Malware Cheatsheet

Windows API

Keyloggers

  • GetAsyncKeyState
  • GetKeyState
  • SetWindowsHookExA

Networking

  • WSAStartup
  • WSASocket
  • WSACleanup
  • socket
  • bind
  • WSAIoctl
  • ioctlsocket

Downloading

  • URLDownloadToFile
  • ShellExecute
  • WinExec

HTTP

  • InternetOpen
  • InternetConnect
  • HttpOpenRequest
  • HttpAddRequestHeaders
  • HttpSendRequest
  • InternetReadFile

Droppers

  • FindResource
  • LoadResource
  • SizeofResource
  • LockResource

DLL Injection

SetWindowsHookEx
  • LoadLibraryA
  • GetProcAddress
  • GetWindowThreadProcessId
  • SetWindowsHookEx
  • BroadcastSystemMessage
  • GetMessage
  • DispatchMessage

CreateRemoteThread
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • GetModuleHandle
  • GetProcAddress
  • CreateRemoteThread
  • LoadLibraryA

API Hooking

  • GetProcAddress
  • VirtualProtect
  • ReadProcessMemory

Process hollowing

  • CreateProcessA (CREATE_SUSPENDED)
  • NtUnmapViewOfSection
  • VirtualAllocEx
  • WriteProcessMemory
  • GetThreadContext / SetThreadContext
  • ResumeThread

Anti-debug / anti-VM

  • GetTickCount
  • CountClipboardFormats
  • GetForegroundWindow
  • IsDebuggerPresent
  • CreateToolhelp32Snapshot
  • CheckRemoteDebuggerPresent
  • NtQueryInformationProcess
  • ZwQueryInformationProcess
  • NtSetInformationThread
  • ZwSetInformationThread
  • NtQueryObject
  • OutputDebugString
  • EventPairHandles
  • CsrGetProcessId
  • CloseHandle
  • NtClose
  • PEB BeingDebugged flag (the field IsDebuggerPresent reads)
  • PEB NtGlobalFlag / heap Flags and ForceFlags (tail-check, free-check and validate-parameters bits are set when the process is created under a debugger)

Alternate Data Streams

  • FindFirstStreamW
  • FindNextStreamW

Encryption (WinCryptAPI)

  • CryptCreateHash
  • CryptEncrypt
  • CryptDecrypt
  • CryptGenKey
  • CryptDeriveKey
  • CryptAcquireContext

The ALG_ID passed to CryptGenKey, CryptDeriveKey and CryptCreateHash identifies the algorithm. The high bits encode the class and type, so the value tells you what kind of primitive is in use even before you name it: block ciphers are 0x000066xx (CALG_DES 0x6601, CALG_3DES 0x6603, CALG_AES_128 0x660E, CALG_AES_256 0x6610), stream ciphers 0x000068xx (CALG_RC4 0x6801), hashes 0x000080xx (CALG_MD5 0x8003, CALG_SHA1 0x8004, CALG_SHA_256 0x800C).
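As an added example (not from the original cheatsheet), a small Python decoder for the ALG_ID bit layout from wincrypt.h (class in bits 13-15, type in bits 9-12, sub-id in bits 0-8), plus a scanner that finds known ALG_IDs embedded as little-endian DWORD immediates in a code blob, which is how they usually show up in a disassembly (`push 0x660E` before CryptDeriveKey). The sample bytes are constructed, not from a real binary.

```python
# Added example, not part of the original cheatsheet.
# Decode CryptoAPI ALG_ID values and scan raw bytes for known ones.
import struct

# ALG_CLASS_* and ALG_TYPE_* field values from wincrypt.h
ALG_CLASS = {
    1 << 13: "SIGNATURE",      # 0x2000
    3 << 13: "DATA_ENCRYPT",   # 0x6000
    4 << 13: "HASH",           # 0x8000
    5 << 13: "KEY_EXCHANGE",   # 0xA000
}
ALG_TYPE = {
    0: "ANY",
    1 << 9: "DSS",     # 0x200
    2 << 9: "RSA",     # 0x400
    3 << 9: "BLOCK",   # 0x600
    4 << 9: "STREAM",  # 0x800
    5 << 9: "DH",      # 0xA00
}

# Well-known CALG_* constants from wincrypt.h
CALG_NAMES = {
    0x6601: "CALG_DES",
    0x6602: "CALG_RC2",
    0x6603: "CALG_3DES",
    0x6609: "CALG_3DES_112",
    0x660E: "CALG_AES_128",
    0x660F: "CALG_AES_192",
    0x6610: "CALG_AES_256",
    0x6611: "CALG_AES",
    0x6801: "CALG_RC4",
    0x8001: "CALG_MD2",
    0x8003: "CALG_MD5",
    0x8004: "CALG_SHA1",
    0x800C: "CALG_SHA_256",
    0x800D: "CALG_SHA_384",
    0x800E: "CALG_SHA_512",
    0x2400: "CALG_RSA_SIGN",
    0xA400: "CALG_RSA_KEYX",
}


def decode_alg_id(alg_id):
    """Split an ALG_ID into its class / type / sub-id fields and name it if known."""
    cls = alg_id & 0xE000   # bits 13-15
    typ = alg_id & 0x1E00   # bits 9-12
    sid = alg_id & 0x01FF   # bits 0-8
    return {
        "alg_id": alg_id,
        "class": ALG_CLASS.get(cls, "UNKNOWN(0x%X)" % cls),
        "type": ALG_TYPE.get(typ, "UNKNOWN(0x%X)" % typ),
        "sid": sid,
        "name": CALG_NAMES.get(alg_id, "unknown"),
    }


def scan_for_alg_ids(blob):
    """Return (offset, name) for every known ALG_ID stored as a little-endian
    DWORD in blob, e.g. the imm32 of a `push 0x660E` before CryptDeriveKey."""
    hits = []
    for off in range(0, len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in CALG_NAMES:
            hits.append((off, CALG_NAMES[val]))
    return hits


# Constructed x86 fragment: push 0x8003 ; push 0 ; push 0x660E
# (the argument pattern of CryptCreateHash(hProv, CALG_MD5, ...) followed by
#  CryptDeriveKey(hProv, CALG_AES_128, ...)).
SAMPLE = bytes.fromhex("6803800000" "6a00" "680e660000")

if __name__ == "__main__":
    for off, name in scan_for_alg_ids(SAMPLE):
        print("0x%04x %s %s" % (off, name, decode_alg_id(int(
            [k for k, v in CALG_NAMES.items() if v == name][0]))))
```

Running the scan over a whole .text section produces some false positives on unrelated DWORDs, so treat a hit as a lead to confirm against the nearby Crypt* call rather than as proof of the algorithm.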

Compression

  • RtlCompressBuffer
  • RtlDecompressBuffer

Hashing

  • CryptAcquireContext
  • CryptCreateHash
  • BCryptCreateHash
  • CryptHashData
  • CryptGetHashParam

Misc

  • Process32First
  • FindWindowA
  • RegSetValueEx
  • CreateThread
  • GetEIP (call/pop trick shellcode uses to find its own address; not an API)
  • GetFileSize
  • malloc
  • free
  • GetTempPathA
  • WinExec
  • GetModuleHandleA
  • ResumeThread
  • NtAllocateVirtualMemory
  • NtOpenProcess
  • ZwWriteVirtualMemory
  • ZwResumeThread
  • NtOpenEvent
  • NtCreateEvent
  • NtCreateUserProcess
  • AdjustTokenPrivileges
  • CreateFileMapping
  • CreateMutex
  • FindResource
  • GetModuleFileName
  • LdrLoadDll
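As an added example (not part of the original cheatsheet), a Python triage script that turns the API groups above into import-table heuristics: feed it the imported function names of a sample (for instance the output of `dumpbin /imports` or pefile) and it reports which technique groups are touched and which multi-step procedures are present in full. Names are canonicalized so ANSI/Unicode suffixes and Zw*/Nt* aliases match; the process hollowing set includes SetThreadContext and ResumeThread, which the technique needs in addition to the APIs listed above. SAMPLE_IMPORTS is a constructed list, not from a real binary.

```python
# Added example, not part of the original cheatsheet.
# Import-name triage against the technique groups from the cheatsheet.
import sys

# Technique -> APIs characteristic of it (taken from the groups above).
TECHNIQUES = {
    "keylogger": {"GetAsyncKeyState", "GetKeyState", "SetWindowsHookEx"},
    "networking": {"WSAStartup", "WSASocket", "socket", "bind",
                   "WSAIoctl", "ioctlsocket"},
    "downloader": {"URLDownloadToFile", "InternetOpen", "InternetConnect",
                   "HttpOpenRequest", "HttpSendRequest", "InternetReadFile"},
    "dropper": {"FindResource", "LoadResource", "SizeofResource",
                "LockResource"},
    "injection_createremotethread": {"OpenProcess", "VirtualAllocEx",
                                     "WriteProcessMemory",
                                     "CreateRemoteThread"},
    "process_hollowing": {"CreateProcess", "NtUnmapViewOfSection",
                          "WriteProcessMemory", "SetThreadContext",
                          "ResumeThread"},
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "NtSetInformationThread",
                   "OutputDebugString"},
    "ads": {"FindFirstStream", "FindNextStream"},
    "crypto": {"CryptAcquireContext", "CryptGenKey", "CryptDeriveKey",
               "CryptEncrypt", "CryptDecrypt", "CryptCreateHash",
               "CryptHashData"},
}


def normalize(name):
    """Canonicalize an import name: fold Zw* onto Nt*, drop a trailing A/W
    (ANSI/Unicode variant) when it follows a lowercase letter, lowercase."""
    name = name.strip()
    if name.startswith("Zw"):
        name = "Nt" + name[2:]
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name.lower()


def triage(imports):
    """Return (matches, complete): matches maps each technique with at least
    one hit to the sorted list of matched API names; complete lists the
    techniques whose whole API set is imported."""
    seen = {normalize(n) for n in imports}
    matches = {}
    complete = []
    for tech, apis in TECHNIQUES.items():
        canon = {normalize(a): a for a in apis}
        hit = sorted(canon[k] for k in canon if k in seen)
        if hit:
            matches[tech] = hit
            if len(hit) == len(apis):
                complete.append(tech)
    return matches, sorted(complete)


# Constructed sample import list resembling a classic DLL injector.
SAMPLE_IMPORTS = [
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "LoadLibraryA", "GetProcAddress",
    "IsDebuggerPresent", "ZwQueryInformationProcess",
    "CryptAcquireContextW", "CryptDeriveKey", "CryptEncrypt",
    "GetTempPathA", "CreateMutexA",
]

if __name__ == "__main__":
    # Read one import name per line from stdin, or fall back to the sample.
    names = [l for l in sys.stdin.read().split() if l] \
        if not sys.stdin.isatty() else SAMPLE_IMPORTS
    matches, complete = triage(names)
    for tech, apis in sorted(matches.items()):
        tag = "FULL" if tech in complete else "partial"
        print("%-30s %-8s %s" % (tech, tag, ", ".join(apis)))
```

A partial hit only says the binary touches that API family (plenty of legitimate software imports OpenProcess and WriteProcessMemory); a FULL hit on an injection or hollowing group is the signal worth a closer look. Packed samples resolve imports at runtime, so an empty report means "check the IAT after unpacking or look for GetProcAddress strings", not "clean".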