Malware Analysis
APIs used in Malware
Networking
Raw Socket
socket()
bind()
listen()
accept()
read()
recv()
write()
shutdown(): closes the connection
Windows WinAPI Sockets
WSAStartup()
socket()
bind()
listen()
accept()
connect()
send()
recv()
WSACleanup(): closes the connection
Persistence
Registry Persistence
RegCreateKeyEx()
RegOpenKeyEx()
RegSetValueEx()
RegDeleteKeyEx()
RegGetValue()
File Persistence
GetTempPath(): gets the path to %temp%
CopyFile()
CreateFile()
WriteFile()
ReadFile()
Service Persistence
OpenSCManager()
CreateService()
StartServiceCtrlDispatcher()
Encryption
WinCrypt API
CryptAcquireContext(): must be called first to initialise the WinCrypt API
CryptGenKey()
CryptDestroyKey()
CryptDeriveKey()
CryptEncrypt()
CryptDecrypt()
CryptReleaseContext(): called at the end to clean up
Anti-Analysis/VM
IsDebuggerPresent(): checks whether a debugger is attached to the current process
GetSystemInfo()
GlobalMemoryStatus(): gets the amount of physical memory on the machine
GetVersion()
Assembly Instructions
CPUID
IN: returns 'vmware' when running on VMware
Stealth
VirtualAlloc(): used for unpacking
VirtualProtect(): used for unpacking (changes page permissions)
ReadProcessMemory(): used to inject into external processes
WriteProcessMemory(): used to inject into external processes
CreateRemoteThread(): used for DLL injection
NtUnmapViewOfSection(): used for injection
QueueUserAPC(): used for APC injection
Execution
CreateProcess()
ShellExecute()
WinExec()
ResumeThread()
Misc
GetAsyncKeyState(): often used in keyloggers
SetWindowsHookEx(): often used in keyloggers
GetForegroundWindow(): reads the status of the current window
LoadLibrary(), GetProcAddress()
CreateToolhelp32Snapshot(): gets a list of running processes
GetDC(), BitBlt(): screenshot API
InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile(): communicate with the Internet via port 80
FindResource(), LoadResource(), LockResource(): used to get any attached resources
MessageBoxA: Displays a modal dialog box that contains a system icon, a set of buttons, and a brief application-specific message, such as status or error information. The message box returns an integer value that indicates which button the user clicked.
FindNextFileA: Continues a file search from a previous call to the FindFirstFile, FindFirstFileEx, or FindFirstFileTransacted functions.
WriteFile: Writes data to the specified file or input/output (I/O) device.
WinExec: This function is provided only for compatibility with 16-bit Windows; applications should use the CreateProcess function instead. CreateProcess creates a new process and its primary thread; the new process runs in the security context of the calling process.
SetCurrentDirectoryA: Changes the current directory for the current process.
MoveFileA: Moves an existing file or a directory, including its children.
GetSystemTime: Retrieves system timing information. On a multiprocessor system, the values returned are the sum of the designated times across all processors.
GetFileSize: Retrieves the size of the specified file, in bytes.
GetCurrentDirectoryA: Retrieves the current directory for the current process.
GetCommandLineA: Retrieves the command-line string for the current process.
FindFirstFileA: Searches a directory for a file or subdirectory with a name that matches a specific name (or partial name if wildcards are used).
FindClose: Closes a file search handle opened by the FindFirstFile, FindFirstFileEx, FindFirstFileNameW, FindFirstFileNameTransactedW, FindFirstFileTransacted, FindFirstStreamTransactedW, or FindFirstStreamW functions.
CloseHandle: Closes an open object handle.
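The API groups above can drive a first-pass static triage of a sample's import table: which capabilities do the imports suggest, and do they occur in the combinations that matter? The following is an added example, not code from the original cheat sheet; the import list is constructed, and the rule names and groupings are my own choices.

```python
import re

# Constructed sample: the import table of a hypothetical PE as pestudio or
# CFF Explorer would list it (not taken from any real sample).
SAMPLE_IMPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "IsDebuggerPresent", "WriteProcessMemory", "CreateRemoteThread",
    "RegOpenKeyExA", "RegSetValueExA", "WSAStartup", "socket", "connect",
    "send", "recv", "FindResourceA", "LoadResource", "LockResource",
    "GetDC", "CloseHandle", "MessageBoxA",
]

# Capability rules built from the API groups above. A rule fires only when
# every group has at least one hit, so a lone VirtualAlloc or GetDC (normal
# in benign code) does not by itself flag injection or screen capture.
RULES = {
    "network (WinSock)": [{"WSAStartup", "socket"}, {"bind", "connect", "send", "recv"}],
    "network (WinINet, port 80)": [{"InternetOpen"}, {"InternetOpenUrl", "InternetReadFile", "InternetWriteFile"}],
    "registry persistence": [{"RegCreateKeyEx", "RegOpenKeyEx"}, {"RegSetValueEx"}],
    "service persistence": [{"OpenSCManager"}, {"CreateService"}],
    "process injection": [{"WriteProcessMemory", "NtWriteVirtualMemory"},
                          {"CreateRemoteThread", "QueueUserAPC", "ResumeThread", "NtResumeThread"}],
    "unpacking in memory": [{"VirtualAlloc"}, {"VirtualProtect"}],
    "keylogging": [{"SetWindowsHookEx", "GetAsyncKeyState"}],
    "screen capture": [{"GetDC"}, {"BitBlt"}],
    "anti-debugging": [{"IsDebuggerPresent"}],
    "WinCrypt encryption": [{"CryptAcquireContext"}, {"CryptEncrypt", "CryptDecrypt", "CryptDeriveKey"}],
    "embedded resource payload": [{"FindResource"}, {"LoadResource"}, {"LockResource"}],
    # LoadLibrary + GetProcAddress: the static import list is probably incomplete
    # (APIs are resolved at run time), so confirm under a debugger with breakpoints.
    "dynamic API resolution": [{"LoadLibrary"}, {"GetProcAddress"}],
}

def normalize(name):
    """Drop the ANSI/Unicode suffix so FindFirstFileA and FindFirstFileW both
    match the rule entry FindFirstFile; GetDC and WSAStartup are left untouched."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)

def triage(imports):
    """Map an import list to {capability: sorted list of the APIs that matched}."""
    names = {normalize(n) for n in imports}
    hits = {}
    for capability, groups in RULES.items():
        matched = [names & group for group in groups]
        if all(matched):
            hits[capability] = sorted(set().union(*matched))
    return hits

if __name__ == "__main__":
    for capability, apis in triage(SAMPLE_IMPORTS).items():
        print(f"{capability:28s} {', '.join(apis)}")
```

A packed sample typically shows only the "dynamic API resolution" pair plus a handful of harmless imports, which is itself a signal to move on to unpacking and the debugger breakpoints listed below.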
Debugging Breakpoints
bp VirtualAlloc
bp CreateProcessInternalW
bp CreateFileW
bp CreateToolhelp32Snapshot
bp WriteProcessMemory
bp NtWriteVirtualMemory
bp NtResumeThread
IDA Pro Cheat Sheet
Navigation
Jump to operand: Enter
Jump in new window: +
Jump to previous position: Esc
Jump to next position: +
Jump to address: G
Jump by name: +L
Jump to function: +P
Jump to segment: +S
Jump to segment register: +G
Jump to problem: +Q
Jump to cross reference: +X
Jump to xref to operand: X
Jump to entry point: +E
Mark position: +M
Search
Next code: +C
Next data: +D
Next explored: +A
Next unexplored: +U
Immediate value: +I
Next immediate value: +I
Text: +T
Next text: +T
Sequence of bytes: +B
Next sequence of bytes: +B
Not function: +U
Graphing
Flow chart: F12
Function calls: +F12
Comments
Enter comment: +;
Enter repeatable comment: ;
Enter anterior lines: Ins
Enter posterior lines: +Ins
Insert predefined comment: +F1
Data Format Options
ASCII strings style: +A
Setup data types: +D
Open Subviews
Names: +F4
Functions: +F3
Strings: +F12
Segments: +F7
Segment registers: +F8
Signatures: +F5
Type libraries: +F11
Structures: +F9
Enumerations: +F10
File Operations
Parse C header file: +F9
Create ASM file: +F10
Save database: +W
Debugger
Start process: F9
Terminate process: +F2
Step into: F7
Step over: F8
Run until return: +F7
Run to cursor: F4
Breakpoints
Breakpoint list: + +B
Watches
Delete watch: Del
Tracing
Stack trace: + +S
Miscellaneous
Calculator: +/
Cycle through open views: +Tab
Select tab: + [1…N]
Close current view: +F4
Exit: +X
IDC command: +F2
Edit (Data Types, etc.)
Copy: +Ins
Begin selection: +L
Manual instruction: +F2
Code: C
Data: D
Struct variable: +Q
ASCII string: A
Array: Num *
Undefine: U
Rename: N
Operand Type
Offset (data segment): O
Offset (current segment): +O
Offset by (any segment): +R
Offset (user-defined): +R
Offset (struct): T
Number (default): +3
Hexadecimal: Q
Decimal: H
Binary: B
Character: R
Segment: S
Enum member: M
Stack variable: K
Change sign: +-
Bitwise negate: +`
Manual: +F1
Segments
Edit segment: +S
Change segment register value: +G
Structs
Struct var: +Q
Force zero offset field: +Z
Select union member: +Y
Functions
Create function: P
Edit function: +P
Set function end: E
Stack variables: +K
Change stack pointer: +K
Rename register: V
Set function type: Y
x86 Assembly
Stack
EBP = Base Pointer (points to the base of the current stack frame)
ESP = Stack Pointer pointing to top of the stack
EIP = Instruction Pointer (Address of next instruction to exec)
EBX = Base (Pointer to Data)
EAX = Accumulator
ECX = Counter (Shift/Rotate instructions + loops)
EDX = Data (Arithmetic + I/O)
ESI = Source Index (Pointer of Source in stream operations)
EDI = Destination Index (Pointer to Destination in stream operations)
EFLAGS Register
CF = Carry Flag (Set when the result of an operation is too large for the destination operand)
ZF = Zero Flag (Set when the result of an operation is equal to zero)
SF = Sign Flag (Set if the result of an operation is negative)
TF = Trap Flag (Set if step by step debugging - only one instruction will be executed at a time)
Data Transfer Instructions
mov = Move (mov dest, src)
movzx = Move-Zero-Extended (movzx dest, src)
lea = Load Effective Address (lea dest, src)
xchg = Exchange/Swap (xchg dest, src)
Control Flow (Functions) Instructions
call = Execute function (call function)
push = Push value to stack (push value)
pop = Pop value off stack (pop register)
ret = Return from function (ret)
Control Flow (Jumps) Instructions
jmp = Unconditional Jump (jmp address)
je = Jump if equal (ZF = 1)
jnz = Jump if not zero / not equal (ZF = 0)
jnb = Jump if not below (CF = 0)
Arithmetic Instructions
add = Add src to dst
sub = Subtract src from dst
imul = Signed multiply (imul dest, src multiplies dest by src; imul dest, src, imm multiplies src by imm and stores the result in dest)
inc = Increment register by 1
Logic Instructions
xor = Performs bitwise XOR (xor dest, src)
shl = Shift dst left by src bits (shl dest, src)
and = Performs Bitwise AND (and dest, src)
ror = Rotate dest right by src bits (ror dest, src)
Test and Compares
test = Performs a bitwise AND on the two operands. If result is 0, ZF is set (test arg1, arg2)
cmp = Compares first operand with second operand by subtraction (cmp arg1, arg2)
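To make the flag semantics above concrete, the added example below (not part of the original cheat sheet) emulates the flags that cmp and test produce on 32-bit operands and evaluates je, jnz and jnb against them; the function names are my own. It also shows the edge case a reverser should keep in mind: jnb reads CF, so it compares unsigned values.

```python
MASK32 = 0xFFFFFFFF

def flags_after_cmp(arg1, arg2):
    """Flags after `cmp arg1, arg2`: computes arg1 - arg2 on 32-bit operands
    and discards the result, keeping only the flags."""
    a, b = arg1 & MASK32, arg2 & MASK32
    res = (a - b) & MASK32
    return {
        "ZF": res == 0,          # operands equal
        "SF": res >> 31 == 1,    # result negative when read as signed
        "CF": a < b,             # unsigned borrow: arg1 is below arg2
    }

def flags_after_test(arg1, arg2):
    """Flags after `test arg1, arg2`: bitwise AND, result discarded.
    AND-type instructions always clear CF."""
    res = (arg1 & arg2) & MASK32
    return {"ZF": res == 0, "SF": res >> 31 == 1, "CF": False}

# The conditional jumps from the list above and the flag each one reads.
JUMPS = {
    "je":  lambda f: f["ZF"],        # equal / zero
    "jnz": lambda f: not f["ZF"],    # not equal / not zero
    "jnb": lambda f: not f["CF"],    # not below (unsigned >=)
}

def jump_taken(mnemonic, flags):
    return JUMPS[mnemonic](flags)

def branch_after_cmp(mnemonic, arg1, arg2):
    """Would the sequence `cmp arg1, arg2 ; <mnemonic>` take the jump?"""
    return jump_taken(mnemonic, flags_after_cmp(arg1, arg2))

if __name__ == "__main__":
    # The idiom `test eax, eax ; jnz` branches when the return value is non-zero.
    print(jump_taken("jnz", flags_after_test(0x40000000, 0x40000000)))  # True
    # jnb is unsigned: 5 is "below" 0xFFFFFFFF even though that value reads
    # as -1 when signed, so the jump is not taken.
    print(branch_after_cmp("jnb", 5, 0xFFFFFFFF))  # False
```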
Tools:
pestudio https://www.winitor.com/download
process hacker https://processhacker.sourceforge.io/downloads.php
CFF explorer https://ntcore.com/?page_id=345