Kernel32.dll tells us that this software can open and manipulate processes:
- OpenProcess
- GetCurrentProcess
- GetProcessHeap
and files:
- ReadFile
- CreateFile
- WriteFile
User32.dll includes a large number of GUI manipulation functions indicating a high likelihood that this program has a GUI
- RegisterClassEx
- SetWindowText
- ShowWindow
- SetWindowsHookEx: It is commonly used in spyware and is the most popular way that keyloggers receive keyboard inputs.
- RegisterHotKey: It registers a hotkey (such as CTRL-SHIFT-C) so that whenever the user presses that key combination, the application is notified. A hidden hotkey is a common way for malware to expose an otherwise invisible UI.
GDI32.dll is graphics-related and simply confirms that the program probably has a GUI.
Shell32.dll tells us that this program can launch other programs, both additional malware and programs already installed on the system.
Please support the original articles of Sectools.tw. Original title: Practical Malware Analysis Study Notes 惡意程式分析學習筆記 (continuously updated); original URL: https://sectools.tw/practical-malware-analysis-study-notes-%e6%83%a1%e6%84%8f%e7%a8%8b%e5%bc%8f%e5%88%86%e6%9e%90%e5%ad%b8%e7%bf%92%e7%ad%86%e8%a8%98/
Advapi32.dll tells us that the program uses the registry.
Example: Software\Microsoft\Windows\CurrentVersion\Run, the registry key that controls which programs are automatically run when Windows starts up. A registry write (RegSetValueEx) combined with this string is a strong hint of autostart persistence.
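The reasoning in the notes above (DLL and function names in the import table, plus a registry string, mapped to capabilities) can be automated for first-pass triage. The following script is an added example, not code from Practical Malware Analysis or from the original notes. It parses text in the shape of `dumpbin /imports` output, strips the ANSI/Unicode `A`/`W` suffixes, assigns each DLL the capabilities its imports imply, and raises flags for the keylogger and persistence indicators discussed here. The sample dump and the strings list are constructed inline for a hypothetical binary; the capability table is a starting point, not an exhaustive mapping.

```python
"""Import-table triage helper (added example; sample data is constructed, not from a real binary)."""
import re

# Constructed excerpt in the shape of `dumpbin /imports` output.
SAMPLE_DUMPBIN = """\
Dump of file sample.exe

  Section contains the following imports:

    KERNEL32.dll
                402000 Import Address Table
                402150 Import Name Table
                     0 time date stamp

                   1E OpenProcess
                  1B7 GetCurrentProcess
                  1F2 GetProcessHeap
                  2D8 ReadFile
                   52 CreateFileA
                  3A1 WriteFile

    USER32.dll
                  1C5 RegisterClassExA
                  2A0 SetWindowTextA
                  2B1 ShowWindow
                  29C SetWindowsHookExA
                  1CA RegisterHotKey

    GDI32.dll
                   3A BitBlt

    SHELL32.dll
                   F4 ShellExecuteA

    ADVAPI32.dll
                  1E0 RegOpenKeyExA
                  1F2 RegSetValueExA
"""

# Constructed `strings` output excerpt for the same hypothetical sample.
SAMPLE_STRINGS = [
    "!This program cannot be run in DOS mode.",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "C:\\Windows\\System32\\kernel32.dll",
]

DLL_RE = re.compile(r"^\s+([\w.\-]+\.dll)\s*$", re.IGNORECASE)
IMPORT_RE = re.compile(r"^\s+[0-9A-Fa-f]+\s+(\w+)\s*$")   # "<hint> <FunctionName>"
PERSISTENCE_RE = re.compile(r"CurrentVersion\\(Run|RunOnce|RunServices)", re.IGNORECASE)

# Normalized import name -> capability it implies (a minimal table, extend as needed).
CAPABILITIES = {
    "OpenProcess": "process access", "GetCurrentProcess": "process access",
    "GetProcessHeap": "process memory (heap)",
    "CreateFile": "file I/O", "ReadFile": "file I/O", "WriteFile": "file I/O",
    "RegisterClassEx": "GUI", "SetWindowText": "GUI", "ShowWindow": "GUI",
    "SetWindowsHookEx": "keyboard/mouse hook (keylogger indicator)",
    "RegisterHotKey": "hotkey registration",
    "ShellExecute": "launches other programs",
    "RegOpenKeyEx": "registry access", "RegSetValueEx": "registry write",
}
DLL_DEFAULTS = {"gdi32.dll": "graphics (GUI)"}   # any GDI32 import implies drawing


def normalize(name):
    """Drop the ANSI/Unicode suffix (CreateFileA -> CreateFile). Heuristic: only a
    trailing A/W that follows a lowercase letter is a suffix, so ShowWindow is kept."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def parse_dumpbin_imports(text):
    """Return {dll_name_lower: [imported function names]} from dumpbin-style text."""
    imports, current = {}, None
    for line in text.splitlines():
        m = DLL_RE.match(line)
        if m:
            current = m.group(1).lower()
            imports.setdefault(current, [])
            continue
        m = IMPORT_RE.match(line)
        if m and current:   # table-address lines have trailing words and do not match
            imports[current].append(m.group(1))
    return imports


def assess(imports):
    """Map each DLL to the sorted list of capabilities its imports imply."""
    caps = {}
    for dll, funcs in imports.items():
        found = {CAPABILITIES[n] for n in map(normalize, funcs) if n in CAPABILITIES}
        if dll in DLL_DEFAULTS:
            found.add(DLL_DEFAULTS[dll])
        caps[dll] = sorted(found)
    return caps


def flags(imports, strings):
    """Combine imports and strings into the indicators an analyst would note."""
    all_funcs = {normalize(f) for funcs in imports.values() for f in funcs}
    out = []
    if "SetWindowsHookEx" in all_funcs:
        out.append("SetWindowsHookEx: hooks keyboard/mouse input, the most common keylogger technique")
        if "WriteFile" in all_funcs:
            out.append("hook + WriteFile: captured keystrokes may be written to a log file")
    if "RegisterHotKey" in all_funcs:
        out.append("RegisterHotKey: a hotkey may reveal the program's hidden UI")
    keys = [s for s in strings if PERSISTENCE_RE.search(s)]
    if keys and "RegSetValueEx" in all_funcs:
        out.append("RegSetValueEx + autostart key string: likely persistence via " + ", ".join(keys))
    elif keys:
        out.append("autostart key string present: " + ", ".join(keys))
    return out


def triage(dumpbin_text, strings):
    imports = parse_dumpbin_imports(dumpbin_text)
    return {"capabilities": assess(imports), "flags": flags(imports, strings)}


if __name__ == "__main__":
    report = triage(SAMPLE_DUMPBIN, SAMPLE_STRINGS)
    for dll, caps in report["capabilities"].items():
        print(f"{dll:13} {', '.join(caps)}")
    for f in report["flags"]:
        print("!", f)
```

Feed it real `dumpbin /imports sample.exe` output (or the equivalent from PEview/Dependency Walker converted to the same shape) and the output of `strings`; the flags section is where a hook plus file write or a registry write plus a Run-key string should catch your eye before any dynamic analysis.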
Updated: 2022/12/05
——–