|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 23.10.2020

Windows system dlls


This collection gives a brief overview of some Windows system DLLs and of the functions malware typically calls from them. The functions are grouped by the purpose they serve in a sample rather than alphabetically: each one is ordinary Win32 usage on its own, so it is the pairs and triads below that are worth flagging when reading an import table. It is based on the book "Practical Malware Analysis" and wikipedia.org.

hal.dll


Hardware abstraction layer. Runs in kernel mode.

ntdll.dll


Native API, the user-mode interface to the kernel. Normally reached indirectly through kernel32.dll; an executable that imports ntdll.dll directly is reaching for functionality outside the documented Win32 layer (hiding activity, manipulating processes, bypassing hooks on the kernel32.dll wrappers).

kernel32.dll


Core functionality like memory, I/O and process management.

(covert) function/process execution

LoadLibrary
GetProcAddress
CreateProcess
CreateMutex

(covert) file manipulation

CreateFile
CreateFileMapping
MapViewOfFile
FindNextFile

process/thread manipulation

CreateToolhelp32Snapshot
SuspendThread
VirtualProtect

code injection

VirtualAllocEx
WriteProcessMemory
CreateRemoteThread

advapi32.dll


Advanced core functionality like security, services and registry management.

persistence (registry/service)

OpenSCManager
CreateService
RegSetValue

privilege escalation

OpenProcessToken
AdjustTokenPrivileges

obfuscation and encryption

CryptDecrypt
CryptImportKey
CryptBinaryToString

user32.dll


Windows GUI

windows message hook

SetWindowsHookEx
CallNextHookEx
GetMessage

user space keylogging

GetActiveWindow
GetAsyncKeyState
GetForegroundWindow

screen capture (pt.1)

In combination with gdi32.dll

GetSystemMetrics
GetDesktopWindow

gdi32.dll


Underlying Graphics Device Interface. Rendering of the Windows GUI.

screen capture (pt.2)

CreateCompatibleBitmap
GetDIBits

ws2_32.dll, wsock32.dll


Winsock API. TCP/IP functions.

network connections

WSAStartup
bind
connect
send

wininet.dll


High-level network functionality like FTP, HTTP and HTTPS.

resource download

InternetOpenUrl
InternetReadFile

netapi32.dll


Network management.

persistence (job, service)

NetScheduleJobAdd
NetServiceInstall

backdoor user

NetUserAdd
NetLocalGroupAdd

msvcrt.dll


Microsoft Visual C runtime.

malloc
free
printf

bcrypt.dll


Cryptography API: Next Generation (CNG)

BCryptOpenAlgorithmProvider
BCryptImportKey
BCryptImportKeyPair
BCryptDecrypt

psapi.dll


Process Status API: Process and driver information

get kernel driver base addresses

EnumDeviceDrivers
GetDeviceDriverBaseName

ole32.dll


Object Linking and Embedding (OLE) and Component Object Model (COM) interprocess communication.

OleInitialize 
CoCreateInstance

oleaut32.dll


OLE automation.
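Added example (mine, not from the page, the book or Wikipedia): a Python import-table parser that walks a PE file's import directory and flags the function combinations from the list above, which is the practical use of such a list when triaging a sample. The PE it reads is constructed inline (a header-only stub with a single .idata section, not a runnable executable); the indicator groups, the A/W-suffix normalisation and the group names are my choices. The parser handles PE32 and PE32+ and imports by ordinal, and is deliberately minimal: no bound imports, no delay-load directory.

```python
import struct

# Indicator groups drawn from the DLL list above (names given without the A/W suffix); a group
# fires only when every member is imported, since the combination, not any single call, is telling.
INDICATORS = {
    "dynamic API resolution (kernel32)": ("LoadLibrary", "GetProcAddress"),
    "code injection (kernel32)": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "service persistence (advapi32)": ("OpenSCManager", "CreateService"),
    "privilege adjustment (advapi32)": ("OpenProcessToken", "AdjustTokenPrivileges"),
    "user-space keylogging (user32)": ("GetAsyncKeyState", "GetForegroundWindow"),
    "resource download (wininet)": ("InternetOpenUrl", "InternetReadFile"),
}

def parse_imports(data: bytes) -> dict:
    """Walk the import directory of a PE32/PE32+ file: {dll_name: [function, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                  # optional header follows signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    pe32plus = magic == 0x20B
    # Data directory 1 is the import table; directories start at 96 (PE32) or 112 (PE32+).
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    # Section table: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per entry.
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    def rva2off(rva):
        for vsize, vaddr, rsize, raw in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + (rva - vaddr)
        raise ValueError("RVA %#x lies outside every section" % rva)
    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    if not imp_rva:
        return {}
    result, off = {}, rva2off(imp_rva)
    tsize, tfmt, ord_bit = (8, "<Q", 1 << 63) if pe32plus else (4, "<I", 1 << 31)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if not name_rva:
            break
        funcs, toff = [], rva2off(oft or ft)          # prefer the INT, fall back to the IAT
        while (thunk := struct.unpack_from(tfmt, data, toff)[0]):
            if thunk & ord_bit:                         # import by ordinal: no name to read
                funcs.append("#%d" % (thunk & 0xFFFF))
            else:                                       # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                funcs.append(cstr(rva2off(thunk & 0x7FFFFFFF) + 2))
            toff += tsize
        result[cstr(rva2off(name_rva))] = funcs
        off += 20
    return result

def normalize(name: str) -> str:
    return name[:-1] if len(name) > 1 and name[-1] in "AW" else name   # OpenSCManagerA -> OpenSCManager

def triage(imports: dict) -> dict:
    """Return the INDICATORS groups whose members are all present in the import table."""
    present = {normalize(f) for funcs in imports.values() for f in funcs}
    return {k: list(v) for k, v in INDICATORS.items() if all(f in present for f in v)}

def build_sample_pe(imports: dict) -> bytes:
    """Constructed test input: a minimal PE32 (no code, not runnable) holding only an import directory."""
    sect_rva, sect_raw, n = 0x1000, 0x200, len(imports)
    blob = bytearray(20 * (n + 1))                  # descriptor array + all-zero terminator
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = sect_rva + len(blob)
        blob += dll.encode() + b"\0"
        hint_rvas = []
        for f in funcs:
            blob += b"\0" * (len(blob) % 2)         # IMAGE_IMPORT_BY_NAME entries are WORD aligned
            hint_rvas.append(sect_rva + len(blob))
            blob += b"\0\0" + f.encode() + b"\0"    # hint 0, then the NUL-terminated name
        blob += b"\0" * (-len(blob) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0" * 4
        int_rva = sect_rva + len(blob); blob += thunks  # import name table
        iat_rva = sect_rva + len(blob); blob += thunks  # import address table (identical on disk)
        struct.pack_into("<IIIII", blob, 20 * i, int_rva, 0, 0, name_rva, iat_rva)
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))    # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<II", opt, 104, sect_rva, 20 * (n + 1))            # import directory RVA/size
    hdr += opt + b".idata\0\0" + struct.pack("<IIII", len(blob), sect_rva, len(blob), sect_raw) + b"\0" * 16
    return bytes(hdr) + b"\0" * (sect_raw - len(hdr)) + bytes(blob)

SAMPLE = build_sample_pe({  # constructed sample: the injection triad plus a few other pairs from above
    "KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAllocEx",
                     "WriteProcessMemory", "CreateRemoteThread", "CreateMutexW"],
    "ADVAPI32.dll": ["OpenProcessToken", "AdjustTokenPrivileges"],
    "USER32.dll": ["GetAsyncKeyState", "GetForegroundWindow"],
})

if __name__ == "__main__":
    for hit, apis in triage(parse_imports(SAMPLE)).items():
        print("HIT", hit, "->", " + ".join(apis))
```

Against a real file, call parse_imports(open(path, "rb").read()). A packed or obfuscated sample typically shows little more than LoadLibrary and GetProcAddress under kernel32.dll, which is why that pair is its own indicator: the interesting functions are resolved at runtime and never appear in the static import table, so an almost empty result from this script is itself a finding.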