Practical Malware Analysis Study Notes (continuously updated)

Kernel32.dll tells us that this software can open and manipulate processes

  • OpenProcess
  • GetCurrentProcess
  • GetProcessHeap

and files

  • ReadFile
  • CreateFile
  • WriteFile

User32.dll includes a large number of GUI manipulation functions indicating a high likelihood that this program has a GUI

  • RegisterClassEx
  • SetWindowText
  • ShowWindow
  • SetWindowsHookEx: It is commonly used in spyware and is the most popular way that keyloggers receive keyboard inputs.
  • RegisterHotKey: It registers a hotkey (CTRL-SHIFT-C) so that whenever the user presses that hotkey combination, the application is notified.

GDI32.dll is graphics-related and simply confirms that the program probably has a GUI.

Shell32.dll tells us that this program can launch other programs (malware)

Advapi32.dll tells us that the program uses the registry.
Example: Software\Microsoft\Windows\CurrentVersion, which is a registry key that controls which programs are automatically run when Windows starts up.
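
The DLL and function lists above come from the PE import directory, which tools like PEview and Dependency Walker display. As an added example (not from the book or these notes), here is a small pure-Python walker for that structure, plus a helper that constructs a minimal PE32 fixture containing only an import table so the walker can be exercised offline; `parse_imports` and `build_sample_pe` are hypothetical names, and the header offsets follow the PE/COFF layout.

```python
import struct

def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ image; returns {dll: [function, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew -> "PE\0\0"
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec = struct.unpack_from("<H", data, pe + 6)[0]                # NumberOfSections
    opt, opt_size = pe + 24, struct.unpack_from("<H", data, pe + 20)[0]  # optional header after 20-byte COFF header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B          # PE32+ fixed part is 112 bytes, PE32 is 96
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]  # data directory 1 = imports
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def rva2off(rva):  # translate a relative virtual address to a file offset through the section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x lies outside every section" % rva)
    def cstr(rva):  # NUL-terminated ASCII string at an RVA
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")
    fmt, width = ("<Q", 8) if plus else ("<I", 4)                   # thunk entry size differs for PE32+
    imports, off = {}, rva2off(imp_rva)
    while True:  # 20-byte IMAGE_IMPORT_DESCRIPTOR entries, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:
            break
        funcs, thunk = [], rva2off(oft or ft)                       # prefer the import name table, else the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            # high bit set = import by ordinal; otherwise the RVA of a hint/name entry (2-byte hint, then name)
            funcs.append("#%d" % (entry & 0xFFFF) if entry >> (width * 8 - 1) else cstr(entry + 2))
            thunk += width
        imports[cstr(name_rva)] = funcs
        off += 20
    return imports

def build_sample_pe(imports):
    """Constructed PE32 image holding only an import table: a test fixture, not a runnable program."""
    sec, descs = bytearray(20 * (len(imports) + 1)), []             # descriptors first, then names and thunks
    for dll, funcs in imports.items():
        name_rva, hints = 0x1000 + len(sec), []; sec += dll.encode() + b"\0"
        for f in funcs:
            hints.append(0x1000 + len(sec)); sec += b"\0\0" + f.encode() + b"\0"   # hint (2 bytes) + name
        thunk_rva = 0x1000 + len(sec); sec += b"".join(struct.pack("<I", h) for h in hints) + b"\0" * 4
        descs.append(struct.pack("<5I", thunk_rva, 0, 0, name_rva, thunk_rva))
    sec[:20 * len(descs)] = b"".join(descs)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)              # PE32 magic, 16 data directories
    hdr += b"\0" * 8 + struct.pack("<II", 0x1000, 20 * (len(descs) + 1)) + b"\0" * 112  # directory 1 = import table
    hdr += b".idata\0\0" + struct.pack("<IIII", len(sec), 0x1000, len(sec), 0x200) + b"\0" * 16  # one section
    return hdr.ljust(0x200, b"\0") + bytes(sec)                      # section raw data at file offset 0x200
```

Running `parse_imports` on a real binary's bytes yields the same per-DLL lists as PEview, ready for the reasoning above (e.g. spotting SetWindowsHookEx under User32.dll); the fixture only exists to make the walker testable without a Windows executable.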

Updated: 2022/12/05