
Win APIs for Hackers/Reverse Engineering v.5, July 2013 -- binaryXnetworks -- www.bnxnet.com
See http://www.bnxnet.com/windows-api-for-hackers/ for additional information.

Networking APIs: WSAStartup, socket, bind, listen, accept, connect, recv, send, InternetOpen, InternetOpenUrl, InternetReadFile, CreatePipe, URLDownloadToFileA

Registry APIs: RegOpenKeyEx, RegSetValueEx, RegGetValue

Service APIs: OpenSCManager/W/A, CreateService, StartService

Object/Handle Manipulation APIs: WaitForSingleObject, WaitForMultipleObjectsEx, ReleaseMutex, CreateMutex, OpenMutex, Sleep, OleInitialize, CoInitializeEx, CoCreateInstance, DllCanUnloadNow, DllGetClassObject, DllInstall, DllRegisterServer, DllUnregisterServer

Anti-Reversing/Anti-Debugging APIs: IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess, OutputDebugString, QueryPerformanceCounter, GetTickCount, timeGetTime, NtQueryObject, NtSetInformationThread, ZwSetInformationThread, ZwClose, DebugActiveProcess

Password dumping/Pass the Hash APIs: SamIConnect, SamrQueryInformationUser, SamIGetPrivateData, SystemFunction025, SystemFunction027, LsaEnumerateLogonSessions

Obfuscation APIs: CryptAcquireContext

Keylogging APIs: GetAsyncKeyState, GetKeyState, GetForegroundWindow

Shellcode APIs: FindResource, LoadResource, SizeofResource, VirtualAllocEx, WriteProcessMemory, GetProcAddress, LoadLibraryA, WinExec, CreateProcess/W/A, CreateThread, CreateRemoteThread, SetThreadContext, ResumeThread

Suspicious System APIs: OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, CreateToolhelp32Snapshot, Process32First, Process32Next, SetWindowsHookEx, UnhookWindowsHookEx, ZwUnmapViewOfSection, NtQuerySystemInformation, NtQueryInformationProcess, NtQueryInformationThread, NtQueryInformationFile, NtQueryInformationKey, any Nt<name> (or Zw<name>)

Networking APIs
API(s): WSAStartup
Technical Description: The WSAStartup function initiates use of the Winsock DLL by a process.
DLL: ws2_32.dll
Notes: Berkeley compatible sockets call

API(s): socket, bind, listen, accept, connect, recv, send
Technical Description: Standard networking APIs
DLL: ws2_32.dll
Notes: Berkeley compatible sockets calls

API(s): InternetOpen, InternetOpenUrl, InternetReadFile
Technical Description: Initializes the application's use of the internet, opens the URL, and reads data from the handle returned by the previous call
DLL: Wininet.dll
Notes: WinINet API (higher level API than Berkeley sockets)

API(s): CreatePipe
Technical Description: Creates an anonymous pipe and returns handles to the read and write ends of the pipe.
DLL: kernel32.dll
Notes: Can be used to tie together standard output and standard input (think of malware that does its reading and writing in a thread of its own).

API(s): URLDownloadToFileA
Technical Description: Downloads a file from a URL
DLL: urlmon.dll
Notes:

Registry APIs
API(s): RegOpenKeyEx, RegSetValueEx, RegGetValue
Technical Description: These Windows APIs are used for opening a registry key, and for setting and getting the value of a registry key (respectively)
DLL: Advapi32.dll
Notes: Make sure you note which registry key the sample is using.

Service APIs
API(s): OpenSCManager/W/A
Technical Description: Establishes a connection to the service control manager on the
specified computer and opens the specified service control manager database.
DLL: Advapi32.dll
Notes: Used to interact with services.

API(s): CreateService
Technical Description: Creates a service object and adds it to the specified service
control manager database.
DLL: Advapi32.dll
Notes: Creates a new service

API(s): StartService
Technical Description: Starts a service.
DLL: Advapi32.dll
Notes: Manual method for starting a service

Object/Handle Manipulation APIs
API(s): WaitForSingleObject, WaitForMultipleObjectsEx, ReleaseMutex, CreateMutex, OpenMutex, Sleep
Technical Description: Waits for a mutex to become free, releases control of the mutex, creates a new mutex to assign control, gets control of an already existing mutex (commonly used so that only one instance runs at a time)
DLL: Kernel32.dll
Notes:

API(s): OleInitialize, CoInitializeEx
Technical Description: Each thread that uses the Microsoft Component Object Model (COM) needs to call these APIs
DLL: Ole32.dll
Notes:

API(s): CoCreateInstance
Technical Description: Creates an instance of a COM class (gets access to the COM functionality)
DLL: Ole32.dll
Notes:

API(s): DllCanUnloadNow, DllGetClassObject, DllInstall, DllRegisterServer, DllUnregisterServer
Technical Description: Used when creating a COM server
DLL: N/A
Notes: These would be exports, not imports.

Anti-Reverse Engineering / Anti-Debugging
API(s): IsDebuggerPresent
Technical Description: Determines whether the calling process is being debugged by a user-mode debugger.
DLL: Kernel32.dll
Notes: Very commonly used for anti-debugging (OllyDbg & Immunity Debugger)

API(s): CheckRemoteDebuggerPresent
Technical Description: Determines whether the specified process is being debugged.
DLL: Kernel32.dll
Notes: About the same as IsDebuggerPresent

API(s): NtQueryInformationProcess
Technical Description: Retrieves information about a process
DLL: ntdll.dll
Notes: Can be used to check for ProcessDebugPort, which would detect if a debugger
is being used.

API(s): OutputDebugString
Technical Description: Sends a string to a debugger
DLL: Kernel32.dll
Notes: Can check if a debugger is present. If the debugger is not present this API call
will return an error.

API(s): QueryPerformanceCounter, GetTickCount, timeGetTime
Technical Description: Used to check time in different ways (time difference and time since last reboot)
DLL: Kernel32.dll
Notes: Can be used to check if a debugger is present (a process under a debugger normally doesn't run through the instructions as fast as normal process execution would)

API(s): NtQueryObject
Technical Description: Retrieves various object information.
DLL: Ntdll.dll
Notes: When called with ObjectAllTypesInformation, it returns information on all object types, including DebugObject, which can point to a debugger being present

API(s): NtSetInformationThread/ZwSetInformationThread
Technical Description: Can set HideThreadFromDebugger on a thread, so that a debugger no longer receives events from it
DLL: ntdll.dll
Notes:

API(s): ZwClose
Technical Description: The ZwClose routine closes an object handle.
DLL: ntdll.dll
Notes: When a process is being debugged, calling ZwClose with an invalid handle will generate an exception.

API(s): DebugActiveProcess
Technical Description: Enables a debugger to attach to an active process and debug it.
DLL: kernel32.dll
Notes: It will generate an error if called on a process that's already being debugged.

Password dumping/Pass the Hash APIs
API(s): SamIConnect, SamrQueryInformationUser, and SamIGetPrivateData
Technical Description: Used to connect to the SAM
DLL: samsrv.dll
Notes: This is commonly used to grab the hashes (SamIGetPrivateData)

API(s): SystemFunction025, SystemFunction027
Technical Description: Decrypts password hashes
DLL: advapi32.dll
Notes: These are undocumented Windows API calls (very rare)

API(s): LsaEnumerateLogonSessions
Technical Description: Obtains a list of locally unique identifiers (contains
usernames/domains for each logon)
DLL: secur32.dll
Notes: Used in pass the hash style attacks

Obfuscation APIs
API(s): CryptAcquireContext
Technical Description: Used to initialize the Windows CryptoAPI (acquires a handle to a cryptographic service provider)
DLL: Advapi32.dll
Notes: Indicates the sample may be encrypting or decrypting data

Keylogging APIs
API(s): GetAsyncKeyState / GetKeyState
Technical Description: Polls the state of keys and gets the currently pressed key
DLL: User32.dll
Notes:

API(s): GetForegroundWindow
Technical Description: Poll which window is active
DLL: User32.dll
Notes: Can be used with a key logger to monitor the window (so it can be logged)

APIs used in shellcode
API(s): FindResource, LoadResource, SizeofResource
Technical Description: Used to load a resource, which may then be decrypted or loaded into memory
DLL: Kernel32.dll
Notes:

API(s): VirtualAllocEx, WriteProcessMemory
Technical Description: Reserves memory in the specified process and writes to it.
DLL: Kernel32.dll
Notes: Can be used when malware does process injection

API(s): GetProcAddress
Technical Description: Resolves function addresses
DLL: Kernel32.dll
Notes: Used to resolve much of what shellcode and pass-the-hash tools need at runtime

API(s): LoadLibraryA
Technical Description: Loads the specified module into the address space of the calling
process.
DLL: Kernel32.dll
Notes: Can be used in shellcode to load a dll

API(s): WinExec
Technical Description: Runs the specified application.
DLL: Kernel32.dll
Notes:

API(s): CreateProcess/W/A
Technical Description: Creates a new process and its primary thread. The new process
runs in the security context of the calling process.
DLL: Kernel32.dll
Notes:

API(s): CreateThread
Technical Description: Creates a thread to execute within the virtual address space of
the calling process.
DLL: Kernel32.dll
Notes:

API(s): CreateRemoteThread
Technical Description: Used to launch a new thread in another process
DLL: Kernel32.dll
Notes: After malware has been written into a process, it creates a new thread in that process to run its code while the host process continues as normal

API(s): SetThreadContext, ResumeThread
Technical Description: Sets the entry point to the code and resumes the thread
DLL: Kernel32.dll
Notes: After the malware's code is in memory, SetThreadContext sets the thread's start point to it, then ResumeThread executes the thread

System APIs
API(s): OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
Technical Description: Used to adjust the access token
DLL: Advapi32.dll
Notes: Can be used to escalate privileges (or try to)

API(s): CreateToolhelp32Snapshot, Process32First, Process32Next
Technical Description: Used to enumerate the currently running processes and search through them
DLL: Kernel32.dll
Notes: Used when looking for a specific process (a target for process injection, or to detect a running debugger or anti-virus)

API(s): SetWindowsHookEx, UnhookWindowsHookEx
Technical Description: Used to set up a hook and later remove it (a hook must be removed, otherwise things become unstable)
DLL: User32.dll
Notes: Can be used in user-land rootkits

API(s): ZwUnmapViewOfSection
Technical Description: Unmaps a mapped view of a section from the address space of the specified process.
DLL: ntdll.dll
Notes: Can be used to replace process memory to make room for the malware's own code.

API(s): NtQuerySystemInformation, NtQueryInformationProcess, NtQueryInformationThread, NtQueryInformationFile, and NtQueryInformationKey
Technical Description: Retrieves the specified system, process, thread, file, or key information.
DLL: Ntdll.dll
Notes:

API(s): Any Nt<name> (or Zw<name>)
Technical Description: These are lower level calls not commonly used by normal Windows applications.
DLL: ntdll.dll
Notes:
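A triage helper built on this sheet, added here as an example and not part of the original cheat sheet: it maps a binary's imported function names (as you would get from strings or a PE parser) onto the categories above and flags API combinations that together point to the techniques the notes describe (remote thread injection, process hollowing, process enumeration, privilege adjustment). The category table and the technique sets are my own encoding of the sheet, the A/W-suffix stripping is a heuristic, and the import list is constructed.

```python
# API -> category, taken from the sheet above (A/W suffixes dropped so both variants match).
CATEGORIES = {
    "Networking": ["WSAStartup", "socket", "bind", "listen", "accept", "connect", "recv", "send",
                   "InternetOpen", "InternetOpenUrl", "InternetReadFile", "CreatePipe", "URLDownloadToFile"],
    "Registry": ["RegOpenKeyEx", "RegSetValueEx", "RegGetValue"],
    "Service": ["OpenSCManager", "CreateService", "StartService"],
    "Anti-Debugging": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
                       "OutputDebugString", "QueryPerformanceCounter", "GetTickCount", "timeGetTime", "NtQueryObject",
                       "NtSetInformationThread", "ZwSetInformationThread", "ZwClose", "DebugActiveProcess"],
    "Password dumping": ["SamIConnect", "SamrQueryInformationUser", "SamIGetPrivateData",
                         "SystemFunction025", "SystemFunction027", "LsaEnumerateLogonSessions"],
    "Keylogging": ["GetAsyncKeyState", "GetKeyState", "GetForegroundWindow"],
    "Shellcode/Injection": ["FindResource", "LoadResource", "SizeofResource", "VirtualAllocEx",
                            "WriteProcessMemory", "GetProcAddress", "LoadLibrary", "WinExec", "CreateProcess",
                            "CreateThread", "CreateRemoteThread", "SetThreadContext", "ResumeThread"],
    "System": ["OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges", "CreateToolhelp32Snapshot",
               "Process32First", "Process32Next", "SetWindowsHookEx", "UnhookWindowsHookEx", "ZwUnmapViewOfSection"],
}
LOOKUP = {api.lower(): (cat, api) for cat, apis in CATEGORIES.items() for api in apis}
# API combinations that together indicate a technique the sheet's notes describe (my own encoding).
TECHNIQUES = {
    "remote thread injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "process hollowing": {"CreateProcess", "ZwUnmapViewOfSection", "SetThreadContext", "ResumeThread"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"},
}

def normalize(name):  # heuristic: drop a trailing A/W (ANSI/Unicode variant) that follows a lowercase letter
    return name[:-1] if len(name) > 2 and name[-1] in "AW" and name[-2].islower() else name

def triage(imports):
    """Return ({category: [matched APIs]}, [techniques whose whole API set is imported])."""
    seen = {normalize(i) for i in imports}
    hits = {}
    for n in sorted(seen):
        if n.lower() in LOOKUP:
            cat, api = LOOKUP[n.lower()]
            hits.setdefault(cat, []).append(api)
        elif n.startswith(("Nt", "Zw")):  # the sheet's "any Nt<name> (or Zw)" rule, case-sensitive so ntohs is skipped
            hits.setdefault("Native API (Nt/Zw)", []).append(n)
    lower = {n.lower() for n in seen}
    techs = sorted(t for t, need in TECHNIQUES.items() if {a.lower() for a in need} <= lower)
    return hits, techs

SAMPLE_IMPORTS = [  # constructed import list, not taken from any real binary
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "IsDebuggerPresent", "NtQueryInformationProcess",
    "ZwSetInformationThread", "GetProcAddress", "LoadLibraryA", "ntohs", "MessageBoxW",
]
```

For the constructed list, triage(SAMPLE_IMPORTS) groups the imports into the Anti-Debugging, Shellcode/Injection and System categories and reports "process enumeration" and "remote thread injection", while a single suspicious import on its own (IsDebuggerPresent is common in benign software) only contributes a category hit.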
