# FOR610 Windows API Cheat Sheet

## File Operations (kernel32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateFileA/W** | Open or create a file handle | Read/write config files, drop payloads |
| **ReadFile** | Read data from file | Read malware configuration |
| **WriteFile** | Write data to file | Drop payloads, write config |
| **DeleteFileA/W** | Delete a file | Remove traces |
| **CopyFile** | Copy a file | Spread to new locations |
| **FindFirstFile / FindNextFile** | Enumerate files in directory | Search for targets (ransomware) |
| **GetTempPath** | Get temp directory path | Common malware staging location |
| **GetFileSize** | Get file size in bytes | Check payload size |

## Resource Operations (kernel32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **FindResourceW** | Locate embedded resource | Find embedded payload in PE |
| **SizeofResource** | Get resource size | Determine payload size |
| **LoadResource** | Load resource into memory | Access embedded data |
| **LockResource** | Get pointer to resource data | Read resource content |

**Pattern:** FindResource → SizeofResource → LoadResource → LockResource → CreateFile → WriteFile → CreateProcess (**dropper pattern**)

## Process Operations (kernel32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateProcessA/W** | Create new process | Launch cmd.exe, spawn child for hollowing |
| **OpenProcess** | Get handle to existing process | Target process for injection |
| **TerminateProcess** | Kill a process | Kill security tools |
| **ExitProcess** | Terminate current process | Anti-debug: exit if detected |
| **GetCurrentProcess** | Get own process handle | Self-inspection |

## Process Enumeration (kernel32.dll / psapi.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateToolhelp32Snapshot** | Snapshot of running processes | Find injection targets |
| **Process32FirstW** | Get first process from snapshot | Begin enumeration |
| **Process32NextW** | Get next process from snapshot | Continue enumeration |
| **EnumProcesses** | List all process IDs | Alternative enumeration |

**Pattern:** CreateToolhelp32Snapshot → Process32First → Process32Next (loop) → OpenProcess (**find target for injection**)

## Memory Operations (kernel32.dll)

| API | What it does | Malware use | Key params |
|-----|-------------|-------------|-----------|
| **VirtualAlloc** | Allocate memory in own process | Unpack code to new memory | flProtect: 0x40 = RWX |
| **VirtualAllocEx** | Allocate memory in OTHER process | Injection: create space for shellcode | flProtect: 0x40 = PAGE_EXECUTE_READWRITE |
| **VirtualProtect** | Change memory page protection | Make data executable after writing | 0x40 = RWX (suspicious!) |
| **WriteProcessMemory** | Write to OTHER process memory | Inject shellcode/DLL into target | |
| **ReadProcessMemory** | Read from OTHER process memory | Steal data from other processes | |
| **VirtualFree** | Free allocated memory | Cleanup | |

## Thread Operations (kernel32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **CreateThread** | Create thread in own process | Execute shellcode in parallel |
| **CreateRemoteThread** | Create thread in OTHER process | **Execute injected code** |
| **ResumeThread** | Resume suspended thread | Wake up hollowed process |
| **SuspendThread** | Pause a thread | Freeze target during injection |
| **QueueUserAPC** | Queue async procedure call | APC injection technique |

## DLL / Module Operations (kernel32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **LoadLibraryA/W** | Load DLL at runtime | DLL injection via CreateRemoteThread, load sideloaded DLL |
| **GetProcAddress** | Get function address from DLL | Dynamically resolve APIs (avoid import table) |
| **GetModuleHandleA/W** | Get handle to loaded DLL | **Detect security tools** (check for avghookx.dll, etc.) |
| **FreeLibrary** | Unload DLL | Cleanup |

## Registry Operations (advapi32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **RegOpenKeyExA/W** | Open registry key | Access persistence keys, read config |
| **RegSetValueEx** | Set registry value | **Persistence** (Run keys), store config |
| **RegQueryValueExA** | Read registry value | Read stored config/commands |
| **RegCreateKeyEx** | Create new key | Set up persistence |
| **RegDeleteValue** | Delete a value | Remove traces |

**Persistence locations:**

- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`

## Network — WinINet (wininet.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **InternetOpenA** | Initialize internet session | Set up HTTP C2 (set user-agent) |
| **InternetConnectA** | Connect to server | Connect to C2 host:port |
| **HttpOpenRequestA** | Create HTTP request | Build GET/POST for C2 |
| **HttpSendRequestA** | Send HTTP request | **Send C2 beacon/data** |
| **InternetReadFile** | Read server response | **Receive C2 commands** |
| **InternetOpenUrlA** | Open URL directly | Direct download |

**C2 Pattern:** InternetOpen → InternetConnect → HttpOpenRequest → HttpSendRequest → InternetReadFile

## Network — Sockets (ws2_32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **socket** | Create network socket | Raw TCP/UDP C2 |
| **connect** | Connect to remote host | Establish C2 connection |
| **send** | Send data | Exfiltrate data, send commands |
| **recv** | Receive data | Receive C2 instructions |

## Network — Other

| API | DLL | Malware use |
|-----|-----|-------------|
| **URLDownloadToFileA** | urlmon.dll | Download next stage to disk |
| **WinHttpOpen** | winhttp.dll | Modern HTTPS C2 |

## Cryptography (advapi32.dll)

| API | What it does | Malware use |
|-----|-------------|-------------|
| **CryptAcquireContext** | Get crypto provider handle | Set up encryption |
| **CryptCreateHash** | Create hash object | Hash data for integrity |
| **CryptEncrypt** | Encrypt data | Protect C2 traffic, encrypt config |
| **CryptDecrypt** | Decrypt data | **Decrypt config files** (brbconfig.tmp) |

## Execution (shell32.dll / kernel32.dll)

| API | DLL | Malware use |
|-----|-----|-------------|
| **ShellExecuteA/W** | shell32.dll | Run commands, open URLs, launch programs |
| **WinExec** | kernel32.dll | Simple program execution |
| **system** | msvcrt.dll | Execute shell command via cmd.exe |

## Anti-Analysis / Detection

| API | DLL | What it checks |
|-----|-----|---------------|
| **IsDebuggerPresent** | kernel32.dll | Returns non-zero if debugger attached |
| **CheckRemoteDebuggerPresent** | kernel32.dll | Check if any debugger is present |
| **NtQueryInformationProcess** | ntdll.dll | Query ProcessDebugPort, ProcessDebugFlags |
| **GetTickCount** | kernel32.dll | System uptime — low = sandbox |
| **QueryPerformanceCounter** | kernel32.dll | High-res timer — detect single-stepping |
| **OutputDebugString** | kernel32.dll | If debugger present, no error returned |
| **BlockInput** | user32.dll | Block keyboard/mouse during execution |

## Injection-Specific (ntdll.dll)

| API | What it does | Technique |
|-----|-------------|-----------|
| **NtUnmapViewOfSection** | Remove memory section | **Process hollowing** — gut the target |
| **ZwUnmapViewOfSection** | Same as above (Zw prefix) | Process hollowing variant |
| **NtWriteVirtualMemory** | Native WriteProcessMemory | Injection via native API |
| **RtlCreateUserThread** | Native CreateRemoteThread | Injection via native API |

## Hooks & Monitoring

| API | DLL | Malware use |
|-----|-----|-------------|
| **SetWindowsHookExA** | user32.dll | Install mouse/keyboard hook — wait for user activity (anti-sandbox) |
| **FindWindowW** | user32.dll | **Detect analysis tools** by window title (OLLYDBG, WinDbg, etc.) |

## System Information

| API | DLL | Malware use |
|-----|-----|-------------|
| **GetComputerName** | kernel32.dll | Fingerprint victim for C2 |
| **GetUserName** | advapi32.dll | Identify logged-in user |
| **Sleep** | kernel32.dll | Delay execution (anti-sandbox, C2 beacon interval) |
| **SetFileTime** | kernel32.dll | Timestomp — hide file creation time |

---

## Quick Reference: API → Technique Mapping

| If you see these APIs... | The malware is... |
|--------------------------|-------------------|
| VirtualAllocEx + WriteProcessMemory + CreateRemoteThread | **Code injection** |
| CreateProcess(SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory + ResumeThread | **Process hollowing** |
| LoadLibrary + GetProcAddress (in loop) | **Dynamic API resolution** (evasion) |
| InternetOpen + HttpSendRequest + InternetReadFile | **HTTP C2 communication** |
| FindResource + LoadResource + WriteFile + CreateProcess | **Resource dropper** |
| RegOpenKeyEx + RegSetValueEx (Run keys) | **Persistence** |
| CreateToolhelp32Snapshot + Process32First/Next | **Process enumeration** (find target) |
| IsDebuggerPresent / NtQueryInformationProcess | **Anti-debugging** |
| SetWindowsHookEx(WH_MOUSE_LL) | **Anti-sandbox** (wait for user) |
| CryptDecrypt | **Config/payload decryption** |
| GetModuleHandle("avghookx.dll") / FindWindow("OLLYDBG") | **Security tool detection** |

---

## DLL Quick Reference

| DLL | Contains |
|-----|---------|
| **kernel32.dll** | File, process, memory, thread, module operations |
| **advapi32.dll** | Registry, crypto, services |
| **ntdll.dll** | Native API (Nt/Zw functions — low-level) |
| **user32.dll** | Windows/hooks/UI (SetWindowsHookEx, FindWindow, BlockInput) |
| **ws2_32.dll** | Winsock — raw socket networking |
| **wininet.dll** | High-level HTTP/HTTPS (InternetOpen, HttpSendRequest) |
| **shell32.dll** | ShellExecute — run programs/URLs |
| **urlmon.dll** | URLDownloadToFile |
| **msvcrt.dll** | C runtime — system(), malloc() |
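The "API → Technique Mapping" table above is a set of triage rules, and the quickest way to apply it consistently is to encode it once and run it over the import names and strings pulled from a sample. The script below is an added example written for this cheat sheet, not course material or code from any tool; it assumes you already have the imported function names and the string table as plain Python lists (from whatever PE parser or strings utility you use), and the sample import list and strings it ships with are constructed for the demonstration. Two details go beyond the table: A/W suffixes are normalized so `CreateFileW` and `CreateFileA` both count, and the "Persistence" and "Security tool detection" rules additionally require a matching string (a Run key path, `avghookx.dll`, `OLLYDBG`, `WinDbg`), because `RegSetValueEx` and `GetModuleHandle` alone appear in far too many benign binaries to be meaningful on their own.

```python
import re

# Triage rules transcribed from the Quick Reference table. Every "slot" in
# "apis" must be satisfied by at least one of its alternatives; when "strings"
# is present, at least one of those substrings must also be in the string table.
RULES = {
    "Code injection": {
        "apis": [["VirtualAllocEx"],
                 ["WriteProcessMemory", "NtWriteVirtualMemory"],
                 ["CreateRemoteThread", "RtlCreateUserThread"]]},
    "Process hollowing": {
        "apis": [["CreateProcess"],
                 ["NtUnmapViewOfSection", "ZwUnmapViewOfSection"],
                 ["WriteProcessMemory", "NtWriteVirtualMemory"],
                 ["ResumeThread"]]},
    "Dynamic API resolution": {
        "apis": [["LoadLibrary"], ["GetProcAddress"]]},
    "HTTP C2 communication": {
        "apis": [["InternetOpen"], ["HttpSendRequest"], ["InternetReadFile"]]},
    "Resource dropper": {
        "apis": [["FindResource"], ["LoadResource"], ["WriteFile"], ["CreateProcess"]]},
    "Persistence": {
        "apis": [["RegOpenKeyEx", "RegCreateKeyEx"], ["RegSetValueEx"]],
        "strings": ["CurrentVersion\\Run"]},
    "Process enumeration": {
        "apis": [["CreateToolhelp32Snapshot"], ["Process32First"], ["Process32Next"]]},
    "Anti-debugging": {
        "apis": [["IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                  "NtQueryInformationProcess"]]},
    "Anti-sandbox": {
        "apis": [["SetWindowsHookEx"]]},
    "Config/payload decryption": {
        "apis": [["CryptDecrypt"]]},
    "Security tool detection": {
        "apis": [["GetModuleHandle", "FindWindow"]],
        "strings": ["avghookx.dll", "OLLYDBG", "WinDbg"]},
}

# An ANSI/Unicode suffix is a single trailing 'A' or 'W' after a lowercase
# letter or digit; the lookbehind class keeps names like VirtualAllocEx intact.
_SUFFIX_RE = re.compile(r"^(.+[a-z0-9])[AW]$")


def normalize(api_name):
    """Map CreateFileA / CreateFileW / Process32FirstW to their base name."""
    m = _SUFFIX_RE.match(api_name)
    return m.group(1) if m else api_name


def classify(imports, strings=()):
    """Return the sorted list of techniques whose rule is fully satisfied."""
    present = {normalize(name) for name in imports}
    haystack = "\n".join(strings).lower()
    hits = []
    for technique, rule in RULES.items():
        if not all(any(alt in present for alt in slot) for slot in rule["apis"]):
            continue
        needles = rule.get("strings", [])
        if needles and not any(n.lower() in haystack for n in needles):
            continue
        hits.append(technique)
    return sorted(hits)


# Constructed sample data (not from a real binary): a resource dropper that also
# injects, sets a Run key and checks for a security product's hook DLL.
SAMPLE_IMPORTS = [
    "CreateFileW", "WriteFile", "FindResourceW", "SizeofResource", "LoadResource",
    "LockResource", "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "RegOpenKeyExW", "RegSetValueExW", "GetModuleHandleW",
    "IsDebuggerPresent", "Sleep",
]
SAMPLE_STRINGS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    "avghookx.dll",
    "brbconfig.tmp",
]

if __name__ == "__main__":
    for technique in classify(SAMPLE_IMPORTS, SAMPLE_STRINGS):
        print(technique)
```

Treat a hit as a prompt for where to look in the disassembler, not a verdict: the import table only shows what the linker recorded, and a sample that resolves its APIs through `LoadLibrary`/`GetProcAddress` (the "Dynamic API resolution" row) will show almost none of these names statically. The same `classify` call works just as well on API names recovered from an API-monitor log or from decoded strings, which is usually where the interesting rules fire.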