Common APIs used by malicious code

1. File system functions

1. CreateFile

Creates a new file or opens an existing one; dwCreationDisposition (CREATE_ALWAYS, OPEN_EXISTING, ...) decides which. The handle it returns is what ReadFile and WriteFile operate on. The same call also opens devices and named pipes, so an lpFileName beginning with \\.\ deserves a second look.

HANDLE CreateFile(
  LPCTSTR lpFileName,
  DWORD dwDesiredAccess,
  DWORD dwShareMode,
  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  DWORD dwCreationDisposition,
  DWORD dwFlagsAndAttributes,
  HANDLE hTemplateFile
);

2. ReadFile and WriteFile

Read from and write to a handle returned by CreateFile. Malware that drops a file typically calls CreateFile followed by WriteFile, with the bytes coming from a buffer in memory, an embedded resource, or a download.

BOOL ReadFile(
  HANDLE hFile,
  LPVOID lpBuffer,
  DWORD nNumberOfBytesToRead,
  LPDWORD lpNumberOfBytesRead,
  LPOVERLAPPED lpOverlapped
);

BOOL WriteFile(
  HANDLE hFile,
  LPCVOID lpBuffer,
  DWORD nNumberOfBytesToWrite,
  LPDWORD lpNumberOfBytesWritten,
  LPOVERLAPPED lpOverlapped
);

3. CreateFileMapping and MapViewOfFile

CreateFileMapping creates a file-mapping object for an open file handle; MapViewOfFile maps a view of that object into the process's address space and returns a pointer to the base address of the view. Together they load a file from disk into memory without a ReadFile loop, which is how malware commonly brings a PE file into memory before parsing, patching, or injecting it.

HANDLE CreateFileMapping(
  HANDLE hFile,
  LPSECURITY_ATTRIBUTES lpFileMappingAttributes,
  DWORD flProtect,
  DWORD dwMaximumSizeHigh,
  DWORD dwMaximumSizeLow,
  LPCTSTR lpName
);

LPVOID MapViewOfFile(
  HANDLE hFileMappingObject,
  DWORD dwDesiredAccess,
  DWORD dwFileOffsetHigh,
  DWORD dwFileOffsetLow,
  SIZE_T dwNumberOfBytesToMap
);

2. Common registry functions

1. RegOpenKeyEx

Opens a registry key for editing or querying. samDesired states the access requested (KEY_READ, KEY_WRITE, ...), and the handle returned in phkResult is passed to the other Reg* functions.

LONG RegOpenKeyEx(
  HKEY hKey,
  LPCTSTR lpSubKey,
  DWORD ulOptions,
  REGSAM samDesired,
  PHKEY phkResult
);

2. RegSetValueEx

Adds a new value under an open key (or overwrites an existing one) and sets its data. The most common malicious use is writing an autostart entry such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run, which makes this function a strong persistence indicator.

LONG RegSetValueEx(
  HKEY hKey,
  LPCTSTR lpValueName,
  DWORD Reserved,
  DWORD dwType,
  CONST BYTE *lpData,
  DWORD cbData
);

3. RegGetValue

Returns the type and data of a registry value.

LONG RegGetValue(
  HKEY hkey,
  LPCTSTR lpSubKey,
  LPCTSTR lpValue,
  DWORD dwFlags,
  LPDWORD pdwType,
  PVOID pvData,
  LPDWORD pcbData
);
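RegSetValueEx is the call through which a program writes itself an autostart entry, so the writes it produces are what a defender hunts for. As an added example that is not part of the original page, the Python below triages registry "value set" events for writes to autostart locations and flags entries whose executable sits outside the Windows or Program Files directories. It assumes records shaped like Sysmon Event ID 13 (Image, TargetObject, Details); the sample events are constructed, not real telemetry.

```python
"""Flag registry writes that establish persistence.

Added example, not from the original page: the records below imitate the
fields Sysmon logs for Event ID 13 (RegistryEvent, Value Set); they are
constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry locations that get a program executed again later. A RegSetValueEx
# write to one of these is the classic persistence step. Patterns are applied
# to the lower-cased TargetObject, so hive prefixes (HKLM, HKU\<SID>) don't matter.
AUTOSTART_RULES = [
    (r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", "Run/RunOnce key"),
    (r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(shell|userinit)$", "Winlogon Shell/Userinit"),
    (r"\\system\\(currentcontrolset|controlset\d{3})\\services\\[^\\]+\\imagepath$", "Service ImagePath"),
]

# Directories from which installed software normally autostarts; anything
# else (user profile, ProgramData, Temp) is worth an analyst's attention.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class RegistryValueSet:
    image: str    # process that performed the write (Sysmon Image)
    target: str   # full path of the value written (Sysmon TargetObject)
    details: str  # data written (Sysmon Details)


def executable_path(details: str) -> str:
    """Extract the program path from value data such as '"C:\\x\\a.exe" -arg'.

    Handles quoted paths followed by arguments and the %SystemRoot% form
    used by many service ImagePath values. Result is lower-cased.
    """
    s = details.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        path = s[1:end] if end > 0 else s[1:]
    else:
        path = s.split(" ", 1)[0]
    path = path.lower()
    for var, value in (("%systemroot%", "c:\\windows"),
                       ("%programfiles%", "c:\\program files")):
        path = path.replace(var, value)
    return path


def classify(event: RegistryValueSet) -> Optional[dict]:
    """Return a finding if the write lands in an autostart location, else None."""
    target = event.target.lower()
    location = None
    for pattern, name in AUTOSTART_RULES:
        if re.search(pattern, target):
            location = name
            break
    if location is None:
        return None
    exe = executable_path(event.details)
    return {
        "location": location,
        "executable": exe,
        "writer": event.image,
        # An autostart entry pointing outside the system/program directories
        # is not proof of malware, but it is the first thing to look at.
        "suspicious": not exe.startswith(TRUSTED_DIRS),
    }


def suspicious_persistence(events: List[RegistryValueSet]) -> List[dict]:
    """Run classify() over a batch and keep only the suspicious findings."""
    hits = []
    for event in events:
        finding = classify(event)
        if finding and finding["suspicious"]:
            hits.append(finding)
    return hits


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    RegistryValueSet(  # Run-key entry pointing into the user's profile
        image="C:\\Users\\bob\\Downloads\\invoice.exe",
        target="HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        details='"C:\\Users\\bob\\AppData\\Roaming\\Updater\\svchost.exe" -silent',
    ),
    RegistryValueSet(  # a legitimate service entry, for contrast
        image="C:\\Windows\\System32\\services.exe",
        target="HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
        details="%SystemRoot%\\System32\\spoolsv.exe",
    ),
    RegistryValueSet(  # a new service whose binary lives in ProgramData
        image="C:\\Users\\bob\\Downloads\\invoice.exe",
        target="HKLM\\System\\CurrentControlSet\\Services\\WinDefendHelper\\ImagePath",
        details="C:\\ProgramData\\wdh\\wdh.exe",
    ),
    RegistryValueSet(  # unrelated write, should be ignored
        image="C:\\Windows\\explorer.exe",
        target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        details="DWORD (0x00000001)",
    ),
]

if __name__ == "__main__":
    for hit in suspicious_persistence(SAMPLE_EVENTS):
        print(f"{hit['location']:<24} {hit['executable']}  (written by {hit['writer']})")
```

The Service ImagePath rule also catches what CreateService leaves behind, since the SCM stores a new service's binary path under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The trusted-directory check is deliberately coarse: a signed installer writing to Program Files passes, a dropper writing under AppData or ProgramData does not, and the "writer" field tells you which process to pivot to.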

3. WinINet API

1. InternetOpen

Initializes the WinINet library for the calling application and returns the root HINTERNET handle that every later WinINet call depends on. lpszAgent is the User-Agent string the program will send, so a hard-coded or unusual value here is a useful network signature.

HINTERNET InternetOpenA(
  LPCSTR lpszAgent,
  DWORD dwAccessType,
  LPCSTR lpszProxy,
  LPCSTR lpszProxyBypass,
  DWORD dwFlags
);

2. InternetOpenUrl

Opens a resource by URL (HTTP, HTTPS or FTP) and returns a handle from which its content can be read.

HINTERNET InternetOpenUrlA(
  HINTERNET hInternet,
  LPCSTR lpszUrl,
  LPCSTR lpszHeaders,
  DWORD dwHeadersLength,
  DWORD dwFlags,
  DWORD_PTR dwContext
);

3. InternetReadFile and ReadFile

InternetReadFile reads data from a handle opened with InternetOpenUrl; it is how a program pulls down a file it is downloading from the Internet. ReadFile (repeated here from the file-system section) is the equivalent call for an ordinary file handle. A downloader usually pairs InternetReadFile with CreateFile and WriteFile to save the received bytes to disk.

BOOLAPI InternetReadFile(
  HINTERNET hFile,
  LPVOID lpBuffer,
  DWORD dwNumberOfBytesToRead,
  LPDWORD lpdwNumberOfBytesRead
);

BOOL ReadFile(
  HANDLE hFile,
  LPVOID lpBuffer,
  DWORD nNumberOfBytesToRead,
  LPDWORD lpNumberOfBytesRead,
  LPOVERLAPPED lpOverlapped
);

4. Processes

1. CreateProcess

Creates a new process and its primary thread. In malware it commonly launches a hidden command shell or another dropped executable. dwCreationFlags is worth checking: CREATE_SUSPENDED there usually means the new process is being set up for injection or hollowing before it runs.

BOOL CreateProcessA(
  LPCSTR lpApplicationName,
  LPSTR lpCommandLine,
  LPSECURITY_ATTRIBUTES lpProcessAttributes,
  LPSECURITY_ATTRIBUTES lpThreadAttributes,
  BOOL bInheritHandles,
  DWORD dwCreationFlags,
  LPVOID lpEnvironment,
  LPCSTR lpCurrentDirectory,
  LPSTARTUPINFOA lpStartupInfo,
  LPPROCESS_INFORMATION lpProcessInformation
);

5. Threads

1. CreateThread

Creates a thread in the calling process that begins executing at lpStartAddress with lpParameter as its argument.

HANDLE CreateThread(
  LPSECURITY_ATTRIBUTES lpThreadAttributes,
  SIZE_T dwStackSize,
  LPTHREAD_START_ROUTINE lpStartAddress,
  LPVOID lpParameter,
  DWORD dwCreationFlags,
  LPDWORD lpThreadId
);

6. Services

1. OpenSCManager

Returns a handle to the Service Control Manager, which is needed for all subsequent service-related calls. Opening it with SC_MANAGER_CREATE_SERVICE access (required before CreateService) needs administrative rights, so a sample that does this either already has them or will try to get them.

SC_HANDLE OpenSCManagerA(
  LPCSTR lpMachineName,
  LPCSTR lpDatabaseName,
  DWORD dwDesiredAccess
);

2. CreateService

Adds a new service to the Service Control Manager. dwStartType lets the caller choose whether the service starts automatically at boot (SERVICE_AUTO_START) or must be started manually (SERVICE_DEMAND_START); lpBinaryPathName is the executable that will run, and a path outside the system directories is the first thing to check.

SC_HANDLE CreateServiceA(
  SC_HANDLE hSCManager,
  LPCSTR lpServiceName,
  LPCSTR lpDisplayName,
  DWORD dwDesiredAccess,
  DWORD dwServiceType,
  DWORD dwStartType,
  DWORD dwErrorControl,
  LPCSTR lpBinaryPathName,
  LPCSTR lpLoadOrderGroup,
  LPDWORD lpdwTagId,
  LPCSTR lpDependencies,
  LPCSTR lpServiceStartName,
  LPCSTR lpPassword
);

3. StartService

Starts a service. Together with OpenSCManager and CreateService it completes the install-and-run sequence that malware uses to persist as a service.

BOOL StartServiceA(
  SC_HANDLE hService,
  DWORD dwNumServiceArgs,
  LPCSTR *lpServiceArgVectors
);
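The functions in this list are most telling in combination: InternetOpen, InternetOpenUrl and InternetReadFile followed by CreateFile, WriteFile and CreateProcess is the shape of a downloader, and OpenSCManager, CreateService and StartService together is service persistence. As an added example (not code from the original page), the Python below infers such capabilities from an import table. The capability table, the behaviour table and the sample import list are my own constructions; real import names would come from the PE import directory via a tool such as pefile or dumpbin /imports.

```python
"""Infer a sample's capabilities from the Win32 functions it imports.

Added example, not code from the original page. The groupings follow the
sections of this list; the import names below are constructed for
illustration (in practice they come from the PE import table, e.g. via
pefile or `dumpbin /imports`).
"""
from typing import Dict, Iterable, List

# A capability is present only when every function in `required` is imported;
# `optional` functions are reported alongside when present.
CAPABILITIES = {
    "file-write":      {"required": {"CreateFile", "WriteFile"}, "optional": {"ReadFile"}},
    "file-map":        {"required": {"CreateFileMapping", "MapViewOfFile"}, "optional": {"CreateFile"}},
    "registry-modify": {"required": {"RegOpenKeyEx", "RegSetValueEx"}, "optional": {"RegGetValue"}},
    "http-download":   {"required": {"InternetOpen", "InternetOpenUrl", "InternetReadFile"},
                        "optional": {"CreateFile", "WriteFile"}},
    "process-launch":  {"required": {"CreateProcess"}, "optional": set()},
    "thread-create":   {"required": {"CreateThread"}, "optional": set()},
    "service-install": {"required": {"OpenSCManager", "CreateService", "StartService"}, "optional": set()},
}

# Higher-level behaviours that follow from combinations of capabilities.
BEHAVIOURS = {
    "downloader (fetch, drop, execute)": {"http-download", "file-write", "process-launch"},
    "service-based persistence": {"service-install"},
    "loads a file into memory": {"file-map"},
}

KNOWN = set().union(*(spec["required"] | spec["optional"] for spec in CAPABILITIES.values()))


def normalize(name: str) -> str:
    """Drop the ANSI/Unicode suffix (CreateFileA, CreateFileW -> CreateFile),
    but only for functions in our table, so unrelated names that happen to
    end in A or W are left alone."""
    if name and name[-1] in "AW" and name[:-1] in KNOWN:
        return name[:-1]
    return name


def capabilities(imports: Iterable[str]) -> Dict[str, List[str]]:
    """Map capability -> sorted list of the relevant functions actually imported."""
    names = {normalize(n) for n in imports}
    found = {}
    for cap, spec in CAPABILITIES.items():
        if spec["required"] <= names:
            found[cap] = sorted((spec["required"] | spec["optional"]) & names)
    return found


def partial_matches(imports: Iterable[str]) -> Dict[str, List[str]]:
    """Capabilities with some but not all required functions, and what is missing.

    A missing piece often means the function is resolved at run time with
    GetProcAddress rather than through the import table; check strings too.
    """
    names = {normalize(n) for n in imports}
    out = {}
    for cap, spec in CAPABILITIES.items():
        present = spec["required"] & names
        if present and present != spec["required"]:
            out[cap] = sorted(spec["required"] - names)
    return out


def behaviours(imports: Iterable[str]) -> List[str]:
    """Behaviours whose capability sets are fully covered by the imports."""
    caps = set(capabilities(imports))
    return [b for b, needs in BEHAVIOURS.items() if needs <= caps]


# Constructed import list of a hypothetical downloader that also installs a service.
SAMPLE_IMPORTS = [
    "CreateFileA", "WriteFile", "CloseHandle", "GetTempPathA", "lstrcatA",
    "InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "InternetCloseHandle",
    "CreateProcessA", "OpenSCManagerA", "CreateServiceA", "StartServiceA",
]

if __name__ == "__main__":
    for cap, funcs in capabilities(SAMPLE_IMPORTS).items():
        print(f"{cap:<16} {', '.join(funcs)}")
    for cap, missing in partial_matches(SAMPLE_IMPORTS).items():
        print(f"{cap:<16} partial, missing {', '.join(missing)}")
    print("behaviours:", "; ".join(behaviours(SAMPLE_IMPORTS)))
```

An absent import is not proof that a capability is absent: malware frequently resolves names at run time through LoadLibrary and GetProcAddress, or obfuscates them, so the partial_matches output is a prompt to look at strings and at dynamic behaviour rather than a verdict.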