
Windows Functions in Malware Analysis - Cheat Sheet - Part 2

June 1, 2015 by Security Ninja

In Part 1 of this series, we discussed Windows functions that analysts commonly encounter during malware analysis. In this part, we conclude the cheat sheet with more commonly found Windows functions.

Windows Functions

  • IsNTAdmin: This function checks if the user has administrator privileges.
  • IsWoW64Process: This function is used by a 32-bit process to determine if it is running on a 64-bit operating system.
  • LdrLoadDll: This is a low-level function to load a DLL into a process, just like LoadLibrary. Normal programs use LoadLibrary, and the presence of this import may indicate a program that is attempting to be stealthy.
  • LoadResource: This function loads a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration information, or other malicious files.
  • LsaEnumerateLogonSessions: This function is used to enumerate through logon sessions on the current system, which can be used as part of a credential stealer.
  • MapViewOfFile: This function is used to map a file into memory and makes the contents of the file accessible via memory addresses. Launchers, loaders, and injectors use this function to read and modify PE files. By using MapViewOfFile, the malware can avoid using WriteFile to modify the contents of a file.
  • MapVirtualKey: This function is used to translate a virtual-key code into a character value. It is often used by keylogging malware.
  • Module32First/Module32Next: These functions are used to enumerate the modules loaded into a process. Injectors use them to determine where to inject code.
  • NetScheduleJobAdd: This function submits a request for a program to be run at a specified date and time. Malware can use NetScheduleJobAdd to run a different program, so when you find it, locate the program that is scheduled to run at a future time: that is the next stage of the malware.
  • NetShareEnum: This function is used to enumerate network shares.
  • NtQueryDirectoryFile: This function returns information about files in a directory. Rootkits commonly hook this function in order to hide files.
  • NtQueryInformationProcess: This function is used to return various information about a specified process. This function is sometimes used as an anti-debugging technique because it can return the same information as CheckRemoteDebuggerPresent.
  • NtSetInformationProcess: This function is used to change the privilege level of a program or to bypass Data Execution Prevention (DEP).
  • OpenMutex: This function opens a handle to a mutual exclusion object that can be used by malware to ensure that only a single instance of malware is running on a system at any given time. Malware often uses fixed names for mutexes, which can be good host-based indicators.
  • OpenProcess: This function is used to open a handle to another process running on the system. This handle can be used to read and write to the other process memory or to inject code into the other process.
  • OutputDebugString: This function is used to output a string to a debugger if one is attached. This can be used as an anti-debugging technique.
  • PeekNamedPipe: This function is used to copy data from a named pipe without removing data from the pipe. This function is popular with reverse shells.
  • Process32First/Process32Next: These functions are used to enumerate the processes captured by a previous call to CreateToolhelp32Snapshot. Malware often enumerates processes to find a process into which to inject.
  • QueueUserAPC: This function is used to execute code for a different thread. Malware sometimes uses QueueUserAPC to inject code into another process.
  • ReadProcessMemory: This function is used to read the memory of a remote process.
  • recv: This function is used to receive data from a remote machine. Malware often uses this function to receive data from a remote command-and-control server.
  • RegisterHotKey: This function is used to register a handler to be notified anytime a user enters a particular key combination (like CTRL-ALT-J), regardless of which window is active when the user presses the key combination. This function is sometimes used by spyware that remains hidden from the user until the key combination is pressed.
  • RegOpenKey: This function is used to open a handle to a registry key for reading and editing. Registry keys are sometimes written as a way for software to achieve persistence on a host. The registry also contains a whole host of operating system and application setting information.
  • ResumeThread: This function is used to resume a previously suspended thread. ResumeThread is used as part of several injection techniques.
  • RtlCreateRegistryKey: This function is used to create a registry key from kernel-mode code.
  • RtlWriteRegistryValue: This function is used to write a value to the registry from kernel-mode code.
  • SamIConnect: This function is used to connect to the Security Account Manager (SAM) in order to make future calls that access credential information. Hash-dumping programs access the SAM database in order to retrieve the hash of users' login passwords.
  • SamIGetPrivateData: This function is used to query the private information about a specific user from the Security Account Manager (SAM) database. Hash-dumping programs access the SAM database in order to retrieve the hash of users' login passwords.
  • SamQueryInformationUser: This function is used to query information about a specific user in the Security Account Manager (SAM) database. Hash-dumping programs access the SAM database in order to retrieve the hash of users' login passwords.
  • send: This function is used to send data to a remote machine. It is often used by malware to send data to a remote command-and-control server.
  • SetFileTime: This function is used to modify the creation, access, or last modified time of a file. Malware often uses this function to conceal malicious activity.
  • SetThreadContext: This function is used to modify the context of a given thread. Some injection techniques use SetThreadContext.
  • SetWindowsHookEx: This function is used to set a hook function to be called whenever a certain event occurs. Commonly used by keyloggers and spyware, this function also provides an easy way to load a DLL into all GUI processes on the system. This function is sometimes added by the compiler.
  • SfcTerminateWatcherThread: This function is used to disable Windows file protection and modify files that otherwise would be protected.
  • ShellExecute: This function is used to execute another program.
  • StartServiceCtrlDispatcher: This function is used by a service to connect the main thread of the process to the service control manager. Any process that runs as a service must call this function within 30 seconds of startup. Locating this function in malware tells you that the program is meant to run as a service.
  • SuspendThread: This function is used to suspend a thread so that it stops running. Malware will sometimes suspend a thread in order to modify it by performing code injection.
  • system: This function, provided by some C runtime libraries, is used to run another program. On Windows, it serves as a wrapper around CreateProcess.
  • Thread32First/Thread32Next: These functions are used to iterate through the threads of a process. Injectors use them to find an appropriate thread into which to inject.
  • Toolhelp32ReadProcessMemory: This function is used to read the memory of a remote process.
  • URLDownloadToFile: This function is used to download a file from a web server and save it to disk. This function is popular with downloaders because it implements all the functionality of a downloader in one function call.
  • VirtualAllocEx: This function is a memory-allocation routine that can allocate memory in a remote process. Malware sometimes uses VirtualAllocEx as part of process injection.
  • VirtualProtectEx: This function is used to change the protection on a region of memory. Malware may use this function to change a read-only section of memory to an executable.
  • WideCharToMultiByte: This function is used to convert a Unicode (UTF-16) string into a multibyte string such as ANSI or UTF-8. Its presence often marks the point where strings are converted before being written to a file or sent over the network.
  • WinExec: This function is used to execute another program.
  • WriteProcessMemory: This function is used to write data to a remote process. Malware uses WriteProcessMemory as part of process injection.
  • WSAStartup: This function is used to initialize low-level network functionality. Finding calls to WSAStartup is often an easy way to locate the start of network-related functionality.
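
Most of the functions above are harmless on their own; the signal is the combination. OpenProcess by itself is unremarkable, but OpenProcess together with VirtualAllocEx, WriteProcessMemory and a remote-execution primitive is an injector. The script below is an added example (not part of the original cheat sheet) that encodes the clusters described on this page as rules and runs them over a list of imports in the shape a PE parser such as pefile reports them (dll, name, ordinal). It also handles two details that trip up a plain strings pass: the ANSI/Unicode A/W suffixes (Process32FirstW is Process32First) and ws2_32.dll functions imported by ordinal, which hide send and recv unless you resolve the ordinal. The sample import list is constructed, and a few neighbouring names from Part 1 (CreateRemoteThread, CreateToolhelp32Snapshot, CreateMutex, IsDebuggerPresent, GetAsyncKeyState, CreateProcess) are assumed to be on the reader's list as well.

```python
"""Capability triage over a PE import list, using the functions on this page.

Input: the (dll, name, ordinal) triples a PE parser reports (pefile's
entry.dll / imp.name / imp.ordinal, or the output of dumpbin /imports).
Output: which capability clusters the import set supports, with the
functions that are the evidence for each. Added example, not the
article's own code.
"""
import re

# Capability rules built from the cheat-sheet descriptions. Each rule is a
# list of groups; every group must be satisfied, and any one function from
# a group satisfies it. Names not on this page (CreateRemoteThread,
# CreateToolhelp32Snapshot, CreateMutex, IsDebuggerPresent,
# GetAsyncKeyState, CreateProcess) are assumed from Part 1.
RULES = [
    ("process injection (open, write, execute in remote process)",
     [{"OpenProcess"},
      {"VirtualAllocEx", "WriteProcessMemory"},
      {"CreateRemoteThread", "QueueUserAPC", "SetThreadContext", "ResumeThread"}]),
    ("process/thread/module enumeration (injection target selection)",
     [{"CreateToolhelp32Snapshot"},
      {"Process32First", "Process32Next", "Thread32First", "Thread32Next",
       "Module32First", "Module32Next"}]),
    ("credential access via SAM / logon sessions",
     [{"SamIConnect", "SamIGetPrivateData", "SamQueryInformationUser",
       "LsaEnumerateLogonSessions"}]),
    ("keylogging / input capture",
     [{"SetWindowsHookEx", "RegisterHotKey", "MapVirtualKey", "GetAsyncKeyState"}]),
    ("anti-debugging",
     [{"NtQueryInformationProcess", "OutputDebugString",
       "CheckRemoteDebuggerPresent", "IsDebuggerPresent"}]),
    ("network C2 traffic (raw sockets)",
     [{"WSAStartup"}, {"send", "recv"}]),
    ("downloader", [{"URLDownloadToFile"}]),
    ("persistence via registry, service or scheduled job",
     [{"RegOpenKey", "RegOpenKeyEx", "RegSetValueEx", "StartServiceCtrlDispatcher",
       "NetScheduleJobAdd", "RtlCreateRegistryKey", "RtlWriteRegistryValue"}]),
    ("timestomping", [{"SetFileTime"}]),
    ("single-instance mutex (name is a host-based indicator candidate)",
     [{"OpenMutex", "CreateMutex"}]),
    ("launches another program",
     [{"WinExec", "ShellExecute", "system", "CreateProcess"}]),
]

# ws2_32.dll is commonly imported by ordinal, which hides send/recv from a
# plain strings pass. These are the documented ws2_32 export ordinals.
WS2_32_ORDINALS = {3: "closesocket", 4: "connect", 16: "recv", 19: "send",
                   23: "socket", 115: "WSAStartup"}


def normalize(dll, name, ordinal):
    """Map a raw import to the base name used in RULES.

    Drops the ANSI/Unicode A/W suffix (Process32FirstW -> Process32First)
    and resolves ws2_32 ordinal-only imports. Any other ordinal-only import
    comes back as 'dll!ordN' so it stays visible as unresolved.
    """
    if name is None:
        if dll.lower() == "ws2_32.dll" and ordinal in WS2_32_ORDINALS:
            return WS2_32_ORDINALS[ordinal]
        return f"{dll.lower()}!ord{ordinal}"
    # Only strip a trailing capital A/W that follows a lowercase letter or a
    # digit, so names such as WSAStartup or IsWow64Process are left alone.
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)


def triage(imports):
    """Return {capability label: [evidence functions]} for the import set."""
    present = {normalize(dll, name, ordinal) for dll, name, ordinal in imports}
    findings = {}
    for label, groups in RULES:
        evidence = [sorted(group & present) for group in groups]
        if all(evidence):  # every group has at least one hit
            findings[label] = [fn for hits in evidence for fn in hits]
    return findings


def unresolved(imports):
    """Ordinal-only imports the table above could not name; check these by hand."""
    return sorted(n for n in (normalize(*imp) for imp in imports) if "!ord" in n)


# Constructed import list, shaped like an injector/downloader's import table.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "OpenProcess", None),
    ("KERNEL32.dll", "VirtualAllocEx", None),
    ("KERNEL32.dll", "WriteProcessMemory", None),
    ("KERNEL32.dll", "CreateRemoteThread", None),
    ("KERNEL32.dll", "CreateToolhelp32Snapshot", None),
    ("KERNEL32.dll", "Process32FirstW", None),
    ("KERNEL32.dll", "Process32NextW", None),
    ("KERNEL32.dll", "OpenMutexA", None),
    ("KERNEL32.dll", "SetFileTime", None),
    ("KERNEL32.dll", "WideCharToMultiByte", None),
    ("WS2_32.dll", None, 115),   # WSAStartup by ordinal
    ("WS2_32.dll", None, 16),    # recv by ordinal
    ("WS2_32.dll", None, 19),    # send by ordinal
    ("ntdll.dll", "NtQueryInformationProcess", None),
    ("urlmon.dll", "URLDownloadToFileW", None),
    ("OLEAUT32.dll", None, 8),   # ordinal not in our table: reported as unresolved
]

if __name__ == "__main__":
    for label, evidence in triage(SAMPLE_IMPORTS).items():
        print(f"[+] {label}: {', '.join(evidence)}")
    for item in unresolved(SAMPLE_IMPORTS):
        print(f"[?] unresolved ordinal import: {item}")
```

Run against the sample list, the script reports the injection chain, the process enumeration that usually precedes it, raw-socket C2, the downloader, timestomping, anti-debugging and the mutex, and flags the OLEAUT32 ordinal as something to resolve by hand. Feed it only OpenProcess and it reports nothing, which is the point: treat each hit as a lead to confirm in the disassembler, not as a verdict.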

This concludes the cheat sheet of common Windows functions encountered during malware analysis.
