Computer Security: Windows API
Windows API
• It’s the most direct way to build applications that integrate with the Windows®
• With each version of Windows, the API gets updated and/or modified to enable the use of new features of the system.
• They provide a way for processes to call a function that is not part of their own executable code (an external function).
• The executable code for the function is located in a DLL file, which contains one or more functions that are separate from the processes that use them.
• They also facilitate the sharing of data and resources: multiple applications can simultaneously access the contents of a single copy of a DLL in memory.
Eng. Mahmoud Al-Hoby 4
Dynamic Link Libraries (DLLs)
• Dynamic Linking differs from Static Linking:
• Dynamic Linking lets the application include only the information needed at run time to locate the executable code for a DLL function.
• Static Linking copies all the referenced functions from the static link library into the application itself.
• Calling functions in the Native API bypasses the normal Windows API.
• A typical Windows API call is itself ultimately performed via the Native API.
• Since the Native API is not intended for use outside the Windows environment, it is not well documented.
The Native API
• Some of the important data structures are stored in the kernel, which
is not accessible by code outside the kernel.
• Examples
• Windows API Functions:
• ReadFile, WriteFile
• Native API Functions:
• NtReadFile, NtWriteFile
• The way a malicious program uses the Windows DLLs often offers tremendous insight when analyzing/understanding the malware.
• The native Windows APIs are written in C/C++ and are unmanaged code.
• The data types they use can be mapped to C# types and used accordingly.
• This enables the developer to read memory starting from the address specified by the pointer value, and store those bytes in the data array starting at startIndex and continuing for length bytes.
• If length exceeds the space actually available in the data array, the copy will fail.
Using the Windows API from C#
• First, we need to include a reference to the InteropServices namespace:
    using System.Runtime.InteropServices;
• Second, use the DllImport attribute:
    [DllImport("User32.dll")]
• [DllImport]
• This attribute names the DLL file that contains the function (or functions) that will be used.
• The function must be declared immediately after the [DllImport] attribute, and its signature is usually “public static extern” (extern because it is a reference to an external, unmanaged function).
• C# example:
    public static extern bool SetForegroundWindow(IntPtr hWnd);
using System;
using System.Runtime.InteropServices;

namespace WinAPI2
{
    class Program
    {
        // Plays the sound associated with the given message-box type (uType).
        [DllImport("USER32.DLL")]
        public static extern bool MessageBeep(uint uType);

        // Brings the window identified by hWnd to the foreground.
        [DllImport("User32.dll")]
        public static extern bool SetForegroundWindow(IntPtr hWnd);
    }

    class OpenClipboardEx
    {
        // Opens the clipboard; hWndNewOwner is the window taking ownership
        // (IntPtr.Zero associates the clipboard with the current task).
        [DllImport("User32.dll")]
        public static extern bool OpenClipboard(IntPtr hWndNewOwner);
    }
}
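An added complete example (not part of the original slides) that puts the declarations above into a runnable program: [DllImport] with SetLastError so failures can be reported, and a bounds-checked wrapper around Marshal.Copy that refuses reads longer than the destination array, the failure case noted on slide 25. Native, TryReadUnmanaged and the 8-byte sample buffer are this example's own names and constructed data; it runs on Windows.

```csharp
using System;
using System.Runtime.InteropServices;

namespace WinAPI2
{
    static class Native
    {
        // SetLastError = true makes the marshaller capture GetLastError() right after
        // the call, so Marshal.GetLastWin32Error() reports why this call failed.
        [DllImport("User32.dll", SetLastError = true)]
        public static extern bool MessageBeep(uint uType);
        [DllImport("User32.dll", SetLastError = true)]
        public static extern bool SetForegroundWindow(IntPtr hWnd);
    }

    class Program
    {
        const uint MB_OK = 0x00000000;   // uType value for the default beep

        // Copies `length` bytes from unmanaged memory at `ptr` into `data` at `startIndex`,
        // refusing a request that would overrun the array (Marshal.Copy itself throws there).
        static bool TryReadUnmanaged(IntPtr ptr, byte[] data, int startIndex, int length)
        {
            if (ptr == IntPtr.Zero || startIndex < 0 || length < 0 ||
                startIndex > data.Length - length)
                return false;
            Marshal.Copy(ptr, data, startIndex, length);
            return true;
        }

        static void Main()
        {
            // Constructed sample: 8 bytes of unmanaged memory standing in for a
            // buffer that a Win32 call would normally fill.
            IntPtr buffer = Marshal.AllocHGlobal(8);
            try
            {
                for (int i = 0; i < 8; i++) Marshal.WriteByte(buffer, i, (byte)(0x10 + i));
                var data = new byte[4];
                Console.WriteLine("read 4 bytes into byte[4]: " + TryReadUnmanaged(buffer, data, 0, 4));
                Console.WriteLine("read 8 bytes into byte[4]: " + TryReadUnmanaged(buffer, data, 0, 8));
            }
            finally { Marshal.FreeHGlobal(buffer); }
            // Win32 functions report failure through a false return value.
            if (!Native.SetForegroundWindow(IntPtr.Zero))
                Console.WriteLine("SetForegroundWindow failed, Win32 error " + Marshal.GetLastWin32Error());
            Native.MessageBeep(MB_OK);
        }
    }
}
```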