Malware Analysis: Commonly used Windows functions

WriteFile function
Writes data to the specified file or input/output (I/O) device. This function is designed for both synchronous and asynchronous operation. For a similar function designed solely for asynchronous operation, see WriteFileEx. In triage, WriteFile imported alongside CreateFile is the usual sign of a dropper writing a payload or configuration to disk, so check what handle and buffer are passed to it.

CreateProcess function
Creates a new process and its primary thread. The new process runs in the security context of the calling process.
If the calling process is impersonating another user, the new process uses the token for the calling process, not the impersonation token. To run the new process in the security context of the user represented by the impersonation token, use the CreateProcessAsUser or CreateProcessWithLogonW function.
Malware commonly uses CreateProcess to launch a dropped payload, or to start a legitimate program with CREATE_SUSPENDED as a target for code injection; the command line and creation flags passed to it tell you which.

LookupPrivilegeValue function
The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name. It is almost always followed by AdjustTokenPrivileges; the pair enabling SeDebugPrivilege lets the sample open other processes, typically as a prelude to injection or credential access.

RegCloseKey function
Closes a handle to the specified registry key. On its own it shows only that the sample touches the registry; the interesting detail is which RegOpenKeyEx and RegSetValueEx calls it pairs with.

RegSetValue function
Sets the data for the default or unnamed value of a specified registry key. The data must be a text string (REG_SZ).
Note: This function is provided only for compatibility with 16-bit versions of Windows. Applications should use the RegSetValueEx function, which is also the call you will normally see in samples that write a value under a Run key for persistence.

RegOpenKeyEx function
Opens the specified registry key. Note that key names are not case sensitive.
To perform transacted registry operations on a key, call the RegOpenKeyTransacted function.
In a sample, look at the key path and access mask passed to it: opening HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or its HKLM counterpart) with KEY_SET_VALUE or KEY_WRITE is a strong persistence indicator.

GetCurrentProcess function
Retrieves a pseudo handle for the current process. The pseudo handle is the constant (HANDLE)-1 and does not need to be closed; malware typically passes it to OpenProcessToken before adjusting its own privileges.

GetTickCount function
Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. Malware calls it twice around a block of code and compares the difference: a gap far larger than the code could take suggests a debugger single-stepping or a slow sandbox. GetTickCount64, which has no 49.7-day wrap, is used the same way.

CreateFile function
Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe. The function returns a handle that can be used to access the file or device for various types of I/O depending on the file or device and the flags and attributes specified.
To perform this operation as a transacted operation, which results in a handle that can be used for transacted I/O, use the CreateFileTransacted function.
Despite its name, CreateFile is the open call for almost everything, so read the path argument: a \\.\ prefix opens a device object (physical disk, volume, named pipe) rather than an ordinary file, and a file created with FILE_ATTRIBUTE_HIDDEN or FILE_FLAG_DELETE_ON_CLOSE deserves a closer look.
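A quick way to put the entries above to use is to scan a sample's import table for the combinations an analyst actually cares about, rather than for single names. The script below is an added example, not code from the original post: its rule table, the import lists it runs on, and the AdjustTokenPrivileges and OpenProcessToken names (which the list above does not cover) are constructed for illustration, and the A/W suffix stripping is a heuristic.

```python
"""Import-table triage for the Win32 APIs catalogued above.

Added example, not part of the original post. The input is a list of imported
API names in the "DLL!Function" form that static PE tools print; the output is
the list of behaviours the co-occurring imports suggest. The rule table and the
sample import lists are constructed for illustration.
"""
import re

# Behaviour rules: a rule fires when every API in "all" is imported and, if the
# rule has an "any" set, at least one API from it is imported as well.
# Names are compared after the ANSI/Unicode A/W suffix has been stripped.
# AdjustTokenPrivileges and OpenProcessToken are assumed here; the list above
# does not cover them.
RULES = [
    ("file-drop", "writes a file to disk (dropper behaviour)",
     {"all": {"CreateFile", "WriteFile"}}),
    ("spawn", "creates a process in the caller's security context",
     {"all": {"CreateProcess"}}),
    ("reg-write", "writes a registry value (check the key for Run-key persistence)",
     {"all": {"RegOpenKeyEx"}, "any": {"RegSetValue", "RegSetValueEx"}}),
    ("privilege", "enables a privilege on its own token (e.g. SeDebugPrivilege)",
     {"all": {"GetCurrentProcess", "LookupPrivilegeValue", "AdjustTokenPrivileges"}}),
    ("timing", "measures elapsed time (possible anti-debugging timing check)",
     {"all": {"GetTickCount"}}),
]

# Heuristic: a trailing A or W after a lowercase letter or digit is the
# ANSI/Unicode variant marker (CreateFileW -> CreateFile). GetTickCount64 and
# names ending in a capital other than A/W are left alone.
_VARIANT_SUFFIX = re.compile(r"^(.+[a-z0-9])[AW]$")


def normalize(imported_name):
    """Strip the 'DLL!' prefix and the A/W variant suffix from an import name."""
    name = imported_name.split("!", 1)[-1].strip()
    match = _VARIANT_SUFFIX.match(name)
    return match.group(1) if match else name


def triage(imports):
    """Return [(tag, sorted matched API names)] for every rule that fires."""
    present = {normalize(name) for name in imports}
    findings = []
    for tag, _description, rule in RULES:
        if not rule["all"] <= present:
            continue
        matched = set(rule["all"])
        if "any" in rule:
            hits = rule["any"] & present
            if not hits:
                continue
            matched |= hits
        findings.append((tag, sorted(matched)))
    return findings


# Constructed import dumps (not taken from real samples).
DROPPER_IMPORTS = [
    "KERNEL32.dll!CreateFileW", "KERNEL32.dll!WriteFile",
    "KERNEL32.dll!CreateProcessW", "KERNEL32.dll!GetCurrentProcess",
    "KERNEL32.dll!GetTickCount",
    "ADVAPI32.dll!RegOpenKeyExW", "ADVAPI32.dll!RegSetValueExW",
    "ADVAPI32.dll!RegCloseKey",
    "ADVAPI32.dll!OpenProcessToken", "ADVAPI32.dll!LookupPrivilegeValueW",
    "ADVAPI32.dll!AdjustTokenPrivileges",
]
# A read-only program: CreateFile without WriteFile must not be flagged as a dropper.
VIEWER_IMPORTS = ["KERNEL32.dll!CreateFileA", "KERNEL32.dll!ReadFile",
                  "KERNEL32.dll!GetTickCount64"]


def report(imports):
    """Human-readable summary of triage(): one line per finding."""
    descriptions = {tag: desc for tag, desc, _ in RULES}
    lines = [f"[{tag}] {descriptions[tag]}: {', '.join(apis)}"
             for tag, apis in triage(imports)]
    return "\n".join(lines) if lines else "no rule fired"


if __name__ == "__main__":
    print("dropper sample:\n" + report(DROPPER_IMPORTS))
    print("viewer sample:\n" + report(VIEWER_IMPORTS))
```

Run it as-is to see the constructed dropper trip every rule while the viewer trips none; to use it on a real sample, feed triage() the import names printed by your PE parser of choice. The rules deliberately require co-occurrence (CreateFile plus WriteFile, RegOpenKeyEx plus a RegSetValue variant) because each of these APIs is also imported by countless benign programs; a single name is a prompt to look, not a verdict.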
