Malware normally uses Windows API (Application Programming Interface) functions to interact with the operating system, for example to perform filesystem, process, memory, and network operations. As explained in Chapter 2, Static Analysis, and Chapter 3, Dynamic Analysis, Windows exports the majority of the functions required for these interactions in Dynamic Link Library (DLL) files. Executables import and call these API functions from various DLLs, each of which provides different functionality. To call an API function, the executable process loads the DLL into its memory and then calls the function. Inspecting the DLLs that a malware sample relies upon and the API functions that it imports can give an idea of the functionality and capability of the malware. The following table outlines some of the common DLLs and the functionality that they implement:
| DLL | Description |
| --- | --- |
| Kernel32.dll | This DLL exports functions related to process, memory, hardware, and filesystem operations. Malware imports API functions from this DLL to carry out filesystem-, memory-, and process-related operations. |
| Advapi32.dll | This contains functionality related to services and the registry. Malware uses the API functions from this DLL to carry out service- and registry-related operations. |
| Gdi32.dll | It exports functions related to graphics. |
| User32.dll | It implements functions that create and manipulate Windows user interface components, such as the desktop, windows, menus, message boxes, prompts, and so on. Some malware programs use functions from this DLL for performing DLL injection and for monitoring keyboard (for keylogging) and mouse events. |
| MSVCRT.dll | It contains implementations of C standard library functions. |
| WS2_32.dll and WSock32.dll | They contain functions for communicating on the network. Malware imports functions from these DLLs for performing network-related tasks. |
| Wininet.dll | It exposes high-level functions to interact with the HTTP and FTP protocols. |
| Urlmon.dll | It is a wrapper around WinInet.dll, and it is responsible for MIME-type handling and the downloading of web content. Malware downloaders use functions from this DLL for downloading additional malware content. |
| NTDLL.dll | It exports Windows Native API functions and acts as the interface between user-mode programs and the kernel. For example, when a program calls API functions in kernel32.dll (or kernelbase.dll), the API, in turn, calls a short stub in ntdll.dll. A program typically does not import functions from ntdll.dll directly; the functions in ntdll.dll are indirectly imported by DLLs such as Kernel32.dll. Most of the functions in ntdll.dll are undocumented, and malware authors sometimes import functions from this DLL directly. |
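As an added illustration of how the import inspection described above works at the byte level (example code written for this section, not from the book): a pure-Python walk of the PE import directory that lists each imported DLL with the API names it supplies. Because the parser needs a file to read, `build_sample_pe` constructs a minimal PE32 containing only an import table; that helper, `parse_imports`, and the DLL/API names used as sample input are assumptions for the demo.

```python
import struct

def build_sample_pe(imports):
    """Constructed test input: a minimal PE32 holding nothing but an import table."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200                     # one section, mapped at RVA 0x1000
    blob, descs = bytearray(20 * (len(imports) + 1)), []  # descriptors first (last one stays zero)
    for dll, funcs in imports:
        name_rva, hints = SEC_RVA + len(blob), []
        blob += dll.encode() + b"\0"
        for f in funcs:                                   # IMAGE_IMPORT_BY_NAME: WORD hint + ASCIIZ name
            hints.append(SEC_RVA + len(blob)); blob += b"\0\0" + f.encode() + b"\0"
        descs.append((name_rva, SEC_RVA + len(blob)))     # thunk array follows the names
        blob += b"".join(struct.pack("<I", h) for h in hints) + b"\0" * 4
    for i, (n, t) in enumerate(descs):                    # OriginalFirstThunk, stamp, chain, Name, FirstThunk
        struct.pack_into("<IIIII", blob, 20 * i, t, 0, 0, n, t)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")       # PE32 magic; remaining fields left zero
    dirs = bytearray(128); struct.pack_into("<II", dirs, 8, SEC_RVA, 20 * (len(imports) + 1))
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(blob), SEC_RVA, len(blob), SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + dirs + sec
    return bytes(hdr.ljust(SEC_RAW, b"\0") + blob)

def parse_imports(data):
    """Walk the import directory and return {dll: [api, ...]} (ordinal imports as 'ordinal#N')."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> "PE\0\0" signature
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE file"
    nsec, opt_size, opt = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0], pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ (64-bit) uses 8-byte thunks
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]  # DataDirectory[1]
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                            # RVA -> file offset via the section table
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA %#x maps to no section" % rva)
    def cstr(rva):
        o = off(rva); return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    result, d = {}, off(imp_rva)
    while True:                                              # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)
        if name_rva == 0:
            return result
        funcs, thunk = [], off(oft or ft)                    # prefer the name table (INT), else the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            funcs.append("ordinal#%d" % (entry & 0xFFFF) if entry & ord_flag else cstr((entry & 0x7FFFFFFF) + 2))
            thunk += size
        result[cstr(name_rva)] = funcs
        d += 20
```

On a real sample, call `parse_imports(open(path, "rb").read())` and compare the DLLs returned against the table above; a packed sample will usually show only a handful of Kernel32.dll imports such as the loader functions.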