From 1d2427415eac4f4681d32dc6397b7a145ac5a958 Mon Sep 17 00:00:00 2001
From: tobias <tobiaskessels@cydefex.de>
Date: Sun, 29 Mar 2026 22:24:55 +0200
Subject: [PATCH] Add FOR610 exam cheat sheets (tools, assembly, Windows APIs)

Three markdown cheat sheets for exam preparation:
- 01-tools.md: All analysis tools with descriptions, platforms, book
  section refs, and key pipe chains
- 02-assembly.md: x86/x64 registers, instructions, calling conventions,
  stack frames, control flow, anti-analysis patterns
- 03-windows-apis.md: All Windows APIs by category with DLLs, malware
  use cases, and technique-to-API mapping table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 data/exam-cheatsheets/01-tools.md        | 152 +++++++++++++
 data/exam-cheatsheets/02-assembly.md     | 276 +++++++++++++++++++++++
 data/exam-cheatsheets/03-windows-apis.md | 207 +++++++++++++++++
 3 files changed, 635 insertions(+)
 create mode 100644 data/exam-cheatsheets/01-tools.md
 create mode 100644 data/exam-cheatsheets/02-assembly.md
 create mode 100644 data/exam-cheatsheets/03-windows-apis.md

diff --git a/data/exam-cheatsheets/01-tools.md b/data/exam-cheatsheets/01-tools.md
new file mode 100644
index 0000000..70a373f
--- /dev/null
+++ b/data/exam-cheatsheets/01-tools.md
@@ -0,0 +1,152 @@
+# FOR610 Tools Cheat Sheet
+
+## Static Analysis
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **PeStudio** | Windows | Examine PE properties, imports, strings, sections, entropy. Highlights malicious indicators automatically | S1 p.46 |
+| **peframe** | REMnux | REMnux alternative to PeStudio — extracts PE properties, detects anomalies | S1 p.48 |
+| **pestr** | REMnux | Extract ASCII and Unicode strings from PE files in one shot (part of Pev toolkit) | S1 p.44 |
+| **strings** | REMnux | Extract ASCII strings from any binary. Use `--encoding=l` for Unicode | S1 p.44 |
+| **Detect It Easy (diec)** | Both | Identify packers, compilers, and build tools used to create executables | S1 p.49 |
+| **ExeInfo PE** | Windows | Similar to DIE — identifies tools/packers, can "rip" (carve) embedded artifacts | S1 p.49 |
+| **CFF Explorer** | Windows | View/edit PE headers, disable DynamicBase (ASLR) flag | S4 p.22 |
+| **capa** | REMnux | Detect malware capabilities mapped to MITRE ATT&CK and MBC frameworks | S1 p.88 |
+| **FLOSS** | REMnux | Automatically extract obfuscated strings (static + stack + decoded) | S5 p.28 |
+| **file** | REMnux | Identify file type using magic bytes | S3 |
+| **trid** | REMnux | Identify file type using signature database | S3 |
+| **exiftool** | REMnux | Extract metadata from files (author, timestamps, etc.) | S1 |
+
+## Document Analysis
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **pdfid.py** | REMnux | Scan PDF for suspicious keywords (/JavaScript, /OpenAction, /Launch, /URI) | S3 p.10 |
+| **pdf-parser.py** | REMnux | Parse PDF structure, locate objects, extract content, search strings, dump objects | S3 p.11 |
+| **peepdf** | REMnux | Interactive PDF analysis framework with JavaScript detection | S3 |
+| **oledump.py** | REMnux | Examine OLE2 files — list streams (M=macro), extract VBA with `-s <n> -v` | S3 p.37 |
+| **olevba** | REMnux | Extract and deobfuscate VBA macros, detect auto-execute triggers | S3 |
+| **rtfdump.py** | REMnux | Analyze RTF structure — find hex-encoded groups at deep nesting levels | S3 |
+| **base64dump.py** | REMnux | Find, extract, and decode Base64 strings. `-n 10` shows top hits, `-s <n> -d` decodes | S3 p.46 |
+| **numbers-to-string.py** | REMnux | Convert decimal number sequences (from VBA Chr() calls) to readable text | S3 p.40 |
+| **translate.py** | REMnux | Transform bytes with Python expressions: `translate.py "byte ^ 35"` for XOR | S3 p.55 |
+
+## Network Interception
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **Wireshark** | Windows | Network sniffer — capture packets, follow TCP streams, extract payloads | S1 p.52 |
+| **fakedns** | REMnux | Fake DNS server — resolves ALL queries to REMnux IP | S1 p.71 |
+| **INetSim** | REMnux | Emulate internet services: HTTP, HTTPS, DNS, FTP, SMTP, IRC | S1 p.123 |
+| **Fiddler** | Windows | HTTP/HTTPS debugging proxy — intercept, inspect, modify web traffic | S3 p.127 |
+| **httpd** | REMnux | Simple web server (nginx) for simulating C2 | S1 p.79 |
+| **iptables** | REMnux | Redirect IP-based traffic: `iptables -t nat -A PREROUTING -i eth0 -j REDIRECT` | S1 |
+
+## Emulation & Shellcode
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **speakeasy** | REMnux | Emulate Windows API calls without executing. `-t <sample> -o report.json` | S1 p.85 |
+| **scdbgc** | Both | Shellcode emulator — `/f sc.bin /s -1` for API trace, `/foff` for offset | S3 p.57 |
+| **runsc32** | Windows | Execute shellcode for dynamic analysis with debugger attachment | S3 p.73 |
+| **box-js** | REMnux | Node.js sandbox for JavaScript analysis with WScript emulation | S3 p.95 |
+| **SpiderMonkey** | REMnux | Mozilla JS engine: `js -f /usr/share/remnux/objects.js -f <script>` | S3 p.84 |
+
+## Code Analysis & Debugging
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **Ghidra** | Both | NSA disassembler/decompiler — function graphs, symbol trees, scripting | S2 |
+| **x64dbg** | Windows | 64-bit debugger — breakpoints, memory inspection, patching | S1 p.92 |
+| **x32dbg** | Windows | 32-bit debugger — same as x64dbg for 32-bit binaries | S3-S5 |
+| **IDA** | Multi | Commercial disassembler with built-in debugger (freeware version available) | S2 p.81 |
+| **Binary Ninja** | Multi | Commercial disassembler, strong for automated analysis | S2 p.81 |
+| **Cutter** | REMnux | Open-source GUI for radare2 | S2 p.81 |
+
+## Unpacking
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **UPX** | Both | Unpack UPX-packed files: `upx -d packed.exe` (fails if modified) | S4 p.40 |
+| **Scylla** | Windows | Dump process from memory + fix IAT (Import Address Table) | S4 |
+| **OllyDumpEx** | Windows | x64dbg/x32dbg plugin for memory dumping at OEP | S4 |
+| **ScyllaHide** | Windows | x64dbg plugin to hide debugger from anti-debug checks | S5 p.33 |
+| **pe_unmapper** | Windows | Convert virtual-aligned dump to raw alignment (by Hasherezade) | S5 p.38 |
+| **setdllcharacteristics** | Windows | Disable ASLR: `setdllcharacteristics -d <file>` (by Didier Stevens) | S4 p.22 |
+
+## .NET Analysis
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **ILSpy** | Windows | .NET decompiler — view C#/VB.NET source from compiled assemblies | S3 p.34 |
+| **ilspycmd** | REMnux | Command-line ILSpy: `ilspycmd <assembly> > source.cs` | S4 |
+| **dnSpyEx** | Windows | .NET debugger + decompiler — breakpoints on Assembly.Load | S3 p.34 |
+| **de4dot** | Windows | .NET deobfuscator — removes ConfuserEx, Eziriz, etc. | S4 p.33 |
+
+## String Deobfuscation
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **XORSearch** | REMnux | Find XOR-encoded shellcode/strings: `-W` for shellcode patterns, `-d 3` skip ROT | S3 p.70 |
+| **brxor.py** | REMnux | Brute-force single-byte XOR — looks for English words in decoded output | S5 p.22 |
+| **bbcrack** | REMnux | Detect XOR, ROL, ADD obfuscation: `bbcrack -l 1 <file>` | S5 p.23 |
+| **strdeob.pl** | REMnux | Decode stack-built strings (MOV byte-by-byte patterns) | S5 p.28 |
+| **CyberChef** | Both | Visual multi-step decoding (Base64, XOR, hex, decompress). By GCHQ | S1 p.107 |
+| **1768.py** | REMnux | Parse Cobalt Strike beacon configuration from shellcode | S3 p.58 |
+
+## Behavioral Analysis
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **System Informer** | Windows | Process monitor — replaces Task Manager. Shows processes, handles, network | S1 p.52 |
+| **Process Monitor** | Windows | Records file system, registry, and process/thread activity in real time | S1 p.52 |
+| **Regshot** | Windows | Compare registry/filesystem state before and after infection | S1 p.52 |
+| **ProcDOT** | Windows | Visualize Process Monitor logs as interactive graphs | S1 p.52 |
+
+## PowerShell Analysis
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **PowerShell ISE** | Windows | Debug PS scripts — set breakpoints on Invoke-Expression to intercept | S3 |
+| **logman** | Windows | Enable AMSI tracing: `logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface` | S3 |
+| **AMSIScriptContentRetrieval** | Windows | Extract monitored script content from AMSI event trace logs | S3 |
+
+## YARA & Detection
+
+| Tool | Platform | Description | Book Ref |
+|------|----------|-------------|----------|
+| **yara / yara-rules** | REMnux | Scan files with community YARA rules for malware families and capabilities | S3 p.58 |
+| **1768.py** | REMnux | Cobalt Strike beacon parser (Didier Stevens) | S3 p.58 |
+| **capa** | REMnux | Capability detection via MITRE ATT&CK mapping | S1 p.88 |
+
+---
+
+## Key Pipe Chains
+
+```bash
+# Extract Base64 PowerShell from Office macro
+oledump.py <doc> -s <stream> -d | base64dump.py -s 1 -d > payload.ps1
+
+# VBA number array → readable text
+oledump.py <doc> -s <stream> -v | numbers-to-string.py -j
+
+# Multi-stage decode: Base64 → gunzip
+base64dump.py <script.ps1> -s 3 -d | gunzip > decoded.ps1
+
+# XOR decode shellcode
+base64dump.py <script.ps1> -s 2 -d | translate.py "byte ^ 35" > sc.bin
+
+# RTF shellcode extraction + emulation
+rtfdump.py <doc> -s 5 -H -d > sc.bin
+scdbgc /f sc.bin /foff 3B /s -1
+
+# JavaScript deobfuscation
+js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js
+
+# Speakeasy emulation + API extraction
+speakeasy -t <sample> -o report.json 2> report.txt
+jq '.entry_points[].apis[].api_name' report.json | sort -u
+
+# CAPA capability filtering
+capa -vv <sample> | grep -A7 "inject"
+```
diff --git a/data/exam-cheatsheets/02-assembly.md b/data/exam-cheatsheets/02-assembly.md
new file mode 100644
index 0000000..c06c5cb
--- /dev/null
+++ b/data/exam-cheatsheets/02-assembly.md
@@ -0,0 +1,276 @@
+# FOR610 Assembly & Reversing Cheat Sheet
+
+## Registers
+
+### 32-bit General Purpose
+| Register | Purpose | Notes |
+|----------|---------|-------|
+| **EAX** | Accumulator, return values | Function returns go here |
+| **EBX** | Base register | General purpose |
+| **ECX** | Counter | Loop counts, fastcall param 1 |
+| **EDX** | Data | Used with EAX in mul/div, fastcall param 2 |
+| **ESI** | Source index | String ops source |
+| **EDI** | Destination index | String ops destination |
+| **ESP** | Stack pointer | Top of stack (grows DOWN) |
+| **EBP** | Base/frame pointer | Access local vars and params |
+| **EIP** | Instruction pointer | Next instruction address |
+| **EFLAGS** | Flags | ZF, CF, SF, OF set by CMP/TEST |
+
+### 64-bit Extensions
+| 64-bit | 32-bit | 16-bit | 8-bit | Purpose |
+|--------|--------|--------|-------|---------|
+| RAX | EAX | AX | AL/AH | Return value |
+| RCX | ECX | CX | CL | x64 param 1 |
+| RDX | EDX | DX | DL | x64 param 2 |
+| R8 | R8D | R8W | R8B | x64 param 3 |
+| R9 | R9D | R9W | R9B | x64 param 4 |
+| R10-R15 | R10D-R15D | R10W-R15W | R10B-R15B | General purpose |
+
+### Special
+| Register | Purpose |
+|----------|---------|
+| **FS:[0]** | Pointer to SEH chain (32-bit) |
+| **FS:[30h]** | Pointer to PEB (Process Environment Block) |
+
+---
+
+## Instructions
+
+### Data Movement
+| Instruction | Meaning | Example |
+|-------------|---------|---------|
+| `MOV dst, src` | Copy src to dst | `MOV EAX, [EBP+8]` — load param 1 |
+| `LEA dst, [addr]` | Load address (not value) | `LEA R8, [RSP+0x30]` — pass address |
+| `PUSH val` | Push onto stack (ESP-=4) | `PUSH EBP` — save frame pointer |
+| `POP dst` | Pop from stack (ESP+=4) | `POP EBP` — restore frame pointer |
+| `XCHG a, b` | Swap a and b | `XCHG EAX, EBX` |
+
+### Arithmetic
+| Instruction | Meaning | Example |
+|-------------|---------|---------|
+| `ADD dst, src` | dst = dst + src | `ADD ESP, 8` — clean up 2 args |
+| `SUB dst, src` | dst = dst - src | `SUB ESP, 0x100` — allocate locals |
+| `INC dst` | dst = dst + 1 | `INC ECX` — loop counter |
+| `DEC dst` | dst = dst - 1 | `DEC ECX` — loop counter |
+| `MUL/IMUL` | Multiply (unsigned/signed) | Result in EDX:EAX |
+| `DIV/IDIV` | Divide (unsigned/signed) | Dividend in EDX:EAX |
+| `NEG dst` | Two's complement negate | `NEG EAX` |
+
+### Bitwise / Logic
+| Instruction | Meaning | Malware Use |
+|-------------|---------|-------------|
+| `XOR dst, src` | Bitwise XOR | **Obfuscation** (`XOR EAX, key`), zero reg (`XOR EAX, EAX`) |
+| `AND dst, src` | Bitwise AND | Masking bits |
+| `OR dst, src` | Bitwise OR | Setting flags |
+| `NOT dst` | Bitwise NOT | Invert all bits |
+| `SHL dst, n` | Shift left n bits | Multiply by 2^n |
+| `SHR dst, n` | Shift right n bits | Unsigned divide by 2^n |
+| `ROL dst, n` | Rotate left | **Obfuscation** (ROT13-like) |
+| `ROR dst, n` | Rotate right | **Obfuscation** |
+
+### Compare & Test
+| Instruction | What it does | Sets flags for |
+|-------------|-------------|----------------|
+| `CMP a, b` | Computes a - b (discards result) | All conditional jumps |
+| `TEST a, b` | Computes a AND b (discards result) | Zero check: `TEST EAX, EAX` |
+
+### Conditional Jumps (after CMP/TEST)
+
+**Unsigned (Above/Below):**
+| Jump | Condition | Meaning |
+|------|-----------|---------|
+| `JA` | CF=0, ZF=0 | Jump if Above |
+| `JAE/JNB` | CF=0 | Jump if Above or Equal |
+| `JB/JNAE` | CF=1 | Jump if Below |
+| `JBE/JNA` | CF=1 or ZF=1 | Jump if Below or Equal |
+
+**Signed (Greater/Less):**
+| Jump | Condition | Meaning |
+|------|-----------|---------|
+| `JG/JNLE` | ZF=0, SF=OF | Jump if Greater |
+| `JGE/JNL` | SF=OF | Jump if Greater or Equal |
+| `JL/JNGE` | SF≠OF | Jump if Less |
+| `JLE/JNG` | ZF=1 or SF≠OF | Jump if Less or Equal |
+
+**Equality:**
+| Jump | Condition | Meaning |
+|------|-----------|---------|
+| `JE/JZ` | ZF=1 | Jump if Equal / Zero |
+| `JNE/JNZ` | ZF=0 | Jump if Not Equal / Not Zero |
+| `JS` | SF=1 | Jump if Sign (negative) |
+| `JNS` | SF=0 | Jump if Not Sign (positive) |
+
+### Function Calls
+| Instruction | Meaning |
+|-------------|---------|
+| `CALL addr` | Push return address, jump to addr |
+| `RET` | Pop return address, jump to it (cdecl) |
+| `RET n` | Pop return address, add n to ESP (stdcall) |
+| `LEAVE` | `MOV ESP, EBP` then `POP EBP` (epilogue shortcut) |
+
+### Other Important
+| Instruction | Meaning | Significance |
+|-------------|---------|-------------|
+| `NOP` | No operation (0x90) | Padding; NOP sled = shellcode indicator |
+| `INT 3` | Software breakpoint (0xCC) | Debugger trap; anti-debug detection |
+| `CDQ` | Sign-extend EAX → EDX:EAX | Required before DIV |
+| `REP MOVSB/D` | Copy ECX bytes from ESI→EDI | Bulk memory copy (memcpy) |
+| `REP STOSB/D` | Fill ECX bytes at EDI with AL/EAX | Memory fill (memset) |
+
+---
+
+## Function Structure
+
+### 32-bit Prologue & Epilogue
+```
+PUSH EBP           ; Save old frame pointer
+MOV EBP, ESP       ; Set new frame pointer
+SUB ESP, 0x20      ; Allocate 32 bytes for locals
+```
+```
+MOV EAX, result    ; Set return value
+LEAVE              ; MOV ESP,EBP + POP EBP
+RET                ; Return to caller
+```
+
+### Stack Frame Layout (32-bit)
+```
+Higher addresses
+┌─────────────────┐
+│ Param 3         │  [EBP + 0x10]
+│ Param 2         │  [EBP + 0x0C]
+│ Param 1         │  [EBP + 0x08]
+│ Return Address  │  [EBP + 0x04]  ← pushed by CALL
+│ Saved EBP       │  [EBP]         ← pushed by PUSH EBP
+│ Local var 1     │  [EBP - 0x04]
+│ Local var 2     │  [EBP - 0x08]
+│ ...             │  ← ESP points here
+└─────────────────┘
+Lower addresses (stack grows DOWN)
+```
+
+### Calling Conventions
+
+| Convention | Params | Cleanup | Return | Used by |
+|-----------|--------|---------|--------|---------|
+| **cdecl** | Stack (R→L) | **Caller** (`ADD ESP,n`) | EAX | C library functions |
+| **stdcall** | Stack (R→L) | **Callee** (`RET n`) | EAX | Win32 API (kernel32, etc.) |
+| **fastcall** | ECX, EDX, then stack | Callee | EAX | Some internal functions |
+| **thiscall** | ECX=this, then stack | Callee | EAX | C++ member functions |
+| **x64** | RCX, RDX, R8, R9, then stack | Caller | RAX | All 64-bit Windows |
+
+---
+
+## Control Flow Patterns
+
+### If/Else
+```asm
+CMP EAX, 5         ; Compare
+JNE else_block      ; Jump if not equal
+  ; if-block code
+  JMP end_if
+else_block:
+  ; else-block code
+end_if:
+```
+
+### Loop (for/while)
+```asm
+MOV ECX, 10         ; counter = 10
+loop_start:
+  ; loop body
+  DEC ECX            ; counter--
+  JNZ loop_start     ; if counter != 0, repeat
+```
+
+### AND condition (both must be true)
+```asm
+CMP val1, limit1
+JL skip             ; if first false, skip
+CMP val2, limit2
+JL skip             ; if second false, skip
+  ; both true
+skip:
+```
+
+### OR condition (either true)
+```asm
+CMP val1, limit1
+JG execute           ; if first true, go
+CMP val2, limit2
+JLE skip             ; if second also false, skip
+execute:
+  ; at least one true
+skip:
+```
+
+---
+
+## Anti-Analysis Techniques (Section 5)
+
+### Debugger Detection
+```asm
+; IsDebuggerPresent check
+CALL IsDebuggerPresent
+TEST EAX, EAX
+JNE detected          ; non-zero = debugger present
+
+; PEB BeingDebugged field
+MOV EAX, FS:[30h]    ; PEB pointer
+MOVZX EAX, [EAX+2]   ; BeingDebugged byte
+TEST EAX, EAX
+JNE detected
+
+; Timing check (RDTSC)
+RDTSC                 ; read timestamp counter
+; ... do work ...
+RDTSC                 ; read again
+; large delta = debugger stepping
+```
+
+### SEH (Structured Exception Handling)
+```asm
+; Set up SEH handler
+PUSH handler_addr     ; push handler function
+PUSH FS:[0]           ; push current SEH chain
+MOV FS:[0], ESP       ; install new handler
+
+; Trigger exception intentionally
+XOR ECX, ECX
+DIV ECX               ; divide by zero → handler executes
+```
+
+### Process Hollowing Pattern
+```
+CreateProcessW(SUSPENDED)    ; Create target process suspended
+NtUnmapViewOfSection()       ; Remove original code
+VirtualAllocEx()             ; Allocate new memory
+WriteProcessMemory()         ; Write malicious code
+ResumeThread()               ; Execute injected code
+```
+
+### Code Injection Pattern
+```
+OpenProcess()                ; Get handle to target
+VirtualAllocEx(RWX)          ; Allocate executable memory
+WriteProcessMemory()         ; Write shellcode
+CreateRemoteThread()         ; Execute in target
+```
+
+---
+
+## Key Patterns to Recognize
+
+| Pattern | What it means |
+|---------|--------------|
+| `XOR EAX, EAX` | Zero out EAX (common idiom) |
+| `TEST EAX, EAX` + `JZ` | Check if EAX is zero |
+| `PUSH EBP; MOV EBP,ESP; SUB ESP,n` | Function prologue |
+| `LEAVE; RET` | Function epilogue |
+| `CALL; ADD ESP,n` | cdecl call (caller cleanup) |
+| `CALL; (no ADD ESP)` | stdcall call (callee cleanup) |
+| `REP MOVSB` with ESI→EDI | Memory copy (like memcpy) |
+| `FS:[0]` access | SEH manipulation |
+| `FS:[30h]` access | PEB access (anti-debug) |
+| NOP sled (many 0x90) | Shellcode indicator |
+| `VirtualAlloc` + `memcpy` | Unpacking to new memory |
diff --git a/data/exam-cheatsheets/03-windows-apis.md b/data/exam-cheatsheets/03-windows-apis.md
new file mode 100644
index 0000000..2c4ccb9
--- /dev/null
+++ b/data/exam-cheatsheets/03-windows-apis.md
@@ -0,0 +1,207 @@
+# FOR610 Windows API Cheat Sheet
+
+## File Operations (kernel32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **CreateFileA/W** | Open or create a file handle | Read/write config files, drop payloads |
+| **ReadFile** | Read data from file | Read malware configuration |
+| **WriteFile** | Write data to file | Drop payloads, write config |
+| **DeleteFileA/W** | Delete a file | Remove traces |
+| **CopyFile** | Copy a file | Spread to new locations |
+| **FindFirstFile / FindNextFile** | Enumerate files in directory | Search for targets (ransomware) |
+| **GetTempPath** | Get temp directory path | Common malware staging location |
+| **GetFileSize** | Get file size in bytes | Check payload size |
+
+## Resource Operations (kernel32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **FindResourceW** | Locate embedded resource | Find embedded payload in PE |
+| **SizeofResource** | Get resource size | Determine payload size |
+| **LoadResource** | Load resource into memory | Access embedded data |
+| **LockResource** | Get pointer to resource data | Read resource content |
+
+**Pattern:** FindResource → SizeofResource → LoadResource → LockResource → CreateFile → WriteFile → CreateProcess (**dropper pattern**)
+
+## Process Operations (kernel32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **CreateProcessA/W** | Create new process | Launch cmd.exe, spawn child for hollowing |
+| **OpenProcess** | Get handle to existing process | Target process for injection |
+| **TerminateProcess** | Kill a process | Kill security tools |
+| **ExitProcess** | Terminate current process | Anti-debug: exit if detected |
+| **GetCurrentProcess** | Get own process handle | Self-inspection |
+
+## Process Enumeration (kernel32.dll / psapi.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **CreateToolhelp32Snapshot** | Snapshot of running processes | Find injection targets |
+| **Process32FirstW** | Get first process from snapshot | Begin enumeration |
+| **Process32NextW** | Get next process from snapshot | Continue enumeration |
+| **EnumProcesses** | List all process IDs | Alternative enumeration |
+
+**Pattern:** CreateToolhelp32Snapshot → Process32First → Process32Next (loop) → OpenProcess (**find target for injection**)
+
+## Memory Operations (kernel32.dll)
+
+| API | What it does | Malware use | Key params |
+|-----|-------------|-------------|-----------|
+| **VirtualAlloc** | Allocate memory in own process | Unpack code to new memory | flProtect: 0x40 = RWX |
+| **VirtualAllocEx** | Allocate memory in OTHER process | Injection: create space for shellcode | flProtect: 0x40 = PAGE_EXECUTE_READWRITE |
+| **VirtualProtect** | Change memory page protection | Make data executable after writing | 0x40 = RWX (suspicious!) |
+| **WriteProcessMemory** | Write to OTHER process memory | Inject shellcode/DLL into target |
+| **ReadProcessMemory** | Read from OTHER process memory | Steal data from other processes |
+| **VirtualFree** | Free allocated memory | Cleanup |
+
+## Thread Operations (kernel32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **CreateThread** | Create thread in own process | Execute shellcode in parallel |
+| **CreateRemoteThread** | Create thread in OTHER process | **Execute injected code** |
+| **ResumeThread** | Resume suspended thread | Wake up hollowed process |
+| **SuspendThread** | Pause a thread | Freeze target during injection |
+| **QueueUserAPC** | Queue async procedure call | APC injection technique |
+
+## DLL / Module Operations (kernel32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **LoadLibraryA/W** | Load DLL at runtime | DLL injection via CreateRemoteThread, load sideloaded DLL |
+| **GetProcAddress** | Get function address from DLL | Dynamically resolve APIs (avoid import table) |
+| **GetModuleHandleA/W** | Get handle to loaded DLL | **Detect security tools** (check for avghookx.dll, etc.) |
+| **FreeLibrary** | Unload DLL | Cleanup |
+
+## Registry Operations (advapi32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **RegOpenKeyExA/W** | Open registry key | Access persistence keys, read config |
+| **RegSetValueEx** | Set registry value | **Persistence** (Run keys), store config |
+| **RegQueryValueExA** | Read registry value | Read stored config/commands |
+| **RegCreateKeyEx** | Create new key | Set up persistence |
+| **RegDeleteValue** | Delete a value | Remove traces |
+
+**Persistence locations:**
+- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
+- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
+
+## Network — WinINet (wininet.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **InternetOpenA** | Initialize internet session | Set up HTTP C2 (set user-agent) |
+| **InternetConnectA** | Connect to server | Connect to C2 host:port |
+| **HttpOpenRequestA** | Create HTTP request | Build GET/POST for C2 |
+| **HttpSendRequestA** | Send HTTP request | **Send C2 beacon/data** |
+| **InternetReadFile** | Read server response | **Receive C2 commands** |
+| **InternetOpenUrlA** | Open URL directly | Direct download |
+
+**C2 Pattern:** InternetOpen → InternetConnect → HttpOpenRequest → HttpSendRequest → InternetReadFile
+
+## Network — Sockets (ws2_32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **socket** | Create network socket | Raw TCP/UDP C2 |
+| **connect** | Connect to remote host | Establish C2 connection |
+| **send** | Send data | Exfiltrate data, send commands |
+| **recv** | Receive data | Receive C2 instructions |
+
+## Network — Other
+
+| API | DLL | Malware use |
+|-----|-----|-------------|
+| **URLDownloadToFileA** | urlmon.dll | Download next stage to disk |
+| **WinHttpOpen** | winhttp.dll | Modern HTTPS C2 |
+
+## Cryptography (advapi32.dll)
+
+| API | What it does | Malware use |
+|-----|-------------|-------------|
+| **CryptAcquireContext** | Get crypto provider handle | Set up encryption |
+| **CryptCreateHash** | Create hash object | Hash data for integrity |
+| **CryptEncrypt** | Encrypt data | Protect C2 traffic, encrypt config |
+| **CryptDecrypt** | Decrypt data | **Decrypt config files** (brbconfig.tmp) |
+
+## Execution (shell32.dll / kernel32.dll)
+
+| API | DLL | Malware use |
+|-----|-----|-------------|
+| **ShellExecuteA/W** | shell32.dll | Run commands, open URLs, launch programs |
+| **WinExec** | kernel32.dll | Simple program execution |
+| **system** | msvcrt.dll | Execute shell command via cmd.exe |
+
+## Anti-Analysis / Detection
+
+| API | DLL | What it checks |
+|-----|-----|---------------|
+| **IsDebuggerPresent** | kernel32.dll | Returns non-zero if debugger attached |
+| **CheckRemoteDebuggerPresent** | kernel32.dll | Check if any debugger is present |
+| **NtQueryInformationProcess** | ntdll.dll | Query ProcessDebugPort, ProcessDebugFlags |
+| **GetTickCount** | kernel32.dll | System uptime — low = sandbox |
+| **QueryPerformanceCounter** | kernel32.dll | High-res timer — detect single-stepping |
+| **OutputDebugString** | kernel32.dll | If debugger present, no error returned |
+| **BlockInput** | user32.dll | Block keyboard/mouse during execution |
+
+## Injection-Specific (ntdll.dll)
+
+| API | What it does | Technique |
+|-----|-------------|-----------|
+| **NtUnmapViewOfSection** | Remove memory section | **Process hollowing** — gut the target |
+| **ZwUnmapViewOfSection** | Same as above (Zw prefix) | Process hollowing variant |
+| **NtWriteVirtualMemory** | Native WriteProcessMemory | Injection via native API |
+| **RtlCreateUserThread** | Native CreateRemoteThread | Injection via native API |
+
+## Hooks & Monitoring
+
+| API | DLL | Malware use |
+|-----|-----|-------------|
+| **SetWindowsHookExA** | user32.dll | Install mouse/keyboard hook — wait for user activity (anti-sandbox) |
+| **FindWindowW** | user32.dll | **Detect analysis tools** by window title (OLLYDBG, WinDbg, etc.) |
+
+## System Information
+
+| API | DLL | Malware use |
+|-----|-----|-------------|
+| **GetComputerName** | kernel32.dll | Fingerprint victim for C2 |
+| **GetUserName** | advapi32.dll | Identify logged-in user |
+| **Sleep** | kernel32.dll | Delay execution (anti-sandbox, C2 beacon interval) |
+| **SetFileTime** | kernel32.dll | Timestomp — hide file creation time |
+
+---
+
+## Quick Reference: API → Technique Mapping
+
+| If you see these APIs... | The malware is... |
+|--------------------------|-------------------|
+| VirtualAllocEx + WriteProcessMemory + CreateRemoteThread | **Code injection** |
+| CreateProcess(SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory + ResumeThread | **Process hollowing** |
+| LoadLibrary + GetProcAddress (in loop) | **Dynamic API resolution** (evasion) |
+| InternetOpen + HttpSendRequest + InternetReadFile | **HTTP C2 communication** |
+| FindResource + LoadResource + WriteFile + CreateProcess | **Resource dropper** |
+| RegOpenKeyEx + RegSetValueEx (Run keys) | **Persistence** |
+| CreateToolhelp32Snapshot + Process32First/Next | **Process enumeration** (find target) |
+| IsDebuggerPresent / NtQueryInformationProcess | **Anti-debugging** |
+| SetWindowsHookEx(WH_MOUSE_LL) | **Anti-sandbox** (wait for user) |
+| CryptDecrypt | **Config/payload decryption** |
+| GetModuleHandle("avghookx.dll") / FindWindow("OLLYDBG") | **Security tool detection** |
+
+---
+
+## DLL Quick Reference
+
+| DLL | Contains |
+|-----|---------|
+| **kernel32.dll** | File, process, memory, thread, module operations |
+| **advapi32.dll** | Registry, crypto, services |
+| **ntdll.dll** | Native API (Nt/Zw functions — low-level) |
+| **user32.dll** | Windows/hooks/UI (SetWindowsHookEx, FindWindow, BlockInput) |
+| **ws2_32.dll** | Winsock — raw socket networking |
+| **wininet.dll** | High-level HTTP/HTTPS (InternetOpen, HttpSendRequest) |
+| **shell32.dll** | ShellExecute — run programs/URLs |
+| **urlmon.dll** | URLDownloadToFile |
+| **msvcrt.dll** | C runtime — system(), malloc() |