tobias 1d2427415e Add FOR610 exam cheat sheets (tools, assembly, Windows APIs)
Three markdown cheat sheets for exam preparation:
- 01-tools.md: All analysis tools with descriptions, platforms, book
  section refs, and key pipe chains
- 02-assembly.md: x86/x64 registers, instructions, calling conventions,
  stack frames, control flow, anti-analysis patterns
- 03-windows-apis.md: All Windows APIs by category with DLLs, malware
  use cases, and technique-to-API mapping table

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 22:24:55 +02:00

# FOR610 Windows API Cheat Sheet

## File Operations (kernel32.dll)

| API | What it does | Malware use |
|---|---|---|
| CreateFileA/W | Open or create a file handle | Read/write config files, drop payloads |
| ReadFile | Read data from file | Read malware configuration |
| WriteFile | Write data to file | Drop payloads, write config |
| DeleteFileA/W | Delete a file | Remove traces |
| CopyFile | Copy a file | Spread to new locations |
| FindFirstFile / FindNextFile | Enumerate files in directory | Search for targets (ransomware) |
| GetTempPath | Get temp directory path | Common malware staging location |
| GetFileSize | Get file size in bytes | Check payload size |

## Resource Operations (kernel32.dll)

| API | What it does | Malware use |
|---|---|---|
| FindResourceW | Locate embedded resource | Find embedded payload in PE |
| SizeofResource | Get resource size | Determine payload size |
| LoadResource | Load resource into memory | Access embedded data |
| LockResource | Get pointer to resource data | Read resource content |

Pattern: FindResource → SizeofResource → LoadResource → LockResource → CreateFile → WriteFile → CreateProcess (dropper pattern)

## Process Operations (kernel32.dll)

| API | What it does | Malware use |
|---|---|---|
| CreateProcessA/W | Create new process | Launch cmd.exe, spawn child for hollowing |
| OpenProcess | Get handle to existing process | Target process for injection |
| TerminateProcess | Kill a process | Kill security tools |
| ExitProcess | Terminate current process | Anti-debug: exit if detected |
| GetCurrentProcess | Get own process handle | Self-inspection |

## Process Enumeration (kernel32.dll / psapi.dll)

| API | What it does | Malware use |
|---|---|---|
| CreateToolhelp32Snapshot | Snapshot of running processes | Find injection targets |
| Process32FirstW | Get first process from snapshot | Begin enumeration |
| Process32NextW | Get next process from snapshot | Continue enumeration |
| EnumProcesses | List all process IDs | Alternative enumeration |

Pattern: CreateToolhelp32Snapshot → Process32First → Process32Next (loop) → OpenProcess (find target for injection)

## Memory Operations (kernel32.dll)

| API | What it does | Malware use | Key params |
|---|---|---|---|
| VirtualAlloc | Allocate memory in own process | Unpack code to new memory | flProtect: 0x40 = RWX |
| VirtualAllocEx | Allocate memory in OTHER process | Injection: create space for shellcode | flProtect: 0x40 = PAGE_EXECUTE_READWRITE |
| VirtualProtect | Change memory page protection | Make data executable after writing | 0x40 = RWX (suspicious!) |
| WriteProcessMemory | Write to OTHER process memory | Inject shellcode/DLL into target | |
| ReadProcessMemory | Read from OTHER process memory | Steal data from other processes | |
| VirtualFree | Free allocated memory | Cleanup | |

## Thread Operations (kernel32.dll)

| API | What it does | Malware use |
|---|---|---|
| CreateThread | Create thread in own process | Execute shellcode in parallel |
| CreateRemoteThread | Create thread in OTHER process | Execute injected code |
| ResumeThread | Resume suspended thread | Wake up hollowed process |
| SuspendThread | Pause a thread | Freeze target during injection |
| QueueUserAPC | Queue async procedure call | APC injection technique |

## DLL / Module Operations (kernel32.dll)

| API | What it does | Malware use |
|---|---|---|
| LoadLibraryA/W | Load DLL at runtime | DLL injection via CreateRemoteThread, load sideloaded DLL |
| GetProcAddress | Get function address from DLL | Dynamically resolve APIs (avoid import table) |
| GetModuleHandleA/W | Get handle to loaded DLL | Detect security tools (check for avghookx.dll, etc.) |
| FreeLibrary | Unload DLL | Cleanup |

## Registry Operations (advapi32.dll)

| API | What it does | Malware use |
|---|---|---|
| RegOpenKeyExA/W | Open registry key | Access persistence keys, read config |
| RegSetValueEx | Set registry value | Persistence (Run keys), store config |
| RegQueryValueExA | Read registry value | Read stored config/commands |
| RegCreateKeyEx | Create new key | Set up persistence |
| RegDeleteValue | Delete a value | Remove traces |

Persistence locations:

- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`

## Network — WinINet (wininet.dll)

| API | What it does | Malware use |
|---|---|---|
| InternetOpenA | Initialize internet session | Set up HTTP C2 (set user-agent) |
| InternetConnectA | Connect to server | Connect to C2 host:port |
| HttpOpenRequestA | Create HTTP request | Build GET/POST for C2 |
| HttpSendRequestA | Send HTTP request | Send C2 beacon/data |
| InternetReadFile | Read server response | Receive C2 commands |
| InternetOpenUrlA | Open URL directly | Direct download |

C2 Pattern: InternetOpen → InternetConnect → HttpOpenRequest → HttpSendRequest → InternetReadFile

## Network — Sockets (ws2_32.dll)

| API | What it does | Malware use |
|---|---|---|
| socket | Create network socket | Raw TCP/UDP C2 |
| connect | Connect to remote host | Establish C2 connection |
| send | Send data | Exfiltrate data, send commands |
| recv | Receive data | Receive C2 instructions |

## Network — Other

| API | DLL | Malware use |
|---|---|---|
| URLDownloadToFileA | urlmon.dll | Download next stage to disk |
| WinHttpOpen | winhttp.dll | Modern HTTPS C2 |

## Cryptography (advapi32.dll)

| API | What it does | Malware use |
|---|---|---|
| CryptAcquireContext | Get crypto provider handle | Set up encryption |
| CryptCreateHash | Create hash object | Hash data for integrity |
| CryptEncrypt | Encrypt data | Protect C2 traffic, encrypt config |
| CryptDecrypt | Decrypt data | Decrypt config files (brbconfig.tmp) |

## Execution (shell32.dll / kernel32.dll)

| API | DLL | Malware use |
|---|---|---|
| ShellExecuteA/W | shell32.dll | Run commands, open URLs, launch programs |
| WinExec | kernel32.dll | Simple program execution |
| system | msvcrt.dll | Execute shell command via cmd.exe |

## Anti-Analysis / Detection

| API | DLL | What it checks |
|---|---|---|
| IsDebuggerPresent | kernel32.dll | Returns non-zero if debugger attached |
| CheckRemoteDebuggerPresent | kernel32.dll | Check if any debugger is present |
| NtQueryInformationProcess | ntdll.dll | Query ProcessDebugPort, ProcessDebugFlags |
| GetTickCount | kernel32.dll | System uptime — low = sandbox |
| QueryPerformanceCounter | kernel32.dll | High-res timer — detect single-stepping |
| OutputDebugString | kernel32.dll | If debugger present, no error returned |
| BlockInput | user32.dll | Block keyboard/mouse during execution |

## Injection-Specific (ntdll.dll)

| API | What it does | Technique |
|---|---|---|
| NtUnmapViewOfSection | Remove memory section | Process hollowing — gut the target |
| ZwUnmapViewOfSection | Same as above (Zw prefix) | Process hollowing variant |
| NtWriteVirtualMemory | Native WriteProcessMemory | Injection via native API |
| RtlCreateUserThread | Native CreateRemoteThread | Injection via native API |

## Hooks & Monitoring

| API | DLL | Malware use |
|---|---|---|
| SetWindowsHookExA | user32.dll | Install mouse/keyboard hook — wait for user activity (anti-sandbox) |
| FindWindowW | user32.dll | Detect analysis tools by window title (OLLYDBG, WinDbg, etc.) |

## System Information

| API | DLL | Malware use |
|---|---|---|
| GetComputerName | kernel32.dll | Fingerprint victim for C2 |
| GetUserName | advapi32.dll | Identify logged-in user |
| Sleep | kernel32.dll | Delay execution (anti-sandbox, C2 beacon interval) |
| SetFileTime | kernel32.dll | Timestomp — hide file creation time |

## Quick Reference: API → Technique Mapping

| If you see these APIs... | The malware is... |
|---|---|
| VirtualAllocEx + WriteProcessMemory + CreateRemoteThread | Code injection |
| CreateProcess(SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory + ResumeThread | Process hollowing |
| LoadLibrary + GetProcAddress (in loop) | Dynamic API resolution (evasion) |
| InternetOpen + HttpSendRequest + InternetReadFile | HTTP C2 communication |
| FindResource + LoadResource + WriteFile + CreateProcess | Resource dropper |
| RegOpenKeyEx + RegSetValueEx (Run keys) | Persistence |
| CreateToolhelp32Snapshot + Process32First/Next | Process enumeration (find target) |
| IsDebuggerPresent / NtQueryInformationProcess | Anti-debugging |
| SetWindowsHookEx(WH_MOUSE_LL) | Anti-sandbox (wait for user) |
| CryptDecrypt | Config/payload decryption |
| GetModuleHandle("avghookx.dll") / FindWindow("OLLYDBG") | Security tool detection |
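The mapping table above is what an analyst applies by hand to a sample's import table during static triage. The script below is an added example (not part of the cheat sheet or the course material) that encodes those rows as rules and runs them over a list of imported API names. It normalises the A/W charset suffix so `CreateProcessW` and `RegOpenKeyExA` match the base names used in the table, and treats the Nt/Zw and native variants from the injection section as alternatives. The two import lists are constructed samples, not real malware; the optional `imports_from_pe` helper uses the `pefile` library if it is installed, and a rule firing only says the APIs are present, not that they are used together (the "in loop" condition for dynamic API resolution needs a disassembler to confirm).

```python
"""Static triage: map a PE sample's imported API names to the cheat-sheet techniques."""

# Each technique lists API "groups"; a group is a set of alternative names and
# the technique fires only when every group has at least one member imported.
# Rows follow the "API -> Technique Mapping" table; alternatives come from the
# ntdll.dll injection section (Nt/Zw/Rtl variants).
RULES = {
    "Code injection": [
        {"VirtualAllocEx"}, {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"CreateRemoteThread", "RtlCreateUserThread"},
    ],
    "Process hollowing": [
        {"CreateProcess"}, {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"}, {"ResumeThread"},
    ],
    "Dynamic API resolution (evasion)": [{"LoadLibrary"}, {"GetProcAddress"}],
    "HTTP C2 communication": [{"InternetOpen"}, {"HttpSendRequest"}, {"InternetReadFile"}],
    "Resource dropper": [{"FindResource"}, {"LoadResource"}, {"WriteFile"}, {"CreateProcess"}],
    "Registry persistence": [{"RegOpenKeyEx", "RegCreateKeyEx"}, {"RegSetValueEx"}],
    "Process enumeration": [{"CreateToolhelp32Snapshot"}, {"Process32First"}, {"Process32Next"}],
    "Anti-debugging": [{"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}],
    "Anti-sandbox (wait for user)": [{"SetWindowsHookEx"}],
    "Config/payload decryption": [{"CryptDecrypt"}],
    "Security tool detection": [{"GetModuleHandle", "FindWindow"}],
}


def normalize(name: str) -> str:
    """Drop a trailing A/W charset suffix (CreateFileW -> CreateFile).

    The suffix is only stripped when it follows a lowercase letter, so names
    such as VirtualAllocEx or QueueUserAPC are left untouched.
    """
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def match_techniques(imports):
    """Return {technique: sorted list of imported APIs that satisfied its rule}."""
    present = {normalize(n) for n in imports}
    hits = {}
    for technique, groups in RULES.items():
        matched = [group & present for group in groups]
        if all(matched):  # every group must be satisfied
            hits[technique] = sorted(set().union(*matched))
    return hits


def imports_from_pe(path):
    """Collect named imports from a PE file using pefile (optional dependency)."""
    import pefile  # third-party; only needed for real samples
    pe = pefile.PE(path)
    names = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        for imp in entry.imports:
            if imp.name:
                names.append(imp.name.decode("ascii", "replace"))
    return names


# Constructed sample import lists (hypothetical, not taken from real malware).
SAMPLE_INJECTOR = [
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess",
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "IsDebuggerPresent", "RegOpenKeyExA", "RegSetValueExA", "CloseHandle",
]
SAMPLE_DROPPER = [
    "FindResourceW", "SizeofResource", "LoadResource", "LockResource",
    "CreateFileW", "WriteFile", "CreateProcessW",
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
    "InternetReadFile",
]


def main():
    for label, imports in (("injector", SAMPLE_INJECTOR), ("dropper", SAMPLE_DROPPER)):
        print(f"[{label}]")
        for technique, evidence in match_techniques(imports).items():
            print(f"  {technique}: {', '.join(evidence)}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the two constructed samples classified; for a real sample, replace the list with `imports_from_pe("sample.exe")`. A hit on "Code injection" with no hit on "Process hollowing" is exactly the distinction the table draws: the second needs `CreateProcess` plus an unmap call on top of the write.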

## DLL Quick Reference

| DLL | Contains |
|---|---|
| kernel32.dll | File, process, memory, thread, module operations |
| advapi32.dll | Registry, crypto, services |
| ntdll.dll | Native API (Nt/Zw functions — low-level) |
| user32.dll | Windows/hooks/UI (SetWindowsHookEx, FindWindow, BlockInput) |
| ws2_32.dll | Winsock — raw socket networking |
| wininet.dll | High-level HTTP/HTTPS (InternetOpen, HttpSendRequest) |
| shell32.dll | ShellExecute — run programs/URLs |
| urlmon.dll | URLDownloadToFile |
| msvcrt.dll | C runtime — system(), malloc() |