hacktricks/src/reversing/common-api-used-in-malware.md

# Common API used in Malware

{{#include ../banners/hacktricks-training.md}}

## Generic

### Networking

| Raw Sockets   | WinAPI Sockets |
| ------------- | -------------- |
| socket()      | WSAStratup()   |
| bind()        | bind()         |
| listen()      | listen()       |
| accept()      | accept()       |
| connect()     | connect()      |
| read()/recv() | recv()         |
| write()       | send()         |
| shutdown()    | WSACleanup()   |

### Persistence

| Registry         | File          | Service                      |
| ---------------- | ------------- | ---------------------------- |
| RegCreateKeyEx() | GetTempPath() | OpenSCManager                |
| RegOpenKeyEx()   | CopyFile()    | CreateService()              |
| RegSetValueEx()  | CreateFile()  | StartServiceCtrlDispatcher() |
| RegDeleteKeyEx() | WriteFile()   |                              |
| RegGetValue()    | ReadFile()    |                              |

### Encryption

| Name                  |
| --------------------- |
| WinCrypt              |
| CryptAcquireContext() |
| CryptGenKey()         |
| CryptDeriveKey()      |
| CryptDecrypt()        |
| CryptReleaseContext() |

### Anti-Analysis/VM

| Function Name                                             | Assembly Instructions |
| --------------------------------------------------------- | --------------------- |
| IsDebuggerPresent()                                       | CPUID()               |
| GetSystemInfo()                                           | IN()                  |
| GlobalMemoryStatusEx()                                    |                       |
| GetVersion()                                              |                       |
| CreateToolhelp32Snapshot \[Check if a process is running] |                       |
| CreateFileW/A \[Check if a file exist]                    |                       |

### Stealth

| Name                     |                                                                            |
| ------------------------ | -------------------------------------------------------------------------- |
| VirtualAlloc             | Alloc memory (packers)                                                     |
| VirtualProtect           | Change memory permission (packer giving execution permission to a section) |
| ReadProcessMemory        | Injection into external processes                                          |
| WriteProcessMemoryA/W    | Injection into external processes                                          |
| NtWriteVirtualMemory     |                                                                            |
| CreateRemoteThread       | DLL/Process injection...                                                   |
| NtUnmapViewOfSection     |                                                                            |
| QueueUserAPC             |                                                                            |
| CreateProcessInternalA/W |                                                                            |

### Execution

| Function Name    |
| ---------------- |
| CreateProcessA/W |
| ShellExecute     |
| WinExec          |
| ResumeThread     |
| NtResumeThread   |

### Miscellaneous

- GetAsyncKeyState() -- Key logging
- SetWindowsHookEx -- Key logging
- GetForeGroundWindow -- Get running window name (or the website from a browser)
- LoadLibrary() -- Import library
- GetProcAddress() -- Import library
- CreateToolhelp32Snapshot() -- List running processes
- GetDC() -- Screenshot
- BitBlt() -- Screenshot
- InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
- FindResource(), LoadResource(), LockResource() -- Access resources of the executable

## Malware Techniques

### DLL Injection

Teua DLL isiyo ya kawaida ndani ya mchakato mwingine

1. Tafuta mchakato wa kuingiza DLL mbaya: CreateToolhelp32Snapshot, Process32First, Process32Next
2. Fungua mchakato: GetModuleHandle, GetProcAddress, OpenProcess
3. Andika njia ya DLL ndani ya mchakato: VirtualAllocEx, WriteProcessMemory
4. Unda thread katika mchakato ambayo itapakia DLL mbaya: CreateRemoteThread, LoadLibrary

Mifunction mingine ya kutumia: NTCreateThreadEx, RtlCreateUserThread

### Reflective DLL Injection

Pakia DLL mbaya bila kuita simu za kawaida za Windows API.\
DLL inachorwa ndani ya mchakato, itatatua anwani za uagizaji, kurekebisha uhamasishaji na kuita kazi ya DllMain.

### Thread Hijacking

Pata thread kutoka kwa mchakato na ufanye ipakie DLL mbaya

1. Pata thread lengwa: CreateToolhelp32Snapshot, Thread32First, Thread32Next
2. Fungua thread: OpenThread
3. Suspend thread: SuspendThread
4. Andika njia ya DLL mbaya ndani ya mchakato wa mwathirika: VirtualAllocEx, WriteProcessMemory
5. Anza tena thread ikipakia maktaba: ResumeThread

### PE Injection

Uhamasishaji wa Utekelezaji wa Portable: Utekelezaji utaandikwa katika kumbukumbu ya mchakato wa mwathirika na utaanzishwa kutoka hapo.

### Process Hollowing (a.k.a **RunPE**)

`Process Hollowing` ni moja ya mbinu maarufu za **kuepuka ulinzi / utekelezaji** zinazotumiwa na malware ya Windows. Wazo ni kuzindua mchakato *halali* katika hali ya **kusimamishwa**, kuondoa (hollow) picha yake ya asili kutoka kwa kumbukumbu na nakala ya **PE isiyo ya kawaida** mahali pake. Wakati thread kuu hatimaye inarejelewa, kiingilio kibaya kinatekelezwa chini ya kivuli cha binary iliyoaminika (mara nyingi imesainiwa na Microsoft).

Mchakato wa kawaida:

1. Zindua mwenyeji mzuri (mfano `RegAsm.exe`, `rundll32.exe`, `msbuild.exe`) **kusimamishwa** ili hakuna maagizo yanayoendesha bado.
```c
STARTUPINFOA  si = { sizeof(si) };
PROCESS_INFORMATION pi;
CreateProcessA("C:\\Windows\\Microsoft.NET\\Framework32\\v4.0.30319\\RegAsm.exe",
NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
```
2. Soma mzigo mbaya katika kumbukumbu na uchambue vichwa vyake vya PE ili kupata `SizeOfImage`, sehemu na `EntryPoint` mpya.
3. **NtUnmapViewOfSection** / **ZwUnmapViewOfSection** – ondoa msingi wa picha ya asili ya mchakato ulio kusimamishwa.
4. **VirtualAllocEx** – hifadhi kumbukumbu ya RWX ya `SizeOfImage` ndani ya mchakato wa mbali.
5. **WriteProcessMemory** – nakala ya `Headers` kwanza, kisha tembea juu ya sehemu ukinakili data zao za ghafi.
6. **SetThreadContext** – pata thamani ya `EAX/RAX` (`RCX` kwenye x64) au `Rip` katika muundo wa muktadha ili `EIP` iangalie kwenye `EntryPoint` ya mzigo.
7. **ResumeThread** – thread inaendelea, ikitekeleza msimbo uliotolewa na mshambuliaji.

Mfano wa chini wa uthibitisho wa dhana (x86):
```c
void RunPE(LPCSTR host, LPVOID payload, DWORD payloadSize){
// 1. create suspended process
STARTUPINFOA si = {sizeof(si)}; PROCESS_INFORMATION pi;
CreateProcessA(host, NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi);

// 2. read remote PEB to get ImageBaseAddress
CONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL;
GetThreadContext(pi.hThread,&ctx);
PVOID baseAddr;
ReadProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL);

// 3. unmap original image & allocate new region at same base
NtUnmapViewOfSection(pi.hProcess,baseAddr);
PVOID newBase = VirtualAllocEx(pi.hProcess,baseAddr,pHdr->OptionalHeader.SizeOfImage,
MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// 4-5. copy headers & sections …
// 6. write new image base into PEB and set Eip
WriteProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL);
ctx.Eax = (DWORD)(newBase) + pHdr->OptionalHeader.AddressOfEntryPoint;
SetThreadContext(pi.hThread,&ctx);
// 7. run!
ResumeThread(pi.hThread);
}
```
Practical notes observed in the **DarkCloud Stealer** campaign:

* Loader ilichukua `RegAsm.exe` (sehemu ya .NET Framework) kama mwenyeji – binary iliyosainiwa ambayo haiwezekani kuvuta umakini.
* Stealer ya VB6 iliyofichuliwa (`holographies.exe`) *haiangushi* kwenye diski; inakuwepo tu ndani ya mchakato uliohollowed, ikifanya ugunduzi wa statiki kuwa mgumu zaidi.
* Nyimbo nyeti (regexes, paths, Telegram credentials) zime **RC4-encrypted** kwa kila nyimbo na zinafichuliwa tu wakati wa wakati wa kukimbia, ikifanya skanning ya kumbukumbu kuwa ngumu zaidi.

Detection ideas:
* Onyo juu ya mchakato wa `CREATE_SUSPENDED` ambao kamwe hauunda madirisha ya GUI/console kabla ya eneo la kumbukumbu kutolewa kama **RWX** (nadra kwa msimbo mzuri).
* Tafuta mfuatano wa wito `NtUnmapViewOfSection ➜ VirtualAllocEx ➜ WriteProcessMemory` kati ya michakato tofauti.



## Hooking

- **SSDT** (**System Service Descriptor Table**) inaelekeza kwenye kazi za kernel (ntoskrnl.exe) au dereva wa GUI (win32k.sys) ili michakato ya mtumiaji iweze kuita kazi hizi.
- Rootkit inaweza kubadilisha viashiria hivi kwa anwani ambazo anadhibiti.
- **IRP** (**I/O Request Packets**) hupeleka vipande vya data kutoka sehemu moja hadi nyingine. Karibu kila kitu katika kernel kinatumia IRPs na kila kituo cha kifaa kina jedwali lake la kazi ambalo linaweza kuhooked: DKOM (Direct Kernel Object Manipulation)
- **IAT** (**Import Address Table**) ni muhimu kutatua utegemezi. Inawezekana kuhook jedwali hili ili kuiba msimbo ambao utaitwa.
- **EAT** (**Export Address Table**) Hooks. Hizi hooks zinaweza kufanywa kutoka **userland**. Lengo ni kuhook kazi zilizotolewa na DLLs.
- **Inline Hooks**: Aina hii ni ngumu kufikia. Hii inahusisha kubadilisha msimbo wa kazi yenyewe. Labda kwa kuweka jump mwanzoni mwa hii.


## References

- [Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/)

{{#include ../banners/hacktricks-training.md}}