointer 0x4091d0 kernel32.dll FindClose 0x4091d4 kernel32.dll FindFirstFileA 0x4091d8 kernel32.dll DeleteFileA 0x4091dc kernel32.dll CreateFileA 0x4091e0 kernel32.dll GetPrivateProfileIntA 0x4091e4 kernel32.dll GetPrivateProfileStringA 0x4091e8 kernel32.dll WritePrivateProfileStringA 0x4091ec kernel32.dll SetFileAttributesA 0x4091f0 kernel32.dll GetCurrentProcessId 0x4091f4 kernel32.dll GetCurrentProcess 0x4091f8 kernel32.dll Process32Next 0x4091fc kernel32.dll Process32First 0x409200 kernel32.dll Module32Next 0x409204 kernel32.dll Module32First 0x409208 kernel32.dll CreateToolhelp32Snapshot 0x40920c kernel32.dll WinExec 0x409210 kernel32.dll lstrcpyA 0x409214 kernel32.dll lstrcatA 0x409218 kernel32.dll lstrcmpiA 0x40921c kernel32.dll lstrcmpA 0x409220 kernel32.dll lstrlenA 0x409224 kernel32.dll lstrlenA 0x40922c kernel32.dll lstrcpyA 0x409230 kernel32.dll lstrcmpiA 0x409234 kernel32.dll lstrcmpA 0x409238 kernel32.dll lstrcatA 0x40923c kernel32.dll WriteProcessMemory 0x409240 kernel32.dll VirtualProtect 0x409244 kernel32.dll TerminateThread 0x409248 kernel32.dll TerminateProcess 0x40924c kernel32.dll Sleep 0x409250 kernel32.dll OpenProcess 0x409254 kernel32.dll GetWindowsDirectoryA 0x409258 kernel32.dll GetTickCount 0x40925c kernel32.dll GetSystemDirectoryA 0x409260 kernel32.dll GetModuleHandleA 0x409264 kernel32.dll GetCurrentProcessId 0x409268 kernel32.dll GetCurrentProcess 0x40926c kernel32.dll GetComputerNameA 0x409270 kernel32.dll ExitProcess 0x409274 kernel32.dll CreateThread 0x409278 user32.dll wvsprintfA 0x409280 user32.dll UnhookWindowsHookEx 0x409284 user32.dll SetWindowsHookExA 0x409288 user32.dll GetWindowThreadProcessId 0x40928c user32.dll GetWindowTextA 0x409290 user32.dll GetForegroundWindow 0x409294 user32.dll GetClassNameA 0x409298 user32.dll CallNextHookEx 0x40929cLooking over these imported API functions may at first seem useless to the untrained analyst. However, if you begin to dissect what some of the APIs can be used for you can begin to make assumptions about the function of this malware. For example GetTickCount is a very common API for detecting debuggers. AdjustTokenPrivileges and LookupPrivilegeValueA are both commonly used in accessing the Windows security tokens. RegSetValueExA, RegCreateKeyA, and RegCloseKey are used when accessing and altering a registry key. Taking just these APIs into consideration you could begin to make some interesting hypothesis about the capabilities of this specific sample.I’ve noticed that analysts who don’t totally understand these API function will typically ignore them. For that fact I’m creating a “cheat sheet” for the Windows API functions. The “pre-final” release is attached below.Please don’t forget that Microsoft did not build these APIs for malicious use and are very commonly used by Windows programmers (unless it’s an undocumented API). Thus analyzing just the imported APIs may not tell you if a sample is malicious or not (but is very useful if you already know a sample is malicious).Over the past month I’ve also been working on analyzing what is now over 5TB of malware to gather the most frequently used Windows APIs. This data will likely continue to process for close to another month. Once this is done I’ll work on completing this cheat sheet based on those findings and write another post about my discoveries. Keeping that in mind this list is not final and if you have any feedback, comments, questions, or recommendations please make them!In the course of developing the current list I used multiple resources, I’d just like to highlight a few. These are also great resources if you’re looking to learn more.Resources:Practical Malware Analysis – great book on reverse engineering malwareMSDN – where to go if you’re curious about a specific Windows APIWindows PE File Details – Great article that describes the fundamentals of the PE file and more details surrounding PE file importsCheat Sheet Version .5 :DownloadSource : https://www.bnxnet.com/windows-api-for-hackers/ Quote