· Abhinav Kumar · Malware Analysis · 2 min read
Windows API Calls for Malware Analysis
Windows API Calls that can help with Malware Analysis
Its is very essential to know and understand Windows API calls that can be utilized by malwares. Knowing these help with:-
- Understand the flow of program/malware.
- Understand capabilities of a program/malware.
- Know where to set breakpoints when performing Reverse Engineering over app/malware.
I have only curated this, the references will be at bottom of post to the original authors and blogs.
| Name | Brief | Stages | Sample Code |
|---|---|---|---|
| NtVirtualAllocX | Important API for memory allocation | Memory Management | VirtualAllocEx(); |
| NtCreateFile | Important API for file creation | File Operations | CreateFile(); |
| NtReadFile | Important API for reading files | File Operations | ReadFile(); |
| NtTerminateProcess | Important API for ending processes | Process Management | TerminateProcess(); |
| NtOpenProcess | Important API for accessing processes | Process Management | OpenProcess(); |
| NtQuerySystemInformation | Important API for system info retrieval | System Monitoring | GetSystemInfo(); |
| NtQueryDirectoryFile | Important API for directory queries | File Operations | FindFirstFile(); |
| NtOpenThread | Important API for accessing threads | Thread Management | OpenThread(); |
| NtSetInformationFile | Important API for file info modification | File Operations | SetFileInformationByHandle(); |
| NtQueryInformationProcess | Important API for process info retrieval | Process Monitoring | GetProcessInformation(); |
| NtAllocateVirtualMemory | Important API for virtual memory allocation | Memory Management | VirtualAlloc(); |
| NtFreeVirtualMemory | Important API for virtual memory release | Memory Management | VirtualFree(); |
| NtWriteFile | Important API for writing to files | File Operations | WriteFile(); |
| NtClose | Important API for closing handles | Handle Management | CloseHandle(); |
| NtDelayExecution | Important API for thread delays | Thread Management | Sleep(); |
| NtQueryKey | Important API for querying registry keys | Registry Operations | RegQueryValueEx(); |
| NtSetValueKey | Important API for setting registry values | Registry Operations | RegSetValueEx(); |
| NtOpenKey | Important API for opening registry keys | Registry Operations | RegOpenKeyEx(); |
| NtQueryValueKey | Important API for querying registry values | Registry Operations | RegQueryValueEx(); |
| NtEnumerateValueKey | Important API for enumerating registry values | Registry Operations | RegEnumValue(); |
| NtProtectVirtualMemory | Important API for memory protection | Memory Management | VirtualProtect(); |
| NtDuplicateObject | Important API for duplicating handles | Handle Management | DuplicateHandle(); |
| NtAdjustPrivilegesToken | Important API for adjusting token privileges | Security Management | AdjustTokenPrivileges(); |
| NtLoadDriver | Important API for loading device drivers | Driver Operations | LoadDriver(); |
| NtUnloadDriver | Important API for unloading device drivers | Driver Operations | UnloadDriver(); |
| NtMapViewOfSection | Important API for mapping view of a section | Memory Management | MapViewOfFile(); |
| NtUnmapViewOfSection | Important API for unmapping view of a section | Memory Management | UnmapViewOfFile(); |
| NtQueryVolumeInformationFile | Important API for querying volume information | File Operations | GetVolumeInformation(); |
| NtDeviceIoControlFile | Important API for device I/O control | Device Operations | DeviceIoControl(); |
| NtWaitForSingleObject | Important API for waiting on an object | Synchronization | WaitForSingleObject(); |
| NtWaitForMultipleObjects | Important API for waiting on multiple objects | Synchronization | WaitForMultipleObjects(); |
| NtSetEvent | Important API for setting an event | Synchronization | SetEvent(); |
| NtResetEvent | Important API for resetting an event | Synchronization | ResetEvent(); |
| NtCreateMutant | Important API for creating a mutex | Synchronization | CreateMutex(); |
| NtReleaseMutant | Important API for releasing a mutex | Synchronization | ReleaseMutex(); |
| NtSuspendThread | Important API for suspending threads | Thread Management | SuspendThread(); |
| NtResumeThread | Important API for resuming threads | Thread Management | ResumeThread(); |
| NtSetInformationThread | Important API for setting thread information | Thread Management | SetThreadInformation(); |
| NtQueryPerformanceCounter | Important API for performance counter queries | Performance Monitoring | QueryPerformanceCounter(); |
| NtQuerySemaphore | Important API for querying semaphore | Synchronization | QuerySemaphore(); |
| NtSetTimer | Important API for setting timers | Timer Operations | SetWaitableTimer(); |
| NtCancelTimer | Important API for canceling timers | Timer Operations | CancelWaitableTimer(); |
References
- Hadees Blog [Original Source of this article]
Share:
