WEBVTT

00:00.990 --> 00:02.410
Hello and welcome back.

00:02.430 --> 00:07.200
In this lecture, we are going to take a look at some common APIs used in malware.

00:09.300 --> 00:16.470
So the topics you are going to look at are networking, persistence, encryption, anti-analysis,

00:16.470 --> 00:18.700
stealth, execution,

00:18.720 --> 00:19.830
and miscellaneous.

00:20.730 --> 00:22.320
First, networking.

00:22.800 --> 00:25.440
Networking consists of a few types.

00:25.440 --> 00:33.120
There can be raw sockets, and on the server side we have the bind API, listen and accept.

00:33.480 --> 00:38.730
On the client side, we have connect, read and recv, write and shutdown.

00:39.480 --> 00:48.120
On the other hand, we also have the Windows API sockets, which always require WSAStartup to

00:48.120 --> 00:50.070
initialize the sockets.

00:50.430 --> 00:56.240
On the server side, we have bind, listen and accept, and on the client side we have connect, send and

00:56.250 --> 01:04.320
recv, and finally we always have WSACleanup to close and dispose of the sockets that have been created.

01:05.340 --> 01:06.510
Next, persistence.

01:06.510 --> 01:14.080
We have registry persistence, for example the APIs RegCreateKey, RegOpenKey,

01:14.110 --> 01:17.380
RegSetValue, RegDeleteKey and

01:17.380 --> 01:20.050
RegGetValue. Also for persistence,

01:20.080 --> 01:26.980
we have GetTempPath, CopyFile, CreateFile, WriteFile and ReadFile, and for service persistence

01:26.980 --> 01:31.540
we have OpenSCManager, CreateService and StartServiceCtrlDispatcher.

01:32.410 --> 01:34.290
Next we have encryption.

01:34.300 --> 01:43.900
We have the Windows Crypt API, for example CryptAcquireContext, CryptGenKey, CryptDestroyKey,

01:43.930 --> 01:49.420
CryptDeriveKey, CryptEncrypt, CryptDecrypt and CryptReleaseContext.

01:50.140 --> 01:52.600
Then we also have anti-analysis.

01:53.170 --> 02:01.450
For example IsDebuggerPresent, GetSystemInfo, GlobalMemoryStatus, GetVersion and some of the assembly

02:01.450 --> 02:06.910
instructions, CPUID and IN, both of which can detect virtual machines.

02:08.670 --> 02:14.790
Then we have the stealth APIs, for example VirtualAlloc, VirtualProtect, ReadProcessMemory, WriteProcessMemory,

02:14.790 --> 02:18.390
CreateRemoteThread and UnmapViewOfSection.

02:18.390 --> 02:23.610
These are used for injecting into other processes.

02:25.900 --> 02:28.960
Then on the execution side, we have CreateProcess, ShellExecute,

02:28.960 --> 02:31.210
WinExec and ResumeThread.

02:33.110 --> 02:34.790
There are also miscellaneous APIs.

02:34.820 --> 02:42.260
For example, GetAsyncKeyState and SetWindowsHookEx, which are used in keyloggers, and also GetForegroundWindow,

02:42.260 --> 02:48.650
which is used to identify the window in which the keylogging activity is taking place.

02:49.070 --> 02:53.240
We also have LoadLibrary and GetProcAddress for loading external libraries.

02:54.120 --> 02:55.190
Then CreateToolhelp32Snapshot

02:55.200 --> 03:00.180
is used to list all the processes running in the operating system.

03:00.450 --> 03:08.970
We also have GetDC and BitBlt, which are used for screen capture in remote access tools, and InternetOpen,

03:08.970 --> 03:12.640
InternetOpenUrl, InternetReadFile and InternetWriteFile.

03:12.660 --> 03:16.380
All these are typically used in remote access tools.

03:17.840 --> 03:24.020
So those are the common APIs which you always look for when you are doing malware analysis.

03:24.260 --> 03:25.620
That's all for this video.

03:25.640 --> 03:27.110
Thank you for watching.
