Jump to content
Sign in to follow this  
NO-MERCY

The Windows API for Hackers and Reverse Engineers

Recommended Posts

The Windows API for Hackers and Reverse Engineers

The Windows API is one of the “must know” areas for most reverse engineers and exploit writers. It’s an area than the more I use the APIs the more that I find myself looking up speific APIs and wishing that I would have known what I know now about these sometimes vague and/or mysterious functions.

Why should someone who’s in the INFOSEC community care about these APIs? Well to put it shortly, they can make your life considerably easier. If you do incident response, are just getting starting writing exploits, or anything related, then you’ve likely seen these APIs mentioned before. They’re a crucial part of everything from shellcode design to malware analysis.

One of the most common places you’ll run into these APIs is in malware analysis. The Windows APIs are crucial to nearly every piece of software that runs on Windows. Without these APIs malware authors would be left writing a considerable amount more code, which few malware authors want to do. Knowing that these are going to be the malware’s link to Windows itself, just examining the APIs can give you great clues about what the malware is trying to do. (Note: malware authors could statically compile their code, which would not need to import the APIs, this is not common and would leave the malware sample significantly larger)

There are endless tools which will show you which APIs are being imported. Some of the most common tools are OllyDbg, Immunity Debugger, IDA Pro, MASTIFF, and countless other tools and scripts. Let’s take a look at a malware sample’s imports.

kernel32.dll        	DeleteCriticalSection         0x4090dc  
kernel32.dll LeaveCriticalSection 0x4090e0
kernel32.dll EnterCriticalSection 0x4090e4
kernel32.dll VirtualFree 0x4090e8
kernel32.dll LocalFree 0x4090ec
kernel32.dll GetCurrentThreadId 0x4090f0
kernel32.dll GetStartupInfoA 0x4090f4
kernel32.dll GetCommandLineA 0x4090f8
kernel32.dll FreeLibrary 0x4090fc
kernel32.dll ExitProcess 0x409100
kernel32.dll WriteFile 0x409104
kernel32.dll UnhandledExceptionFilter 0x409108
kernel32.dll RtlUnwind 0x40910c
kernel32.dll RaiseException 0x409110
kernel32.dll GetStdHandle 0x409114
user32.dll GetKeyboardType 0x40911c
user32.dll MessageBoxA 0x409120
advapi32.dll RegQueryValueExA 0x409128
advapi32.dll RegOpenKeyExA 0x40912c
advapi32.dll RegCloseKey 0x409130
kernel32.dll TlsSetValue 0x409138
kernel32.dll TlsGetValue 0x40913c
kernel32.dll TlsFree 0x409140
kernel32.dll TlsAlloc 0x409144
kernel32.dll LocalFree 0x409148
kernel32.dll LocalAlloc 0x40914c
wsock32.dll closesocket 0x409154
wsock32.dll WSACleanup 0x409158
wsock32.dll recv 0x40915c
wsock32.dll send 0x409160
wsock32.dll connect 0x409164
wsock32.dll htons 0x409168
wsock32.dll socket 0x40916c
wsock32.dll WSAStartup 0x409170
wsock32.dll gethostbyname 0x409174
advapi32.dll RegSetValueExA 0x40917c
advapi32.dll RegCreateKeyA 0x409180
advapi32.dll RegCloseKey 0x409184
advapi32.dll AdjustTokenPrivileges 0x409188
advapi32.dll LookupPrivilegeValueA 0x40918c
advapi32.dll OpenProcessToken 0x409190
user32.dll GetForegroundWindow 0x409198
user32.dll wvsprintfA 0x40919c
kernel32.dll CloseHandle 0x4091a4
kernel32.dll RtlMoveMemory 0x4091a8
kernel32.dll RtlZeroMemory 0x4091ac
kernel32.dll WriteProcessMemory 0x4091b0
kernel32.dll ReadProcessMemory 0x4091b4
kernel32.dll VirtualProtect 0x4091b8
kernel32.dll Sleep 0x4091bc
kernel32.dll GetTickCount 0x4091c0
kernel32.dll MoveFileExA 0x4091c4
kernel32.dll ReadFile 0x4091c8
kernel32.dll WriteFile 0x4091cc
kernel32.dll SetFilePointer 0x4091d0
kernel32.dll FindClose 0x4091d4
kernel32.dll FindFirstFileA 0x4091d8
kernel32.dll DeleteFileA 0x4091dc
kernel32.dll CreateFileA 0x4091e0
kernel32.dll GetPrivateProfileIntA 0x4091e4
kernel32.dll GetPrivateProfileStringA 0x4091e8
kernel32.dll WritePrivateProfileStringA 0x4091ec
kernel32.dll SetFileAttributesA 0x4091f0
kernel32.dll GetCurrentProcessId 0x4091f4
kernel32.dll GetCurrentProcess 0x4091f8
kernel32.dll Process32Next 0x4091fc
kernel32.dll Process32First 0x409200
kernel32.dll Module32Next 0x409204
kernel32.dll Module32First 0x409208
kernel32.dll CreateToolhelp32Snapshot 0x40920c
kernel32.dll WinExec 0x409210
kernel32.dll lstrcpyA 0x409214
kernel32.dll lstrcatA 0x409218
kernel32.dll lstrcmpiA 0x40921c
kernel32.dll lstrcmpA 0x409220
kernel32.dll lstrlenA 0x409224
kernel32.dll lstrlenA 0x40922c
kernel32.dll lstrcpyA 0x409230
kernel32.dll lstrcmpiA 0x409234
kernel32.dll lstrcmpA 0x409238
kernel32.dll lstrcatA 0x40923c
kernel32.dll WriteProcessMemory 0x409240
kernel32.dll VirtualProtect 0x409244
kernel32.dll TerminateThread 0x409248
kernel32.dll TerminateProcess 0x40924c
kernel32.dll Sleep 0x409250
kernel32.dll OpenProcess 0x409254
kernel32.dll GetWindowsDirectoryA 0x409258
kernel32.dll GetTickCount 0x40925c
kernel32.dll GetSystemDirectoryA 0x409260
kernel32.dll GetModuleHandleA 0x409264
kernel32.dll GetCurrentProcessId 0x409268
kernel32.dll GetCurrentProcess 0x40926c
kernel32.dll GetComputerNameA 0x409270
kernel32.dll ExitProcess 0x409274
kernel32.dll CreateThread 0x409278
user32.dll wvsprintfA 0x409280
user32.dll UnhookWindowsHookEx 0x409284
user32.dll SetWindowsHookExA 0x409288
user32.dll GetWindowThreadProcessId 0x40928c
user32.dll GetWindowTextA 0x409290
user32.dll GetForegroundWindow 0x409294
user32.dll GetClassNameA 0x409298
user32.dll CallNextHookEx 0x40929c

Looking over these imported API functions may at first seem useless to the untrained analyst. However, if you begin to dissect what some of the APIs can be used for you can begin to make assumptions about the function of this malware. For example GetTickCount is a very common API for detecting debuggers. AdjustTokenPrivileges and LookupPrivilegeValueA are both commonly used in accessing the Windows security tokens. RegSetValueExA, RegCreateKeyA, and RegCloseKey are used when accessing and altering a registry key. Taking just these APIs into consideration you could begin to make some interesting hypothesis about the capabilities of this specific sample.

I’ve noticed that analysts who don’t totally understand these API function will typically ignore them. For that fact I’m creating a “cheat sheet” for the Windows API functions. The “pre-final” release is attached below.

Please don’t forget that Microsoft did not build these APIs for malicious use and are very commonly used by Windows programmers (unless it’s an undocumented API). Thus analyzing just the imported APIs may not tell you if a sample is malicious or not (but is very useful if you already know a sample is malicious).

Over the past month I’ve also been working on analyzing what is now over 5TB of malware to gather the most frequently used Windows APIs. This data will likely continue to process for close to another month. Once this is done I’ll work on completing this cheat sheet based on those findings and write another post about my discoveries. Keeping that in mind this list is not final and if you have any feedback, comments, questions, or recommendations please make them!

In the course of developing the current list I used multiple resources, I’d just like to highlight a few. These are also great resources if you’re looking to learn more.

Resources:

Practical Malware Analysis – great book on reverse engineering malware

MSDN – where to go if you’re curious about a specific Windows API

Windows PE File Details – Great article that describes the fundamentals of the PE file and more details surrounding PE file imports

Cheat Sheet Version .5 :

Download

Source : https://www.bnxnet.com/windows-api-for-hackers/

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...