MALWARE CHEATSHEET
Windows API
Keyloggers
- GetAsyncKeyState
- GetKeyState
- SetWindowsHookExA
Networking
- WSAStartup
- WSASocket
- WSACleanup
- socket
- bind
- WSAIoctl
- ioctlsocket
Downloading
- URLDownloadToFile
- ShellExecute
- WinExec
HTTP
- InternetOpen
- InternetConnect
- HttpOpenRequest
- HttpAddRequestHeaders
- HttpSendRequest
- InternetReadFile
Droppers
- FindResource
- LoadResource
- SizeOfResource
- LockResource
DLL Injection
Via SetWindowsHookEx
- LoadLibraryA
- GetProcAddress
- GetWindowThreadProcessId
- SetWindowsHookEx
- BroadcastSystemMessage
- GetMessage
- DispatchMessage
Via CreateRemoteThread
- OpenProcess
- VirtualAllocEx
- WriteProcessMemory
- GetModuleHandle
- GetProcAddress
- CreateRemoteThread
- LoadLibraryA
API Hooking
- GetProcAddress
- VirtualProtect
- ReadProcessMemory
Process hollowing
- CreateProcessA
- NtUnmapViewOfSection
- VirtualAllocEx
- WriteProcessMemory
Anti-debug / anti-VM
- GetTickCount
- CountClipboardFormats
- GetForegroundWindow
- IsDebuggerPresent
- CreateToolhelp32Snapshot
- CheckRemoteDebuggerPresent
- NtQueryInformationProcess
- ZwQueryInformationProcess
- NtSetInformationThread
- ZwSetInformationThread
- NtQueryObject
- OutputDebugString
- EventPairHandles
- CsrGetProcessId
- CloseHandle
- NtClose
- PEB BeingDebugged flag
- Heap flags
Alternate Data Streams
- FindFirstStreamW
- FindNextStreamW
Encryption (WinCryptAPI)
- CryptCreateHash
- CryptEncrypt
- CryptDecrypt
- CryptGenKey
- CryptDeriveKey
- CryptAcquireContext
The ALG_ID argument identifies the algorithm in use; block-cipher identifiers (DES, 3DES, AES) have the form 0x000066xx.
Compression
- RtlCompressBuffer
- RtlDecompressBuffer
Hashing
- CryptAcquireContext
- CryptCreateHash
- BCryptCreateHash
- CryptEncrypt/Decrypt
Misc
- Process32First
- FindWindowA
- RegSetValueEx
- CreateThread
- GetEIP
- GetFileSize
- malloc
- free
- GetTempPathA
- WinExec
- GetModuleHandleA
- ResumeThread
- NtAllocateVirtualMemory
- NtOpenProcess
- ZwWriteVirtualMemory
- ZwResumeThread
- NtOpenEvent
- NtCreateEvent
- NtCreateUserProcess
- AdjustTokenPrivileges
- CreateFileMapping
- CreateMutex
- FindResource
- GetModuleFileName
- LdrLoadDll