Computer Security

Windows API

Eng. Mahmoud Al-Hoby 1

Windows API
• The common name of a set of Application Programming Interfaces
(APIs), that are provided with the Microsoft® Windows® Operating
System.

• It’s the most direct way to build applications that integrate with the
Windows®

• The complete list of Windows API functions include thousands of

functions, most of them are documented, but many are not..

Eng. Mahmoud Al-Hoby 2

Windows API
• Formerly, it was called “Win32 API”, which was used on 32-bit
Windows.

• However, the term “Windows API”, is broader, since it provides

support for 16-bit up to 64-bit Windows

• With each version of Windows, the API gets updated and/or modified,
to enable the use of new features of the System

Eng. Mahmoud Al-Hoby 3

Dynamic Link Libraries (DLLs)
• An executable file that acts as a shared library of functions.

• They provide a way for processes to call a function that is not part of its
executable code (external).

• The executable code for the function is located in a DLL file, which contains
one or more functions that are separate from the processes that use them.

• They also facilitate the sharing of data and resources. Multiple applications
can simultaneously access the contents of a single copy of a DLL in memory.
Eng. Mahmoud Al-Hoby 4
Dynamic Link Libraries (DLLs)
• Dynamic Linking differs from Static Linking:
• Dynamic Liking allows the application to include only the information needed
at run time to locate the executable code for a DLL function.

• Static Linking will let the application gets all the referenced functions from the
static link library.

• Using DLLs makes the size of the executable file smaller.

• If several applications use the same DLL, this can be a big savings in disk space
and memory.

Eng. Mahmoud Al-Hoby 5

Managed and Unmanaged Code
• Managed Code refers to the Actual .NET code, that the developer is in
full control of (and can manage it as needed), and that is compiled
into .NET CIL (Common Intermediate Language)

• Unmanaged Code, refers to the external code that compiles to direct

machine code, without the need for any intermediate language like
.NET

Eng. Mahmoud Al-Hoby 6

Windows API and DLLs
• The Set of Windows APIs are distributed in a set of DLLs that are
provided with the Windows Operating System, Mainly in the following
DLLs
• User32.dll
• Windows management functions for message handling, timers, menus, and
communications.
• Kernel32.dll
• Low-level operating system functions for memory management and resource handling.
• GDI32.dll
• Graphics Device Interface (GDI) functions for device output, such as those for drawing
and font management.

Eng. Mahmoud Al-Hoby 7

Windows API and DLLs
• We can use tools like (DLL Export Viewer) to list the functions in a
specific DLL, and that are possible to use (exported functions)
• Exported Functions: Those functions that are available to programmers to use
outside the DLL
• Import Functions: Those functions that are only used internally, and cannot be
used by other applications or DLLs.

Eng. Mahmoud Al-Hoby 8

Eng. Mahmoud Al-Hoby 9
Advantages of using Windows API
• Besides the advantages of using the DLLs, Developers will gain a major
advantage of using DLLs that are Known to exist in Windows.

• This is desired when developers wish to increase the compatibility of

their products with different versions of Windows.

Eng. Mahmoud Al-Hoby 10

Naming Convention
• Much Windows API functions use their own Names to represent the
native data-types,
• WORD and DWORD represent 16-bit and 32-bit unsigned integers.
• Standard data-types types like int, short, and unsigned int are not normally
used.

• Windows generally uses Hungarian Notation.. Which allows the

identification of the data-type directly from the variable name

Eng. Mahmoud Al-Hoby 11

Hungarian Notation
Data-Type Description Example
WORD (w) A 16-bit unsigned value. wLength
DWORD (dw) Double-word (32-bit unsigned value) dwLength
A Reference to an Object. The actual data that
Handles (H)
is referenced by a Handle, must be interpreted HWND, HDATA
(HModule, HInstance, Hkey)
by the Windows API only
Long Pointer (LP)
A pointer to another type. lpLength
(LPByte, LPCSTR)

Eng. Mahmoud Al-Hoby 12

The Native API
• The Native API is a lower-level interface for interacting with Windows.
• Rarely used by application developers, but is popular among malware writers.

• Calling functions in the Native API bypasses the normal Windows API.

• A Typical Windows API call is usually performed via the Native API.

• Since Native API is not intended for use outside the Windows
Environment, they’re well not documented.
Eng. Mahmoud Al-Hoby 13
The Native API
• Some of the important data structures are stored in the kernel, which
is not accessible by code outside the kernel.

• This led Microsoft to create a process to allow users to access those

structure
• Applications are given access to user APIs such as kernel32.dll
• Kernell32.dll would call ntdll.dll
• The processor then switches to kernel mode and execute a function in the
kernel

Eng. Mahmoud Al-Hoby 14

The Native API

Eng. Mahmoud Al-Hoby 15

The Native API
• Native API functions are usually preceded with Nt.

• Examples
• Windows API Functions:
• ReadFile, WriteFile
• Native API Functions:
• NtReadFile, NtWriteFile

Eng. Mahmoud Al-Hoby 16

Windows API and Computer Security
• Windows API are part of the Operating System, and include
thousands of functions that “anyone” can use..

• This is why its constantly used by malware writers to:

• Minimize the size of their malware
• Ensuring that the malware can run on the desired target system

Eng. Mahmoud Al-Hoby 17

Windows API and Computer Security
• Most malware uses the basic Windows DLLs found on every system.

• The way that a malicious program uses the Windows DLLs often offers
tremendous insight to when analyzing/understanding the malware

• More on that later in chapters

Eng. Mahmoud Al-Hoby 18

Exploring API Functions
• Microsoft provides multiple ways of exploring the API functions, and
to determine which ones would be favorable to use.
• https://msdn.microsoft.com/en-us/library/aa383749(VS.85).aspx

• Functions can be explored by:

• Alphabetical Order
• Category
• Release
• Compatibility with 16-bit Windows

Eng. Mahmoud Al-Hoby 19

Using the Windows API using C#
• Before using WinAPI functions in a C# application, we must first
understand the datatypes that are commonly used with the APIs.

• The Native Windows API are programmed using C/C++ and are
unmanaged pieces of code.
• The data-types they use can be mapped to C# and used accordingly

Eng. Mahmoud Al-Hoby 20

 Windows API DataType C# Equivalent
DWORD UInt32, uint
UINT UInt32, uint
HWND IntPtr
 BOOL bool, [MarshalAsUnmanagedType.Bool)]
 pointers as function parameters  Use keywords ref or out
 WORD  ushort
 LPVOID  IntPtr
 DWORD_PTR  IntPtr
 ULONG  UInt32, uint
 HANDLE (= PVOID)  IntPtr
LPCStr string

Eng. Mahmoud Al-Hoby 21

Pointers,
• A Pointer is a special variable that doesn’t contain the value of the
variable, but rather its memory address.

• Pointers were dangerous, because they allow developers to directly

manipulate the memory

Eng. Mahmoud Al-Hoby 22

Pointers in C/C++

Eng. Mahmoud Al-Hoby 23

Pointers and C#
• In C#, a Pointer can be “managed” by an IntPtr Object

• A Null Pointer, that refers to nothing, is Equivalent to “IntPtr.Zero”

• Its very common to use IntPtrs when working in C# with Windows

API

Eng. Mahmoud Al-Hoby 24

Pointers and C#
• To read the actual data that the C# IntPtr refernces in Memory, we
can use a special function provided by the .NET Framework
Marshal.Copy(IntPtr pointer, byte[] data, int startIndex, int length);

• This will enable the developer to read the memory, starting from the
address specified by the pointer value, and then store those values in
the data array, starting from the startIndex and up to (length) of data.
• If the length of data exceeds the actual size of the data array, the process will
fail.
Eng. Mahmoud Al-Hoby 25
Using the Windows API using C#
• First, we need to include a reference to InteropServices namespace:
using System.Runtime.InteropServices;

• Second, Use
[DllImport("User32.dll")]

• Then, define the API fuction

public static extern bool SetForegroundWindow(IntPtr hWnd);

Eng. Mahmoud Al-Hoby 26

Using the Windows API using C#
• InteropServices:
• A Special namespace that provides the mechanisms needed to interoperate
with unmanaged code.

• [DllImport]
• This method is used to include the dll file that contains the function (or
functions) that will be used.
• The function must be declared after the [DllImport], and its signature is
usually “public static extern” (extrn because it’s a reference to an external
unmanaged function)

Eng. Mahmoud Al-Hoby 27

Using the Windows API using C#

• C#
public static extern bool SetForegroundWindow(IntPtr hWnd);

Eng. Mahmoud Al-Hoby 28

Practice

Eng. Mahmoud Al-Hoby 29

Understanding Pointers
using System;
using System.Runtime.InteropServices;
namespace WinAPI3{
class Program {
static void Main(string[] args) {
IntPtr strPtr = Marshal.StringToHGlobalUni("Hello World!");
char[] data = new char[10];
for(int i=0; i<data.Length; i++) {
data[i] = (char)1;
}

Marshal.Copy(strPtr, data, 2, 5);

foreach (char x in data) {
Console.WriteLine("{0},\t{1}", x, (int)x);
}
}
}
}
Eng. Mahmoud Al-Hoby 30
Eng. Mahmoud Al-Hoby 31
MessageBeep Function
using System.Runtime.InteropServices;

namespace WinAPI2
{
class Program
{
[DllImport("USER32.DLL")]
public static extern bool MessageBeep(uint uType);

static void Main(string[] args)

{
MessageBeep(0xFFFFFFFF);
}
}
}

Eng. Mahmoud Al-Hoby 32

Eng. Mahmoud Al-Hoby 33
Eng. Mahmoud Al-Hoby 34
class Program{
[DllImport("User32.dll")]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

[DllImport("User32.dll")]
public static extern bool SetForegroundWindow(IntPtr hWnd);

static void Main(string[] args)

{
IntPtr h= FindWindow("notepad", null);
if (h == IntPtr.Zero) {
Console.WriteLine("App is not running.");
}
else{
SetForegroundWindow(h);
}
}
}

Eng. Mahmoud Al-Hoby 35

Eng. Mahmoud Al-Hoby 36
OpenClipboard Function
using System;
using System.Runtime.InteropServices;

namespace WinAPI2
{
class OpenClipboardEx
{
[DllImport("User32.dll")]
public static extern bool OpenClipboard(IntPtr hWndNewOwner);

static void Mail(string[] args)

{
OpenClipboard(IntPtr.Zero);
while (true) { }
}
}
}

Eng. Mahmoud Al-Hoby 37