Its is very essential to know and understand Windows API calls that can be utilized by malwares. Knowing these help with:-
- Understand the flow of program/malware.
- Understand capabilities of a program/malware.
- Know where to set breakpoints when performing Reverse Engineering over app/malware.
I have only curated this, the references will be at bottom of post to the original authors and blogs.
| Name | Brief | Stages | Sample Code |
|---|---|---|---|
| NtVirtualAllocX | Important API for memory allocation | Memory Management | VirtualAllocEx(); |
| NtCreateFile | Important API for file creation | File Operations | CreateFile(); |
| NtReadFile | Important API for reading files | File Operations | ReadFile(); |
| NtTerminateProcess | Important API for ending processes | Process Management | TerminateProcess(); |
| NtOpenProcess | Important API for accessing processes | Process Management | OpenProcess(); |
| NtQuerySystemInformation | Important API for system info retrieval | System Monitoring | GetSystemInfo(); |
| NtQueryDirectoryFile | Important API for directory queries | File Operations | FindFirstFile(); |
| NtOpenThread | Important API for accessing threads | Thread Management | OpenThread(); |
| NtSetInformationFile | Important API for file info modification | File Operations | SetFileInformationByHandle(); |
| NtQueryInformationProcess | Important API for process info retrieval | Process Monitoring | GetProcessInformation(); |
| NtAllocateVirtualMemory | Important API for virtual memory allocation | Memory Management | VirtualAlloc(); |
| NtFreeVirtualMemory | Important API for virtual memory release | Memory Management | VirtualFree(); |
| NtWriteFile | Important API for writing to files | File Operations | WriteFile(); |
| NtClose | Important API for closing handles | Handle Management | CloseHandle(); |
| NtDelayExecution | Important API for thread delays | Thread Management | Sleep(); |
| NtQueryKey | Important API for querying registry keys | Registry Operations | RegQueryValueEx(); |
| NtSetValueKey | Important API for setting registry values | Registry Operations | RegSetValueEx(); |
| NtOpenKey | Important API for opening registry keys | Registry Operations | RegOpenKeyEx(); |
| NtQueryValueKey | Important API for querying registry values | Registry Operations | RegQueryValueEx(); |
| NtEnumerateValueKey | Important API for enumerating registry values | Registry Operations | RegEnumValue(); |
| NtProtectVirtualMemory | Important API for memory protection | Memory Management | VirtualProtect(); |
| NtDuplicateObject | Important API for duplicating handles | Handle Management | DuplicateHandle(); |
| NtAdjustPrivilegesToken | Important API for adjusting token privileges | Security Management | AdjustTokenPrivileges(); |
| NtLoadDriver | Important API for loading device drivers | Driver Operations | LoadDriver(); |
| NtUnloadDriver | Important API for unloading device drivers | Driver Operations | UnloadDriver(); |
| NtMapViewOfSection | Important API for mapping view of a section | Memory Management | MapViewOfFile(); |
| NtUnmapViewOfSection | Important API for unmapping view of a section | Memory Management | UnmapViewOfFile(); |
| NtQueryVolumeInformationFile | Important API for querying volume information | File Operations | GetVolumeInformation(); |
| NtDeviceIoControlFile | Important API for device I/O control | Device Operations | DeviceIoControl(); |
| NtWaitForSingleObject | Important API for waiting on an object | Synchronization | WaitForSingleObject(); |
| NtWaitForMultipleObjects | Important API for waiting on multiple objects | Synchronization | WaitForMultipleObjects(); |
| NtSetEvent | Important API for setting an event | Synchronization | SetEvent(); |
| NtResetEvent | Important API for resetting an event | Synchronization | ResetEvent(); |
| NtCreateMutant | Important API for creating a mutex | Synchronization | CreateMutex(); |
| NtReleaseMutant | Important API for releasing a mutex | Synchronization | ReleaseMutex(); |
| NtSuspendThread | Important API for suspending threads | Thread Management | SuspendThread(); |
| NtResumeThread | Important API for resuming threads | Thread Management | ResumeThread(); |
| NtSetInformationThread | Important API for setting thread information | Thread Management | SetThreadInformation(); |
| NtQueryPerformanceCounter | Important API for performance counter queries | Performance Monitoring | QueryPerformanceCounter(); |
| NtQuerySemaphore | Important API for querying semaphore | Synchronization | QuerySemaphore(); |
| NtSetTimer | Important API for setting timers | Timer Operations | SetWaitableTimer(); |
| NtCancelTimer | Important API for canceling timers | Timer Operations | CancelWaitableTimer(); |
References
- Hadees Blog [Original Source of this article]