Hey gang. Since I’ve already got a post up for this weekend (here) it did not seem fair to have back-to-back paid posts on the same subject.
So I’ve decided to throw together this quickie as a nice free reference for fun Windows API you should probably know.
I’ve also removed the super obvious stuff (e.g. strlen, sprintf, etc.) and opted for things that are 1: useful to both use and understand, 2: commonly seen in dangerous, exploitative software, and 3: directed towards Windows (i.e. not in the C Runtime Library). I’ve also organized them into nice sections.
Enumeration/Recon
Oftentimes paired with Process32First and Process32Next, CreateToolhelp32Snapshot takes a “snapshot” of the current heaps, processes, threads or modules (depending on the flags you pass) for enumeration.
This is pretty much the standard soup of “I want to find a certain process on this computer right now”, and the parent PID in each entry answers the follow-up question of “who launched it”.
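The snapshot loop itself, as an added example (not code from the original post): a ctypes port of CreateToolhelp32Snapshot/Process32FirstW/Process32NextW with the PROCESSENTRY32W layout spelled out, followed by the two helpers malware (and analysts) usually run over the result. The snapshot function only works on Windows; the helpers run anywhere against a constructed sample snapshot that is not captured from a real host.

```python
import ctypes
from collections import namedtuple

# Added example (not from the original post). Minimal ctypes port of the
# CreateToolhelp32Snapshot / Process32First / Process32Next loop, plus
# pure-Python helpers for the questions usually asked of the result.

DWORD = ctypes.c_uint32
LONG = ctypes.c_int32
ULONG_PTR = ctypes.c_size_t
TH32CS_SNAPPROCESS = 0x00000002
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
MAX_PATH = 260


class PROCESSENTRY32W(ctypes.Structure):
    # Layout from tlhelp32.h; dwSize must be filled in before the first call.
    _fields_ = [
        ("dwSize", DWORD),
        ("cntUsage", DWORD),
        ("th32ProcessID", DWORD),
        ("th32DefaultHeapID", ULONG_PTR),
        ("th32ModuleID", DWORD),
        ("cntThreads", DWORD),
        ("th32ParentProcessID", DWORD),
        ("pcPriClassBase", LONG),
        ("dwFlags", DWORD),
        ("szExeFile", ctypes.c_wchar * MAX_PATH),
    ]


ProcessEntry = namedtuple("ProcessEntry", "pid ppid name")


def snapshot_processes():
    """Enumerate running processes. Windows only (needs kernel32)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    for fn in (k32.Process32FirstW, k32.Process32NextW):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
        fn.restype = ctypes.c_int  # BOOL
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.CloseHandle.restype = ctypes.c_int

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap is None or snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    entries = []
    pe = PROCESSENTRY32W()
    pe.dwSize = ctypes.sizeof(PROCESSENTRY32W)
    try:
        ok = k32.Process32FirstW(snap, ctypes.byref(pe))
        while ok:
            entries.append(ProcessEntry(pe.th32ProcessID, pe.th32ParentProcessID, pe.szExeFile))
            ok = k32.Process32NextW(snap, ctypes.byref(pe))
    finally:
        k32.CloseHandle(snap)
    return entries


def find_by_name(entries, name):
    """All PIDs whose image name matches (case-insensitive, the way malware usually compares)."""
    want = name.lower()
    return [e.pid for e in entries if e.name.lower() == want]


def parent_chain(entries, pid):
    """Image names from pid up to the root; stops on a missing or looping PPID."""
    by_pid = {e.pid: e for e in entries}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


# Constructed sample snapshot (not captured from a real host) so the helpers
# can be exercised without Windows.
SAMPLE = [
    ProcessEntry(4, 0, "System"),
    ProcessEntry(600, 4, "wininit.exe"),
    ProcessEntry(900, 600, "services.exe"),
    ProcessEntry(1400, 900, "svchost.exe"),
    ProcessEntry(2200, 1, "explorer.exe"),  # parent already exited
    ProcessEntry(3100, 2200, "cmd.exe"),
    ProcessEntry(3300, 3100, "powershell.exe"),
    ProcessEntry(3500, 1400, "svchost.exe"),
]

if __name__ == "__main__":
    import sys
    entries = snapshot_processes() if sys.platform == "win32" else SAMPLE
    print("svchost.exe ->", find_by_name(entries, "svchost.exe"))
    print("chain ->", " <- ".join(parent_chain(entries, 3300)))
```

Two things worth noticing: the entry's PPID is never validated by the API, so a parent that has already exited (explorer.exe above) simply points at a PID that is not in the snapshot, and the chain walk has to tolerate that; and matching on szExeFile alone is why renaming a binary defeats most "is the AV/debugger running?" checks written this way.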
Okay maybe not all of the file API, but most of it
Should be obvious, but files are a thing that malware likes to touch. There’s no “find a file by name anywhere on disk” API (CreateFile needs a path), so to locate a file by name you enumerate a directory with FindFirstFile/FindNextFile and compare names, recursing through subdirectories if you’re cool enough.
Important ones:
CreateDirectory
CreateFile
DeleteFile
FindFirstFile
FindNextFile
GetFileAttributes
GetTempPath
ReadFile
RemoveDirectory
SetFileAttributes
WriteFile
GetSystemDefaultLangId/GetUserDefaultUILanguage
Alongside their derivatives (like the locale functions), these get the language used by the system or user. This is rarer, but seen in malware targeting a specific region or language group (e.g. North Korea targeting South Korean computers). The inverse is just as common: checking for a locale the operators do not want to hit and quietly exiting.
Gets information about a region of memory: base address, size, protection and state.
Often used to find which pages are writable (or writable and executable) before shellcode or similar is dropped into them.
ReadProcessMemory/WriteProcessMemory
Self-explanatory: read from or write into another process’s address space. The write side is the core of most injection techniques.
Okay maybe not all of the registry, but you should know that the registry is used for persistence (Run keys and the like) and for detecting certain Windows features and configuration.
Evasion
DeleteFile again
Referenced this in a few posts already. AKA “get procedure address”, this retrieves the address of an export from a loaded library/DLL. Since a function resolved this way never lands in the Import Address Table (IAT), the dependency is hidden from import-table viewers; only GetProcAddress itself, and usually the target name as a plaintext string, is left to find.
Same idea as GetProcAddress, but instead of resolving function addresses this loads a DLL into the process so its exports can then be resolved.
Often paired with GetProcAddress.
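The step that removes even the plaintext name string, as an added example (not code from the original post): API hashing, which shellcode and loaders layer on top of GetProcAddress-style resolution. The code carries a 32-bit hash instead of the export name and walks the export table until a name hashes to it. The hash below is the classic ROR-13 used in Skape-style shellcode; the export table is constructed, with made-up addresses, not real kernel32 RVAs.

```python
# Added example (not from the original post): the API-hashing trick that
# shellcode and loaders use on top of GetProcAddress-style resolution.
# Instead of carrying "LoadLibraryA" as a string, the code carries a 32-bit
# hash and walks a DLL's export table until a name hashes to it.


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII export name (no terminator byte)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


def resolve_by_hash(exports, wanted: int):
    """What the loader does: scan exports (name -> address) for the hash."""
    for name, addr in exports.items():
        if ror13_hash(name) == wanted:
            return addr
    return None


def unhash(wanted: int, candidates):
    """What the analyst does: brute-force a hash against known export names."""
    return [n for n in candidates if ror13_hash(n) == wanted]


# Constructed export table; addresses are arbitrary, not real kernel32 RVAs.
KERNEL32_EXPORTS = {
    "CreateFileW": 0x10001000,
    "GetProcAddress": 0x10002000,
    "LoadLibraryA": 0x10003000,
    "VirtualAlloc": 0x10004000,
    "WriteProcessMemory": 0x10005000,
}

# The only thing the shellcode needs to embed is this constant.
LOADLIBRARYA_HASH = ror13_hash("LoadLibraryA")  # 0xEC0E4E8E

if __name__ == "__main__":
    print(f"embedded hash: 0x{LOADLIBRARYA_HASH:08X}")
    print(f"loader resolves to: 0x{resolve_by_hash(KERNEL32_EXPORTS, LOADLIBRARYA_HASH):08X}")
    print("analyst recovers:", unhash(LOADLIBRARYA_HASH, KERNEL32_EXPORTS))
```

In real shellcode the export table is reached by walking the PEB’s loader list rather than a dict, but the matching logic is exactly this loop. The hash constants are the weak point on the other side: they sit in the code as immediates, so a table of pre-computed hashes for common exports (which is all `unhash` is) turns them straight back into names.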
Sleep/WaitForSingleObject + any delay API
Sleeping, timers and any other delayed execution push the malicious behaviour past the window a sandbox is willing to watch, so the detonation report shows nothing interesting.
WaitFor* API is useful for logic bombs.
Okay this one is funny. You can literally take on the security context of another user given you have a handle to their access token (see “access token” here).
I’ll also stick “anti-debugging” in this section too. See RTMA Part 6.
IsDebuggerPresent + other debugger API
Should be obvious.
Another trick to catch debuggers.
GetTickCount + any delta-timing API
A method to detect/trap breakpoints. Essentially, if far more time has passed between two calls to GetTickCount (or another applicable API) than the code in between could possibly take, there’s a high possibility that the program is being stepped or sitting on a breakpoint. Keep the threshold well above the timer’s resolution (GetTickCount only ticks every 10 to 16 ms) or a busy machine will trip it on its own.
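The delta-timing check as an added example (not code from the original post), with the clock passed in so the same logic reads GetTickCount64 on Windows and a monotonic clock elsewhere. The FakeClock is an assumption of the example: it stands in for a process that is being single-stepped (large step) or for a debugger plugin that patches the tick counter to barely advance (tiny step), which is the standard bypass.

```python
import ctypes
import sys
import time

# Added example (not from the original post): a delta-timing anti-debug
# check with the clock injected so it can be driven by a fake clock.


def tick_count_ms() -> int:
    """Milliseconds since boot: GetTickCount64 on Windows, monotonic clock elsewhere."""
    if sys.platform == "win32":
        k32 = ctypes.WinDLL("kernel32")
        k32.GetTickCount64.argtypes = []
        k32.GetTickCount64.restype = ctypes.c_uint64
        return int(k32.GetTickCount64())
    return int(time.monotonic() * 1000)


def timed_section(work, clock=tick_count_ms, threshold_ms=500):
    """Run work(); report (result, suspected_debugger, elapsed_ms).

    threshold_ms must stay well above the clock's resolution; GetTickCount
    advances in 10-16 ms steps, so anything under ~100 ms is noise.
    """
    before = clock()
    result = work()
    elapsed = clock() - before
    return result, elapsed > threshold_ms, elapsed


class FakeClock:
    """Stand-in clock (assumption of this example) that advances by a fixed step per read.

    A large step models a section that was single-stepped or breakpointed;
    a step of 1 models a debugger hooking the tick counter so it barely moves.
    """

    def __init__(self, step_ms: int):
        self.now = 0
        self.step = step_ms

    def __call__(self) -> int:
        self.now += self.step
        return self.now


def sensitive_work() -> int:
    """Placeholder for the code the malware wants to protect; just some arithmetic."""
    return sum(i * i for i in range(1000))


if __name__ == "__main__":
    for label, clk in (("real clock", tick_count_ms),
                       ("stepped in debugger", FakeClock(5000)),
                       ("hooked GetTickCount", FakeClock(1))):
        _, flagged, ms = timed_section(sensitive_work, clock=clk)
        print(f"{label:22s} elapsed={ms:5d} ms  debugger={flagged}")
```

The third row is the point for defenders: once a debugger returns a tick counter that barely advances, the check is blind, which is why more careful samples cross-check two clocks (tick count against a performance counter or RDTSC) and flag the disagreement rather than either value alone.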
Actually anti-sandbox rather than anti-debug. A freshly provisioned analysis VM has usually never had anything copied in it, so if the number of formats on the clipboard is very low or zero the program assumes it is being executed in a sandbox.
Networking
I’m not going to list all of these because there’s a lot of API that should raise flags, but you should be aware of:
“Mal”ware
Encryption API
Fitting for ransomware: seeing the encryption API in use tells you what is being encrypted and where the ransoming is happening.
See WinCrypt
Injection
I’ve written like 462 articles on injection. And of course there is applicable API in each of them. Check them out.
Hooking
Once again, written a lot on this.
For keylogging. Classic.
For taking screenshots and similar.
Honorable Mentions
Ones that didn’t quite fit any of the sections or I just really like them.
To execute command-line commands. Can do whatever command prompt can do.
Guess.
Anyways that’s it. There are a bunch more that I think are cool but didn’t really apply here. I’ll discuss them eventually. One day…
Go!
-BowTiedCrawfish