Windows Malware
Malware interacts with the OS through its APIs to execute code. Since these notes focus on Windows malware, we look at the Windows API.
Windows API
- Windows uses its own naming method to represent data types in the C programming language
- It also uses Hungarian Notation for API function identifiers
Here are some examples of Windows API data types:
Type | Description |
---|---|
WORD | 16-bit unsigned value (2 bytes) |
DWORD | 32-bit unsigned value (4 bytes) |
Handles | A reference to an object; should only be manipulated through the Windows API |
Long Pointer | A pointer to another type |
Callback | A function that will be called by the Windows API, eg. CreateFile() |
Hungarian Notation
- An identifier naming convention where the name of the function indicates the code's purpose
- eg. CreateFile / ReadFile / WriteFile
- it does what its name states
Handles
- Handles are references to items that have been opened by the OS
- Handles are like pointers and point to a location in memory
- A handle can be stored for later use
- Arithmetic operations cannot be performed on handles
File API
File System Functions
- CreateFile - Can open existing files, pipes, streams & I/O devices
- ReadFile / WriteFile - Used to read/write to files. When called, the function reads the first n bytes of the file; when called again, the next n bytes are read, because the file pointer advances with each call.
- CreateFileMapping - Loads a file from disk into memory. Usually called together with MapViewOfFile to load a file into memory and manipulate it.
- MapViewOfFile - Very handy for parsing files. Returns a pointer to the base address of the mapping, which is used to access the file: through that pointer the file can be read or written and traversed easily.
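As an added illustration (not code from the original notes), the same base-pointer parsing pattern in Python, with mmap standing in for CreateFileMapping + MapViewOfFile: the parser follows the e_lfanew field of a constructed MZ header to the PE signature and bounds-checks the jump before dereferencing it, which a C parser working on the raw base pointer must also do. The sample bytes and temporary file name are constructed for this example.

```python
import mmap
import os
import struct
import tempfile

def build_sample_pe_like(bad_pointer: bool = False) -> bytes:
    """Constructed sample (not a real executable): an MZ header whose e_lfanew
    field at offset 0x3C points at a PE signature placed at offset 0x80.
    With bad_pointer=True the field points far past the end of the file."""
    e_lfanew = 0xFFFFFFF0 if bad_pointer else 0x80
    blob = bytearray(b"MZ" + b"\x00" * 0x3A)              # DOS header up to 0x3C
    blob += struct.pack("<I", e_lfanew)                   # e_lfanew at offset 0x3C
    blob += b"\x00" * (0x80 - len(blob))                  # DOS stub padding
    blob += b"PE\x00\x00" + struct.pack("<HH", 0x14C, 2)  # signature, Machine, NumberOfSections
    return bytes(blob)

def write_sample(data: bytes) -> str:
    """Write the bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def pe_signature_offset(path: str):
    """Map the whole file and follow e_lfanew from the base of the mapping,
    the way a parser walks a MapViewOfFile base pointer. Returns the offset of
    the PE signature, or None if the file is not MZ/PE shaped or the pointer is bad."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as view:
            if len(view) < 0x40 or view[:2] != b"MZ":
                return None
            (e_lfanew,) = struct.unpack_from("<I", view, 0x3C)
            # Bounds-check the jump before dereferencing: a crafted file can point
            # e_lfanew outside the mapping, which in C would be an out-of-bounds read.
            if e_lfanew + 4 > len(view) or view[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
                return None
            return e_lfanew
```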
Windows Registry
- Used to store OS and program configuration info (eg. settings, drivers, user accounts etc.)
- Most configuration is stored in the registry
- Hierarchical database of info to improve performance
- Malware uses the registry for persistence and configuration
- Good source of host-based indicators
Host-Based Indicators/Signatures
- Identifiable data on the victim's computer that shows possible signs of infection or the presence of malware
- Other indicators are Network Signatures: identifiable data in the network's traffic that shows traces of a malware's presence
Registry Terms
Key
- Like a folder that can contain other folders
- Root Keys and Sub Keys are both keys.
Root Key
- The registry is divided into 5 top-level sections called root keys (hives)
The Five Root Keys
Key | Description |
---|---|
HKEY_LOCAL_MACHINE (HKLM) | Stores settings which are global to the local machine |
HKEY_CURRENT_USER (HKCU) | Stores settings specific to the current user |
HKEY_CLASSES_ROOT | Stores information defining types |
HKEY_CURRENT_CONFIG | Stores settings about current hardware configuration |
HKEY_USERS | Defines settings for current user, new user, default user |
yes, the names are all in caps.
Sub Key
- Like a subfolder inside the big folder, the root key
Value entry
- A data entry in the registry that consists of three parts: the name, the data type and the value. Often described as an ordered pair of name and value.
Common Registry Functions
- RegOpenKeyEx - Opens a registry key for querying or editing
- RegSetValueEx - Adds a new value to the registry and sets its data
- RegGetValue - Returns the data for a value entry
Registry Tools
- Regedit - For editing registry entries
- Regshot - To be completed
Sysinternals also provides registry tools, such as:
- AutoRuns - Parses the registry to find entries that start applications when the OS boots
The Sysinternals web site was created in 1996 by Mark Russinovich to host his advanced system utilities and technical information. Whether you're an IT Pro or a developer, you'll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.
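An added example (not from the notes) of the sweep AutoRuns automates: parse a constructed .reg export and list the value entries under the Run/RunOnce sub keys, which are the persistence locations and host-based indicators discussed above. The sample export text and paths are constructed, and the trusted-directory heuristic is an assumption of this example.

```python
# Constructed sample in the text format written by Regedit's Export / "reg export";
# not captured from a real machine. The .reg format escapes backslashes as "\\".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\Public\\svchost.exe -silent"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OneTime"="C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe"

[HKEY_CURRENT_USER\SOFTWARE\Example\Settings]
"Theme"="dark"
"""

# Sub keys (relative to their root key) whose entries start programs when the OS
# boots or the user logs on: the places an AutoRuns-style sweep reports first.
AUTOSTART_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)

def parse_reg_export(text):
    """Yield (key, name, data) value entries from .reg text. A [...] line sets
    the current key; a "name"="data" line is a string value entry under it."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line.partition('"=')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name[1:], data

def autostart_entries(text):
    """Return the value entries under Run/RunOnce keys: each is a program that
    will be launched automatically, i.e. a persistence indicator to review."""
    wanted = tuple(s.upper() for s in AUTOSTART_SUFFIXES)
    return [(k, n, d) for k, n, d in parse_reg_export(text)
            if k.upper().endswith(wanted)]

def outside_system_dirs(entries):
    """Flag autostart entries whose program is not under the Windows or Program
    Files directories (a coarse triage heuristic, not proof of malice)."""
    trusted = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES")
    return [(k, n, d) for k, n, d in entries
            if not d.strip('"').upper().startswith(trusted)]
```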
Networking API
- Programs use sockets (to establish a connection with a remote host) to listen for and send data on the network
- Some common functions of the Networking API are as follows:
- Network sniffers
- The following calls create a network sniffer:
- WSASocket() / socket() - WSA: Windows Sockets API. Either one of these two functions can be used to create a raw socket.
- bind() - Binds the socket to an interface. Binding attaches the connection (the socket) to the victim's computer, linking the victim's computer and the attacker.
- WSAIoctl() / ioctlsocket() - Puts the interface into promiscuous mode. This means the wired/wireless network interface controller passes all traffic it receives to the CPU instead of only the frames the controller is intended to receive.
WinINet API
- Higher-level API that implements some higher-level protocols
- Use of this API in malware means the malware interacts with the Internet
- InternetOpen - Starts/initialises a connection to the Internet
- InternetOpenUrl - Connects to a URL
- URLDownloadToFileA - Downloads a file from the Internet
- InternetReadFile - Reads a file off the Internet
Malware downloaders
Malware may want to keep its size small, so it downloads additional data after infection. The part of the malware that does this is called the downloader.
Downloaders
Downloading a file from the Internet consists of two steps:
- URLDownloadToFile() - Downloads a file off the Internet
- ShellExecute() / WinExec() - Executes a specified operation on the downloaded file
Process Manipulation
- Some malware creates new processes to hide from the user or to bypass host-based firewalls.
- The new process's input and output can also be tied to a socket, allowing the attacker to run a remote shell.
- A parent process can specify properties associated with its child process.
Example
- Malware (disguised as Minecraft) is downloaded onto the victim's computer
- While the "application" (the parent process) runs, background processes (child processes) are also created
- These background processes can be malicious and could, for example, be deleting the victim's data
Specification of child process characteristics (Windows)
- CreateProcess (Win32 API) - Creates a new process. It has a parameter, STARTUPINFO, which includes handles pointing to standard input/output/error.
- Specification is done through this CreateProcess function, which takes a pointer to a STARTUPINFO structure; the fields of the structure are set to specify the properties of the child process.
Keyloggers
Many bots & worms use this method of monitoring a user's keystrokes to spy on them and collect information.
Two common methods:
- Install a hook for keyboard events. A hook is a mechanism that allows applications to intercept events (messages on the computer, mouse actions, keystrokes). The routine that handles an intercepted event is a hook procedure. A hook procedure can act on what it receives, choosing to modify or discard the event. This uses the SetWindowsHookExA API defined below.
- Poll the keyboard state with GetAsyncKeyState. The malware goes into a loop and queries the state of every key. This uses the GetAsyncKeyState API defined below.
GetAsyncKeyState - Returns the state of a key, i.e. whether it is currently pressed
SetWindowsHookExA - If called with WH_KEYBOARD, keyboard events are relayed to a malicious hook function for every key pressed after the function is called. If called with WH_MOUSE, mouse messages like left-click or right-click are intercepted.
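An added example, not from the notes, that turns the API families above (raw-socket sniffer, WinINet, downloader, process creation, keylogger hooks and polling, registry writes, file mapping) into an import-table triage check of the kind an analyst runs before looking at code. The behaviour labels, the grouping rules and the sample import list are constructed for this example; a real run would feed it the import names a PE dump tool reports.

```python
# Behaviour signatures assembled from the API families described in these notes.
# Each behaviour is a list of groups; every group must be satisfied by at least one
# imported name, so a lone socket() import is not reported as a sniffer.
SIGNATURES = {
    "raw-socket sniffer": [{"wsasocket", "socket"}, {"bind"}, {"wsaioctl", "ioctlsocket"}],
    "downloader":         [{"urldownloadtofile"}, {"shellexecute", "winexec", "createprocess"}],
    "internet client":    [{"internetopen"}, {"internetopenurl", "internetreadfile"}],
    "keylogger":          [{"setwindowshookex", "getasynckeystate"}],
    "registry writer":    [{"regopenkeyex"}, {"regsetvalueex"}],
    "file mapper":        [{"createfilemapping"}, {"mapviewoffile"}],
}

def normalise(name: str) -> str:
    """Lower-case an import name and drop the trailing A/W (ANSI/wide) variant
    letter, so SetWindowsHookExA, SetWindowsHookExW and SetWindowsHookEx match."""
    name = name.strip()
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name.lower()

def classify_imports(imports):
    """Return the behaviour labels whose groups are all covered by the imports.
    Input is the list of names an import-table dump of the sample would give."""
    present = {normalise(n) for n in imports}
    return [label for label, groups in SIGNATURES.items()
            if all(group & present for group in groups)]

# Constructed import list for a hypothetical sample (not from a real binary).
SAMPLE_IMPORTS = [
    "URLDownloadToFileA", "ShellExecuteA", "RegOpenKeyExW", "RegSetValueExW",
    "SetWindowsHookExA", "CreateFileW", "WSAStartup", "socket",
]
```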
NTFS
NTFS allows for Alternate Data Streams (ADS), which let malware authors hide data streams from the user.
Anand's tip corner
- If you want to know more details on certain functions, refer to the documentation
- One useful link he showed: the MSDN library
Created: June 11, 2023