irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add FOR610 exam cheat sheets (tools, assembly, Windows APIs)

Browse Source 
Three markdown cheat sheets for exam preparation:
- 01-tools.md: All analysis tools with descriptions, platforms, book
  section refs, and key pipe chains
- 02-assembly.md: x86/x64 registers, instructions, calling conventions,
  stack frames, control flow, anti-analysis patterns
- 03-windows-apis.md: All Windows APIs by category with DLLs, malware
  use cases, and technique-to-API mapping table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
tobias
2026-03-29 22:24:55 +02:00
parent bfc3042b9b
commit 1d2427415e
3 changed files with 635 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
data/exam-cheatsheets/01-tools.md
+152
View File
@@ -0,0 +1,152 @@
# FOR610 Tools Cheat Sheet
## Static Analysis
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **PeStudio** | Windows | Examine PE properties, imports, strings, sections, entropy. Highlights malicious indicators automatically | S1 p.46 |
| **peframe** | REMnux | REMnux alternative to PeStudio — extracts PE properties, detects anomalies | S1 p.48 |
| **pestr** | REMnux | Extract ASCII and Unicode strings from PE files in one shot (part of Pev toolkit) | S1 p.44 |
| **strings** | REMnux | Extract ASCII strings from any binary. Use `--encoding=l` for Unicode | S1 p.44 |
| **Detect It Easy (diec)** | Both | Identify packers, compilers, and build tools used to create executables | S1 p.49 |
| **ExeInfo PE** | Windows | Similar to DIE — identifies tools/packers, can "rip" (carve) embedded artifacts | S1 p.49 |
| **CFF Explorer** | Windows | View/edit PE headers, disable DynamicBase (ASLR) flag | S4 p.22 |
| **capa** | REMnux | Detect malware capabilities mapped to MITRE ATT&CK and MBC frameworks | S1 p.88 |
| **FLOSS** | REMnux | Automatically extract obfuscated strings (static + stack + decoded) | S5 p.28 |
| **file** | REMnux | Identify file type using magic bytes | S3 |
| **trid** | REMnux | Identify file type using signature database | S3 |
| **exiftool** | REMnux | Extract metadata from files (author, timestamps, etc.) | S1 |
## Document Analysis
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **pdfid.py** | REMnux | Scan PDF for suspicious keywords (/JavaScript, /OpenAction, /Launch, /URI) | S3 p.10 |
| **pdf-parser.py** | REMnux | Parse PDF structure, locate objects, extract content, search strings, dump objects | S3 p.11 |
| **peepdf** | REMnux | Interactive PDF analysis framework with JavaScript detection | S3 |
| **oledump.py** | REMnux | Examine OLE2 files — list streams (M=macro), extract VBA with `-s <n> -v` | S3 p.37 |
| **olevba** | REMnux | Extract and deobfuscate VBA macros, detect auto-execute triggers | S3 |
| **rtfdump.py** | REMnux | Analyze RTF structure — find hex-encoded groups at deep nesting levels | S3 |
| **base64dump.py** | REMnux | Find, extract, and decode Base64 strings. `-n 10` shows top hits, `-s <n> -d` decodes | S3 p.46 |
| **numbers-to-string.py** | REMnux | Convert decimal number sequences (from VBA Chr() calls) to readable text | S3 p.40 |
| **translate.py** | REMnux | Transform bytes with Python expressions: `translate.py "byte ^ 35"` for XOR | S3 p.55 |
## Network Interception
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **Wireshark** | Windows | Network sniffer — capture packets, follow TCP streams, extract payloads | S1 p.52 |
| **fakedns** | REMnux | Fake DNS server — resolves ALL queries to REMnux IP | S1 p.71 |
| **INetSim** | REMnux | Emulate internet services: HTTP, HTTPS, DNS, FTP, SMTP, IRC | S1 p.123 |
| **Fiddler** | Windows | HTTP/HTTPS debugging proxy — intercept, inspect, modify web traffic | S3 p.127 |
| **httpd** | REMnux | Simple web server (nginx) for simulating C2 | S1 p.79 |
| **iptables** | REMnux | Redirect IP-based traffic: `iptables -t nat -A PREROUTING -i eth0 -j REDIRECT` | S1 |
## Emulation & Shellcode
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **speakeasy** | REMnux | Emulate Windows API calls without executing. `-t <sample> -o report.json` | S1 p.85 |
| **scdbgc** | Both | Shellcode emulator — `/f sc.bin /s -1` for API trace, `/foff` for offset | S3 p.57 |
| **runsc32** | Windows | Execute shellcode for dynamic analysis with debugger attachment | S3 p.73 |
| **box-js** | REMnux | Node.js sandbox for JavaScript analysis with WScript emulation | S3 p.95 |
| **SpiderMonkey** | REMnux | Mozilla JS engine: `js -f /usr/share/remnux/objects.js -f <script>` | S3 p.84 |
## Code Analysis & Debugging
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **Ghidra** | Both | NSA disassembler/decompiler — function graphs, symbol trees, scripting | S2 |
| **x64dbg** | Windows | 64-bit debugger — breakpoints, memory inspection, patching | S1 p.92 |
| **x32dbg** | Windows | 32-bit debugger — same as x64dbg for 32-bit binaries | S3-S5 |
| **IDA** | Multi | Commercial disassembler with built-in debugger (freeware version available) | S2 p.81 |
| **Binary Ninja** | Multi | Commercial disassembler, strong for automated analysis | S2 p.81 |
| **Cutter** | REMnux | Open-source GUI for radare2 | S2 p.81 |
## Unpacking
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **UPX** | Both | Unpack UPX-packed files: `upx -d packed.exe` (fails if modified) | S4 p.40 |
| **Scylla** | Windows | Dump process from memory + fix IAT (Import Address Table) | S4 |
| **OllyDumpEx** | Windows | x64dbg/x32dbg plugin for memory dumping at OEP | S4 |
| **ScyllaHide** | Windows | x64dbg plugin to hide debugger from anti-debug checks | S5 p.33 |
| **pe_unmapper** | Windows | Convert virtual-aligned dump to raw alignment (by Hasherezade) | S5 p.38 |
| **setdllcharacteristics** | Windows | Disable ASLR: `setdllcharacteristics -d <file>` (by Didier Stevens) | S4 p.22 |
## .NET Analysis
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **ILSpy** | Windows | .NET decompiler — view C#/VB.NET source from compiled assemblies | S3 p.34 |
| **ilspycmd** | REMnux | Command-line ILSpy: `ilspycmd <assembly> > source.cs` | S4 |
| **dnSpyEx** | Windows | .NET debugger + decompiler — breakpoints on Assembly.Load | S3 p.34 |
| **de4dot** | Windows | .NET deobfuscator — removes ConfuserEx, Eziriz, etc. | S4 p.33 |
## String Deobfuscation
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **XORSearch** | REMnux | Find XOR-encoded shellcode/strings: `-W` for shellcode patterns, `-d 3` skip ROT | S3 p.70 |
| **brxor.py** | REMnux | Brute-force single-byte XOR — looks for English words in decoded output | S5 p.22 |
| **bbcrack** | REMnux | Detect XOR, ROL, ADD obfuscation: `bbcrack -l 1 <file>` | S5 p.23 |
| **strdeob.pl** | REMnux | Decode stack-built strings (MOV byte-by-byte patterns) | S5 p.28 |
| **CyberChef** | Both | Visual multi-step decoding (Base64, XOR, hex, decompress). By GCHQ | S1 p.107 |
| **1768.py** | REMnux | Parse Cobalt Strike beacon configuration from shellcode | S3 p.58 |
## Behavioral Analysis
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **System Informer** | Windows | Process monitor — replaces Task Manager. Shows processes, handles, network | S1 p.52 |
| **Process Monitor** | Windows | Records file system, registry, and process/thread activity in real time | S1 p.52 |
| **Regshot** | Windows | Compare registry/filesystem state before and after infection | S1 p.52 |
| **ProcDOT** | Windows | Visualize Process Monitor logs as interactive graphs | S1 p.52 |
## PowerShell Analysis
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **PowerShell ISE** | Windows | Debug PS scripts — set breakpoints on Invoke-Expression to intercept | S3 |
| **logman** | Windows | Enable AMSI tracing: `logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface` | S3 |
| **AMSIScriptContentRetrieval** | Windows | Extract monitored script content from AMSI event trace logs | S3 |
## YARA & Detection
| Tool | Platform | Description | Book Ref |
|------|----------|-------------|----------|
| **yara / yara-rules** | REMnux | Scan files with community YARA rules for malware families and capabilities | S3 p.58 |
| **1768.py** | REMnux | Cobalt Strike beacon parser (Didier Stevens) | S3 p.58 |
| **capa** | REMnux | Capability detection via MITRE ATT&CK mapping | S1 p.88 |
---
## Key Pipe Chains
```bash
# Extract Base64 PowerShell from Office macro
oledump.py <doc> -s <stream> -d | base64dump.py -s 1 -d > payload.ps1
# VBA number array → readable text
oledump.py <doc> -s <stream> -v | numbers-to-string.py -j
# Multi-stage decode: Base64 → gunzip
base64dump.py <script.ps1> -s 3 -d | gunzip > decoded.ps1
# XOR decode shellcode
base64dump.py <script.ps1> -s 2 -d | translate.py "byte ^ 35" > sc.bin
# RTF shellcode extraction + emulation
rtfdump.py <doc> -s 5 -H -d > sc.bin
scdbgc /f sc.bin /foff 3B /s -1
# JavaScript deobfuscation
js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js
# Speakeasy emulation + API extraction
speakeasy -t <sample> -o report.json 2> report.txt
jq '.entry_points[].apis[].api_name' report.json | sort -u
# CAPA capability filtering
capa -vv <sample> | grep -A7 "inject"
```
data/exam-cheatsheets/02-assembly.md
+276
View File
@@ -0,0 +1,276 @@
# FOR610 Assembly & Reversing Cheat Sheet
## Registers
### 32-bit General Purpose
| Register | Purpose | Notes |
|----------|---------|-------|
| **EAX** | Accumulator, return values | Function returns go here |
| **EBX** | Base register | General purpose |
| **ECX** | Counter | Loop counts, fastcall param 1 |
| **EDX** | Data | Used with EAX in mul/div, fastcall param 2 |
| **ESI** | Source index | String ops source |
| **EDI** | Destination index | String ops destination |
| **ESP** | Stack pointer | Top of stack (grows DOWN) |
| **EBP** | Base/frame pointer | Access local vars and params |
| **EIP** | Instruction pointer | Next instruction address |
| **EFLAGS** | Flags | ZF, CF, SF, OF set by CMP/TEST |
### 64-bit Extensions
| 64-bit | 32-bit | 16-bit | 8-bit | Purpose |
|--------|--------|--------|-------|---------|
| RAX | EAX | AX | AL/AH | Return value |
| RCX | ECX | CX | CL | x64 param 1 |
| RDX | EDX | DX | DL | x64 param 2 |
| R8 | R8D | R8W | R8B | x64 param 3 |
| R9 | R9D | R9W | R9B | x64 param 4 |
| R10-R15 | R10D-R15D | R10W-R15W | R10B-R15B | General purpose |
### Special
| Register | Purpose |
|----------|---------|
| **FS:[0]** | Pointer to SEH chain (32-bit) |
| **FS:[30h]** | Pointer to PEB (Process Environment Block) |
---
## Instructions
### Data Movement
| Instruction | Meaning | Example |
|-------------|---------|---------|
| `MOV dst, src` | Copy src to dst | `MOV EAX, [EBP+8]` — load param 1 |
| `LEA dst, [addr]` | Load address (not value) | `LEA R8, [RSP+0x30]` — pass address |
| `PUSH val` | Push onto stack (ESP-=4) | `PUSH EBP` — save frame pointer |
| `POP dst` | Pop from stack (ESP+=4) | `POP EBP` — restore frame pointer |
| `XCHG a, b` | Swap a and b | `XCHG EAX, EBX` |
### Arithmetic
| Instruction | Meaning | Example |
|-------------|---------|---------|
| `ADD dst, src` | dst = dst + src | `ADD ESP, 8` — clean up 2 args |
| `SUB dst, src` | dst = dst - src | `SUB ESP, 0x100` — allocate locals |
| `INC dst` | dst = dst + 1 | `INC ECX` — loop counter |
| `DEC dst` | dst = dst - 1 | `DEC ECX` — loop counter |
| `MUL/IMUL` | Multiply (unsigned/signed) | Result in EDX:EAX |
| `DIV/IDIV` | Divide (unsigned/signed) | Dividend in EDX:EAX |
| `NEG dst` | Two's complement negate | `NEG EAX` |
### Bitwise / Logic
| Instruction | Meaning | Malware Use |
|-------------|---------|-------------|
| `XOR dst, src` | Bitwise XOR | **Obfuscation** (`XOR EAX, key`), zero reg (`XOR EAX, EAX`) |
| `AND dst, src` | Bitwise AND | Masking bits |
| `OR dst, src` | Bitwise OR | Setting flags |
| `NOT dst` | Bitwise NOT | Invert all bits |
| `SHL dst, n` | Shift left n bits | Multiply by 2^n |
| `SHR dst, n` | Shift right n bits | Unsigned divide by 2^n |
| `ROL dst, n` | Rotate left | **Obfuscation** (ROT13-like) |
| `ROR dst, n` | Rotate right | **Obfuscation** |
### Compare & Test
| Instruction | What it does | Sets flags for |
|-------------|-------------|----------------|
| `CMP a, b` | Computes a - b (discards result) | All conditional jumps |
| `TEST a, b` | Computes a AND b (discards result) | Zero check: `TEST EAX, EAX` |
### Conditional Jumps (after CMP/TEST)
**Unsigned (Above/Below):**
| Jump | Condition | Meaning |
|------|-----------|---------|
| `JA` | CF=0, ZF=0 | Jump if Above |
| `JAE/JNB` | CF=0 | Jump if Above or Equal |
| `JB/JNAE` | CF=1 | Jump if Below |
| `JBE/JNA` | CF=1 or ZF=1 | Jump if Below or Equal |
**Signed (Greater/Less):**
| Jump | Condition | Meaning |
|------|-----------|---------|
| `JG/JNLE` | ZF=0, SF=OF | Jump if Greater |
| `JGE/JNL` | SF=OF | Jump if Greater or Equal |
| `JL/JNGE` | SF≠OF | Jump if Less |
| `JLE/JNG` | ZF=1 or SF≠OF | Jump if Less or Equal |
**Equality:**
| Jump | Condition | Meaning |
|------|-----------|---------|
| `JE/JZ` | ZF=1 | Jump if Equal / Zero |
| `JNE/JNZ` | ZF=0 | Jump if Not Equal / Not Zero |
| `JS` | SF=1 | Jump if Sign (negative) |
| `JNS` | SF=0 | Jump if Not Sign (positive) |
### Function Calls
| Instruction | Meaning |
|-------------|---------|
| `CALL addr` | Push return address, jump to addr |
| `RET` | Pop return address, jump to it (cdecl) |
| `RET n` | Pop return address, add n to ESP (stdcall) |
| `LEAVE` | `MOV ESP, EBP` then `POP EBP` (epilogue shortcut) |
### Other Important
| Instruction | Meaning | Significance |
|-------------|---------|-------------|
| `NOP` | No operation (0x90) | Padding; NOP sled = shellcode indicator |
| `INT 3` | Software breakpoint (0xCC) | Debugger trap; anti-debug detection |
| `CDQ` | Sign-extend EAX → EDX:EAX | Required before DIV |
| `REP MOVSB/D` | Copy ECX bytes from ESI→EDI | Bulk memory copy (memcpy) |
| `REP STOSB/D` | Fill ECX bytes at EDI with AL/EAX | Memory fill (memset) |
---
## Function Structure
### 32-bit Prologue & Epilogue
```
PUSH EBP ; Save old frame pointer
MOV EBP, ESP ; Set new frame pointer
SUB ESP, 0x20 ; Allocate 32 bytes for locals
```
```
MOV EAX, result ; Set return value
LEAVE ; MOV ESP,EBP + POP EBP
RET ; Return to caller
```
### Stack Frame Layout (32-bit)
```
Higher addresses
┌─────────────────┐
│ Param 3 │ [EBP + 0x10]
│ Param 2 │ [EBP + 0x0C]
│ Param 1 │ [EBP + 0x08]
│ Return Address │ [EBP + 0x04] ← pushed by CALL
│ Saved EBP │ [EBP] ← pushed by PUSH EBP
│ Local var 1 │ [EBP - 0x04]
│ Local var 2 │ [EBP - 0x08]
│ ... │ ← ESP points here
└─────────────────┘
Lower addresses (stack grows DOWN)
```
### Calling Conventions
| Convention | Params | Cleanup | Return | Used by |
|-----------|--------|---------|--------|---------|
| **cdecl** | Stack (R→L) | **Caller** (`ADD ESP,n`) | EAX | C library functions |
| **stdcall** | Stack (R→L) | **Callee** (`RET n`) | EAX | Win32 API (kernel32, etc.) |
| **fastcall** | ECX, EDX, then stack | Callee | EAX | Some internal functions |
| **thiscall** | ECX=this, then stack | Callee | EAX | C++ member functions |
| **x64** | RCX, RDX, R8, R9, then stack | Caller | RAX | All 64-bit Windows |
---
## Control Flow Patterns
### If/Else
```asm
CMP EAX, 5 ; Compare
JNE else_block ; Jump if not equal
; if-block code
JMP end_if
else_block:
; else-block code
end_if:
```
### Loop (for/while)
```asm
MOV ECX, 10 ; counter = 10
loop_start:
; loop body
DEC ECX ; counter--
JNZ loop_start ; if counter != 0, repeat
```
### AND condition (both must be true)
```asm
CMP val1, limit1
JL skip ; if first false, skip
CMP val2, limit2
JL skip ; if second false, skip
; both true
skip:
```
### OR condition (either true)
```asm
CMP val1, limit1
JG execute ; if first true, go
CMP val2, limit2
JLE skip ; if second also false, skip
execute:
; at least one true
skip:
```
---
## Anti-Analysis Techniques (Section 5)
### Debugger Detection
```asm
; IsDebuggerPresent check
CALL IsDebuggerPresent
TEST EAX, EAX
JNE detected ; non-zero = debugger present
; PEB BeingDebugged field
MOV EAX, FS:[30h] ; PEB pointer
MOVZX EAX, [EAX+2] ; BeingDebugged byte
TEST EAX, EAX
JNE detected
; Timing check (RDTSC)
RDTSC ; read timestamp counter
; ... do work ...
RDTSC ; read again
; large delta = debugger stepping
```
### SEH (Structured Exception Handling)
```asm
; Set up SEH handler
PUSH handler_addr ; push handler function
PUSH FS:[0] ; push current SEH chain
MOV FS:[0], ESP ; install new handler
; Trigger exception intentionally
XOR ECX, ECX
DIV ECX ; divide by zero → handler executes
```
### Process Hollowing Pattern
```
CreateProcessW(SUSPENDED) ; Create target process suspended
NtUnmapViewOfSection() ; Remove original code
VirtualAllocEx() ; Allocate new memory
WriteProcessMemory() ; Write malicious code
ResumeThread() ; Execute injected code
```
### Code Injection Pattern
```
OpenProcess() ; Get handle to target
VirtualAllocEx(RWX) ; Allocate executable memory
WriteProcessMemory() ; Write shellcode
CreateRemoteThread() ; Execute in target
```
---
## Key Patterns to Recognize
| Pattern | What it means |
|---------|--------------|
| `XOR EAX, EAX` | Zero out EAX (common idiom) |
| `TEST EAX, EAX` + `JZ` | Check if EAX is zero |
| `PUSH EBP; MOV EBP,ESP; SUB ESP,n` | Function prologue |
| `LEAVE; RET` | Function epilogue |
| `CALL; ADD ESP,n` | cdecl call (caller cleanup) |
| `CALL; (no ADD ESP)` | stdcall call (callee cleanup) |
| `REP MOVSB` with ESI→EDI | Memory copy (like memcpy) |
| `FS:[0]` access | SEH manipulation |
| `FS:[30h]` access | PEB access (anti-debug) |
| NOP sled (many 0x90) | Shellcode indicator |
| `VirtualAlloc` + `memcpy` | Unpacking to new memory |
data/exam-cheatsheets/03-windows-apis.md
+207
View File
@@ -0,0 +1,207 @@
# FOR610 Windows API Cheat Sheet
## File Operations (kernel32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateFileA/W** | Open or create a file handle | Read/write config files, drop payloads |
| **ReadFile** | Read data from file | Read malware configuration |
| **WriteFile** | Write data to file | Drop payloads, write config |
| **DeleteFileA/W** | Delete a file | Remove traces |
| **CopyFile** | Copy a file | Spread to new locations |
| **FindFirstFile / FindNextFile** | Enumerate files in directory | Search for targets (ransomware) |
| **GetTempPath** | Get temp directory path | Common malware staging location |
| **GetFileSize** | Get file size in bytes | Check payload size |
## Resource Operations (kernel32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **FindResourceW** | Locate embedded resource | Find embedded payload in PE |
| **SizeofResource** | Get resource size | Determine payload size |
| **LoadResource** | Load resource into memory | Access embedded data |
| **LockResource** | Get pointer to resource data | Read resource content |
**Pattern:** FindResource → SizeofResource → LoadResource → LockResource → CreateFile → WriteFile → CreateProcess (**dropper pattern**)
## Process Operations (kernel32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateProcessA/W** | Create new process | Launch cmd.exe, spawn child for hollowing |
| **OpenProcess** | Get handle to existing process | Target process for injection |
| **TerminateProcess** | Kill a process | Kill security tools |
| **ExitProcess** | Terminate current process | Anti-debug: exit if detected |
| **GetCurrentProcess** | Get own process handle | Self-inspection |
## Process Enumeration (kernel32.dll / psapi.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateToolhelp32Snapshot** | Snapshot of running processes | Find injection targets |
| **Process32FirstW** | Get first process from snapshot | Begin enumeration |
| **Process32NextW** | Get next process from snapshot | Continue enumeration |
| **EnumProcesses** | List all process IDs | Alternative enumeration |
**Pattern:** CreateToolhelp32Snapshot → Process32First → Process32Next (loop) → OpenProcess (**find target for injection**)
## Memory Operations (kernel32.dll)
| API | What it does | Malware use | Key params |
|-----|-------------|-------------|-----------|
| **VirtualAlloc** | Allocate memory in own process | Unpack code to new memory | flProtect: 0x40 = RWX |
| **VirtualAllocEx** | Allocate memory in OTHER process | Injection: create space for shellcode | flProtect: 0x40 = PAGE_EXECUTE_READWRITE |
| **VirtualProtect** | Change memory page protection | Make data executable after writing | 0x40 = RWX (suspicious!) |
| **WriteProcessMemory** | Write to OTHER process memory | Inject shellcode/DLL into target |
| **ReadProcessMemory** | Read from OTHER process memory | Steal data from other processes |
| **VirtualFree** | Free allocated memory | Cleanup |
## Thread Operations (kernel32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateThread** | Create thread in own process | Execute shellcode in parallel |
| **CreateRemoteThread** | Create thread in OTHER process | **Execute injected code** |
| **ResumeThread** | Resume suspended thread | Wake up hollowed process |
| **SuspendThread** | Pause a thread | Freeze target during injection |
| **QueueUserAPC** | Queue async procedure call | APC injection technique |
## DLL / Module Operations (kernel32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **LoadLibraryA/W** | Load DLL at runtime | DLL injection via CreateRemoteThread, load sideloaded DLL |
| **GetProcAddress** | Get function address from DLL | Dynamically resolve APIs (avoid import table) |
| **GetModuleHandleA/W** | Get handle to loaded DLL | **Detect security tools** (check for avghookx.dll, etc.) |
| **FreeLibrary** | Unload DLL | Cleanup |
## Registry Operations (advapi32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **RegOpenKeyExA/W** | Open registry key | Access persistence keys, read config |
| **RegSetValueEx** | Set registry value | **Persistence** (Run keys), store config |
| **RegQueryValueExA** | Read registry value | Read stored config/commands |
| **RegCreateKeyEx** | Create new key | Set up persistence |
| **RegDeleteValue** | Delete a value | Remove traces |
**Persistence locations:**
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
## Network — WinINet (wininet.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **InternetOpenA** | Initialize internet session | Set up HTTP C2 (set user-agent) |
| **InternetConnectA** | Connect to server | Connect to C2 host:port |
| **HttpOpenRequestA** | Create HTTP request | Build GET/POST for C2 |
| **HttpSendRequestA** | Send HTTP request | **Send C2 beacon/data** |
| **InternetReadFile** | Read server response | **Receive C2 commands** |
| **InternetOpenUrlA** | Open URL directly | Direct download |
**C2 Pattern:** InternetOpen → InternetConnect → HttpOpenRequest → HttpSendRequest → InternetReadFile
## Network — Sockets (ws2_32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **socket** | Create network socket | Raw TCP/UDP C2 |
| **connect** | Connect to remote host | Establish C2 connection |
| **send** | Send data | Exfiltrate data, send commands |
| **recv** | Receive data | Receive C2 instructions |
## Network — Other
| API | DLL | Malware use |
|-----|-----|-------------|
| **URLDownloadToFileA** | urlmon.dll | Download next stage to disk |
| **WinHttpOpen** | winhttp.dll | Modern HTTPS C2 |
## Cryptography (advapi32.dll)
| API | What it does | Malware use |
|-----|-------------|-------------|
| **CryptAcquireContext** | Get crypto provider handle | Set up encryption |
| **CryptCreateHash** | Create hash object | Hash data for integrity |
| **CryptEncrypt** | Encrypt data | Protect C2 traffic, encrypt config |
| **CryptDecrypt** | Decrypt data | **Decrypt config files** (brbconfig.tmp) |
## Execution (shell32.dll / kernel32.dll)
| API | DLL | Malware use |
|-----|-----|-------------|
| **ShellExecuteA/W** | shell32.dll | Run commands, open URLs, launch programs |
| **WinExec** | kernel32.dll | Simple program execution |
| **system** | msvcrt.dll | Execute shell command via cmd.exe |
## Anti-Analysis / Detection
| API | DLL | What it checks |
|-----|-----|---------------|
| **IsDebuggerPresent** | kernel32.dll | Returns non-zero if debugger attached |
| **CheckRemoteDebuggerPresent** | kernel32.dll | Check if any debugger is present |
| **NtQueryInformationProcess** | ntdll.dll | Query ProcessDebugPort, ProcessDebugFlags |
| **GetTickCount** | kernel32.dll | System uptime — low = sandbox |
| **QueryPerformanceCounter** | kernel32.dll | High-res timer — detect single-stepping |
| **OutputDebugString** | kernel32.dll | If debugger present, no error returned |
| **BlockInput** | user32.dll | Block keyboard/mouse during execution |
## Injection-Specific (ntdll.dll)
| API | What it does | Technique |
|-----|-------------|-----------|
| **NtUnmapViewOfSection** | Remove memory section | **Process hollowing** — gut the target |
| **ZwUnmapViewOfSection** | Same as above (Zw prefix) | Process hollowing variant |
| **NtWriteVirtualMemory** | Native WriteProcessMemory | Injection via native API |
| **RtlCreateUserThread** | Native CreateRemoteThread | Injection via native API |
## Hooks & Monitoring
| API | DLL | Malware use |
|-----|-----|-------------|
| **SetWindowsHookExA** | user32.dll | Install mouse/keyboard hook — wait for user activity (anti-sandbox) |
| **FindWindowW** | user32.dll | **Detect analysis tools** by window title (OLLYDBG, WinDbg, etc.) |
## System Information
| API | DLL | Malware use |
|-----|-----|-------------|
| **GetComputerName** | kernel32.dll | Fingerprint victim for C2 |
| **GetUserName** | advapi32.dll | Identify logged-in user |
| **Sleep** | kernel32.dll | Delay execution (anti-sandbox, C2 beacon interval) |
| **SetFileTime** | kernel32.dll | Timestomp — hide file creation time |
---
## Quick Reference: API → Technique Mapping
| If you see these APIs... | The malware is... |
|--------------------------|-------------------|
| VirtualAllocEx + WriteProcessMemory + CreateRemoteThread | **Code injection** |
| CreateProcess(SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory + ResumeThread | **Process hollowing** |
| LoadLibrary + GetProcAddress (in loop) | **Dynamic API resolution** (evasion) |
| InternetOpen + HttpSendRequest + InternetReadFile | **HTTP C2 communication** |
| FindResource + LoadResource + WriteFile + CreateProcess | **Resource dropper** |
| RegOpenKeyEx + RegSetValueEx (Run keys) | **Persistence** |
| CreateToolhelp32Snapshot + Process32First/Next | **Process enumeration** (find target) |
| IsDebuggerPresent / NtQueryInformationProcess | **Anti-debugging** |
| SetWindowsHookEx(WH_MOUSE_LL) | **Anti-sandbox** (wait for user) |
| CryptDecrypt | **Config/payload decryption** |
| GetModuleHandle("avghookx.dll") / FindWindow("OLLYDBG") | **Security tool detection** |
---
## DLL Quick Reference
| DLL | Contains |
|-----|---------|
| **kernel32.dll** | File, process, memory, thread, module operations |
| **advapi32.dll** | Registry, crypto, services |
| **ntdll.dll** | Native API (Nt/Zw functions — low-level) |
| **user32.dll** | Windows/hooks/UI (SetWindowsHookEx, FindWindow, BlockInput) |
| **ws2_32.dll** | Winsock — raw socket networking |
| **wininet.dll** | High-level HTTP/HTTPS (InternetOpen, HttpSendRequest) |
| **shell32.dll** | ShellExecute — run programs/URLs |
| **urlmon.dll** | URLDownloadToFile |
| **msvcrt.dll** | C runtime — system(), malloc() |