Last changed: 23.10.2020
Windows system dlls
This collection gives a brief overview of some Windows system DLLs and how malware uses their functions. It is based on the book "Practical Malware Analysis" and wikipedia.org.
hal.dll
Hardware abstraction layer. Runs in kernel mode.
ntdll.dll
Native API. Runs in user mode. Normally called through kernel32.dll.
kernel32.dll
Core functionality like memory, I/O and process management.
(covert) function/process execution
LoadLibrary
GetProcAddress
CreateProcess
CreateMutex
(covert) file manipulation
CreateFile
CreateFileMapping
MapViewOfFile
FindNextFile
process/thread manipulation
CreateToolhelp32Snapshot
SuspendThread
VirtualProtect
code injection
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
advapi32.dll
Advanced core functionality like security, services and registry management.
persistence (registry/service)
OpenSCManager
CreateService
RegSetValue
privilege escalation
OpenProcessToken
AdjustTokenPrivileges
obfuscation and encryption
CryptDecrypt
CryptImportKey
CryptBinaryToString
user32.dll
Windows GUI
windows message hook
SetWindowsHookEx
CallNextHookEx
GetMessage
user space keylogging
GetActiveWindow
GetAsyncKeyState
GetForegroundWindow
screen capture (pt.1)
In combination with gdi32.dll
GetSystemMetrics
GetDesktopWindow
gdi32.dll
Underlying Graphics Device Interface. Rendering of the Windows GUI.
screen capture (pt.2)
CreateCompatibleBitmap
GetDIBits
ws2_32.dll, wsock.dll, wsock32.dll
Winsock API. TCP/IP functions.
network connections
WSAStartup
bind
connect
send
wininet.dll
High-level network functionality like FTP, HTTP and NTP
resource download
InternetOpenUrl
InternetReadFile
netapi32.dll
Network management.
persistence (job, service)
NetScheduleJobAdd
NetServiceInstall
backdoor user
NetUserAdd
NetLocalGroupAdd
msvcrt.dll
Microsoft Visual C runtime.
malloc
free
printf
bcrypt.dll
Cryptography API: Next Generation (CNG)
BCryptOpenAlgorithmProvider
BCryptImportKey
BCryptImportKeyPair
BCryptDecrypt
psapi.dll
Process Status API: Process and driver information
get kernel driver base addresses
EnumDeviceDrivers
GetDeviceDriverBaseName
ole32.dll
Object Linking and Embedding (OLE) and Component Object Model (COM) interprocess communication.
OleInitialize
CoCreateInstance
oleaut32.dll
OLE automation.