Hacktricks-skills malware-api-reference

Reference for Windows APIs commonly used in malware, malware analysis techniques, and detection strategies. Use this skill whenever the user mentions malware analysis, reversing, Windows API calls, process injection, DLL injection, process hollowing, anti-analysis techniques, threat hunting, detection rules, or any security research involving Windows executables. Trigger even if they don't explicitly say "malware" but describe suspicious behavior, API sequences, or need to understand how malware evades detection.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/reversing/common-api-used-in-malware/SKILL.MD

source content

Malware API Reference & Analysis Guide

A comprehensive reference for Windows APIs commonly abused by malware, along with analysis techniques and detection strategies.

Quick Reference: Common Malware APIs

Networking APIs

Raw Sockets	WinAPI Sockets	Purpose
`socket()`	`WSAStartup()`	Initialize socket communication
`bind()`	`bind()`	Bind to local address
`listen()`	`listen()`	Listen for connections
`accept()`	`accept()`	Accept incoming connections
`connect()`	`connect()`	Connect to remote host
`read()/recv()`	`recv()`	Receive data
`write()`	`send()`	Send data
`shutdown()`	`WSACleanup()`	Cleanup socket resources

Detection tip: Monitor for

WSAStartup()

followed by

connect()

to suspicious IPs/ports, especially from non-browser processes.

Persistence APIs

Registry	File System	Service Management
`RegCreateKeyEx()`	`GetTempPath()`	`OpenSCManager()`
`RegOpenKeyEx()`	`CopyFile()`	`CreateService()`
`RegSetValueEx()`	`CreateFile()`	`StartServiceCtrlDispatcher()`
`RegDeleteKeyEx()`	`WriteFile()`
`RegGetValue()`	`ReadFile()`

Detection tip: Alert on registry modifications to Run/RunOnce keys, especially from temporary directories.

Encryption APIs (WinCrypt)

```
CryptAcquireContext()
```
- Acquire cryptographic provider
```
CryptGenKey()
```
- Generate encryption key
```
CryptDeriveKey()
```
- Derive key from password
```
CryptDecrypt()
```
- Decrypt data
```
CryptReleaseContext()
```
- Release provider

Detection tip: Ransomware often calls these in sequence. Monitor for rapid encryption of many files.

Anti-Analysis / VM Detection APIs

API	Purpose
`IsDebuggerPresent()`	Check for debugger
`GetSystemInfo()`	Gather system info
`GlobalMemoryStatusEx()`	Check memory (VM indicator)
`GetVersion()`	OS version check
`CreateToolhelp32Snapshot()`	Enumerate processes
`CreateFileW/A()`	Check for files

Assembly-level checks:

```
CPUID()
```
- CPU identification
```
IN()
```
- Port I/O (often fails in VMs)

Detection tip: Flag processes that query multiple anti-VM APIs early in execution then exit with no observable activity.

Locale/Keyboard-Based Execution Guards

Malware often aborts on certain locales to evade researchers:

```
GetKeyboardLayout()
```
- Enumerate installed layouts
```
GetLocaleInfoA/W()
```
- Resolve country/region codes

GetSystemDefaultLangID()

GetUserDefaultLangID()

- Get language IDs

Common blocked regions: CIS countries (Russia, Ukraine, Belarus, etc.)

Detection tip: Correlate locale API calls with immediate process termination and no network IOCs.

Emulator API Fingerprinting

Malware searches for sandbox/emulator exports:

Defender Virtualization exports:

```
MpVmp32Entry
```
,
```
MpVmp32FastEnter
```

MpCallPreEntryPointCode

MpCallPostEntryPointCode

MpFinalize

MpReportEvent*

MpSwitchToNextThread*

VFS family:

```
VFS_Open
```
,
```
VFS_Read
```
,
```
VFS_MapViewOfFile
```

VFS_UnmapViewOfFile

VFS_FindFirstFile/FindNextFile

```
VFS_CopyFile
```
,
```
VFS_DeleteFile
```
,
```
VFS_MoveFile
```

ThrdMgr family:

ThrdMgr_GetCurrentThreadHandle

ThrdMgr_SaveTEB

ThrdMgr_SwitchThreads

Typical evasion: Delay execution 10-30 minutes if emulator detected:

cmd /c timeout /t %RANDOM_IN_[600,1800]% > nul

Stealth & Injection APIs

API	Purpose
`VirtualAlloc()`	Allocate memory (packers)
`VirtualProtect()`	Change memory permissions
`ReadProcessMemory()`	Read from other processes
`WriteProcessMemoryA/W()`	Write to other processes
`NtWriteVirtualMemory()`	Native memory write
`CreateRemoteThread()`	Remote thread creation
`NtUnmapViewOfSection()`	Unmap memory sections
`QueueUserAPC()`	Queue APC to thread
`CreateProcessInternalA/W()`	Internal process creation

Detection tip: Alert on

CREATE_SUSPENDED

processes that allocate RWX memory before creating GUI/console windows.

Execution APIs

```
CreateProcessA/W()
```
- Create new process
```
ShellExecute()
```
- Execute via shell
```
WinExec()
```
- Execute command
```
ResumeThread()
```
- Resume suspended thread
```
NtResumeThread()
```
- Native thread resume

Miscellaneous APIs

API	Purpose
`GetAsyncKeyState()`	Key logging
`SetWindowsHookEx()`	Key logging
`GetForegroundWindow()`	Get active window
`LoadLibrary()`	Load DLL
`GetProcAddress()`	Get function address
`CreateToolhelp32Snapshot()`	List processes
`GetDC()`	Get device context
`BitBlt()`	Screenshot
`InternetOpen/Read/WriteFile()`	HTTP access
`FindResource()/LockResource()`	Access embedded resources

Malware Techniques Deep Dive

DLL Injection

Execute arbitrary DLL inside another process:

Locate target process:

CreateToolhelp32Snapshot()

Process32First()

Process32Next()

Open process:

GetModuleHandle()

GetProcAddress()

OpenProcess()

Write DLL path:
```
VirtualAllocEx()
```
,
```
WriteProcessMemory()
```
Load DLL:
```
CreateRemoteThread()
```
with
```
LoadLibrary()
```

Alternative APIs:

NTCreateThreadEx()

RtlCreateUserThread()

Reflective DLL Injection

Load DLL without normal Windows API calls:

DLL mapped directly into process memory
Imports resolved manually
Relocations fixed in-memory
```
DllMain()
```
called directly

Thread Hijacking

Find target thread:

CreateToolhelp32Snapshot()

Thread32First()

Thread32Next()

Open thread:
```
OpenThread()
```
Suspend thread:
```
SuspendThread()
```
Write DLL path:
```
VirtualAllocEx()
```
,
```
WriteProcessMemory()
```
Resume with payload:
```
ResumeThread()
```

Process Hollowing (RunPE)

Launch legitimate process suspended, replace its memory with malicious PE:

Typical workflow:

Spawn suspended process:

STARTUPINFOA si = { sizeof(si) };
PROCESS_INFORMATION pi;
CreateProcessA("C:\\Windows\\Microsoft.NET\\Framework32\\v4.0.30319\\RegAsm.exe",
              NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

Parse malicious PE headers to get
```
SizeOfImage
```
, sections,
```
EntryPoint
```

Unmap original image:

NtUnmapViewOfSection()

ZwUnmapViewOfSection()

Allocate new memory:
```
VirtualAllocEx()
```
with RWX permissions
Copy payload:
```
WriteProcessMemory()
```
- headers first, then sections
Patch thread context:
```
SetThreadContext()
```
- set
```
EIP/RIP
```
to payload entry point
Resume execution:
```
ResumeThread()
```

Common host processes:

```
RegAsm.exe
```
(signed .NET Framework binary)
```
MSBuild.exe
```
(developer tooling)
```
rundll32.exe
```
(system utility)

MSBuild path resolution:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\System32\MSBuild.exe
C:\Windows\SysWOW64\MSBuild.exe

Hooking Techniques

Type	Description
SSDT Hooking	Modify System Service Descriptor Table pointers to kernel functions
IRP Hooking	Hook I/O Request Packets for device communication (DKOM)
IAT Hooking	Modify Import Address Table to hijack function calls
EAT Hooking	Hook Export Address Table from userland
Inline Hooks	Modify function code directly (jump at beginning)

Detection Strategies

Process Hollowing Detection

Alert on
```
CREATE_SUSPENDED
```
processes that:
- Never create GUI/console windows
- Allocate RWX memory regions
- Make outbound connections

Monitor API sequence:

NtUnmapViewOfSection

→

VirtualAllocEx

→

WriteProcessMemory

Hunt for unusual hosts:
- ```
MSBuild.exe
```
  from user-writable paths
- ```
RegAsm.exe
```
  without .NET context
- ```
rundll32.exe
```
  parented by short-lived loaders
ATT&CK mapping:
- T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild)
- T1055.012 (Process Injection: Process Hollowing)

Anti-Analysis Detection

Flag processes that:
- Query multiple locale/keyboard APIs early
- Exit with no observable activity
- Call anti-VM APIs (BIOS strings, PnP devices, disk model)
Monitor for emulator fingerprints:
- Search for
```
MpVmp*
```
  ,
```
VFS_*
```
  ,
```
ThrdMgr_*
```
  exports
- Detect delayed execution (10-30 minute timeouts)

Network-Based Detection

TLS pinning indicators:
- ```
SslStream
```
  usage with certificate validation
- Compressed traffic (GZip)
- Chunked responses (~16KB segments)
Argument gatekeeping:
- Benign-looking CLI switches (e.g.,
```
/i:--type=renderer
```
  )
- Process exits if switch absent

Analysis Workflow

Static Analysis

Import analysis: Look for suspicious API combinations
String extraction: Find URLs, file paths, registry keys
PE header inspection: Check for packed/obfuscated sections
Resource section: Look for embedded payloads

Dynamic Analysis

API monitoring: Track suspicious API sequences
Memory scanning: Look for injected code, decrypted strings
Network capture: Monitor C2 communication
Process tree: Identify parent-child relationships

Memory Forensics

Scan for RWX regions in suspicious processes
Look for hollowed processes (mismatched PE headers)
Identify injected threads (unusual thread start addresses)
Extract decrypted strings from memory dumps

References

Usage Tips

For detection rules: Focus on API sequences rather than single calls
For hunting: Correlate multiple indicators (API calls + network + file system)
For analysis: Use both static and dynamic methods for comprehensive coverage
For research: Check references for latest campaign details and TTPs