Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware and the Windows API

Published byEugène Gauvin Modified over 5 years ago

Similar presentations

Presentation on theme: "Malware and the Windows API"— Presentation transcript:

1 Malware and the Windows API

2 Windows API Conventions

3 Windows API Hungarian Notation
WORD (w) - 16-bit unsigned value (wVal) DWORD (dw) - Double-WORD, 32-bit unsigned value (dwVal) Handle (H) – Reference to an object (Hmodule) Long Pointer (LP) – Pointer to another type (LPByte)

4 Windows API Function Suffixes
A – ANSI strings for params / return values (CopyFileA) ANSI – 8-bit characters W – WIDE strings for params / return values (ShellExecuteW) WIDE – 16-bit characters Ex – Extended, has added functionality over normal version of function (RegSetValueExA)

5 Common Windows API Combinations in Malware

6 Guessing Behavior from API Functions
Investigating functions in the IAT can imply malware behavior Can be even more confident about likely behavior if certain Windows API calls occur sequentially in disassembly

7 Runtime Linking LoadLibrary - Load a DLL into a process’ memory
GetProcAddress – Gets the address of a function from a DLL in memory In combination, can get the address of any function in any DLL on the system Don’t need to list desired functions in the IAT

8 Privilege Escalation OpenProcessToken – Opens a process’ access token (describes the process’ security context) LookupPrivilegeValue – Retrieves a locally unique identifier (LUID), which is a struct that represents a specific privilege AdjustTokenPrivileges – Modifies privileges of an access token Usually getting SeDebugPrivilege, which is pretty much admin

9 Anti-Debugging Timing Checks
QueryPerformanceCounter – Called twice, difference between processor’s performance counter at each call is calculated GetTickCount – Called twice, difference between number of milliseconds since computer boot is calculated

10 Other Anti-Debugging API Functions
IsDebuggerPresent – Checks the current process’ Process Environment Block for the status of IsDebugged field CheckRemoteDebuggerPresent – Checks the PEB of any process on the machine for the status of the IsDebugged field

11 Even More Anti-Debugging API Functions
NtQueryInformationProcess – Gets information about a process given its handle. When passed the ProcessDebugPort parameter, returns the debug status. SetLastError, OutputDebugString, GetLastError – Sends a string for a debugger to display. If no debugger is present, the current error code has changed.

12 Process Injection VirtualAlloc – Allocate space in an external process’ memory WriteProcessMemory – Write data (executable code to be executed as a thread) to the allocated space CreateRemoteThread – Execute the injected code as a thread belonging to the victim process

13 Download + Execute URLDownloadToFile – Download a file from the internet and save it to disk WinExec / ShellExecute – Execute the downloaded file

14 Polling Keylogger FindWindow + ShowWindow / GetForegroundWindow – Gets a handle to a specific window / the window in the foreground GetKeyState / GetAsyncKeyState – Gets whether a key is being pressed Usually found in a nested loop. The outer loop gets a window and the inner polls the state of each keys

15 Hooking Keylogger SetWindowsHook – Creates a Windows hook that gets notified when a keyboard event happens. GetMessage – Called in a loop to retrieve keyboard event messages

16 Taking Screenshots GetDesktopWindow – Get a handle to the desktop window, which contains the entire screen BitBlt, GetDIBits – Given a handle to a window, copy pixels to a destination buffer Often seen with other functions, such as CreateFile (to save the screenshot)

Download ppt "Malware and the Windows API"

Similar presentations

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
1 What is a Process ? The activity of program execution. Also called a task or job Has associated with it: Code Data Resources A State An executing set.

1 What is a Process ? The activity of program execution. Also called a task or job Has associated with it: Code Data Resources A State An executing set.
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
Threads CSCI 444/544 Operating Systems Fall 2008.

Threads CSCI 444/544 Operating Systems Fall 2008.
Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.

Unix & Windows Processes 1 CS502 Spring 2006 Unix/Windows Processes.
Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.

Chapter 6 - Implementing Processes, Threads and Resources Kris Hansen Shelby Davis Jeffery Brass 3/7/05 & 3/9/05 Kris Hansen Shelby Davis Jeffery Brass.
 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.

 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.
Part II: Addressing Modes

Part II: Addressing Modes
Chapter 26 Client Server Interaction Communication across a computer network requires a pair of application programs to cooperate. One application on one.

Chapter 26 Client Server Interaction Communication across a computer network requires a pair of application programs to cooperate. One application on one.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.

9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.
Prepared by Fareeha Lecturer DCS IIUI 1 Windows API.

Prepared by Fareeha Lecturer DCS IIUI 1 Windows API.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.

Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.
Win32 Programming Lesson 22: DLL Magic Part Deux All your base are belong to us…

Win32 Programming Lesson 22: DLL Magic Part Deux All your base are belong to us…
CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks.

CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks.
Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.

Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.
Lecture 11 Dynamic link libraries. Differences between static libraries and DLLs In static library code is added to the executable. In DLL, the code is.

Lecture 11 Dynamic link libraries. Differences between static libraries and DLLs In static library code is added to the executable. In DLL, the code is.

Similar presentations

Ads by Google