Malware normally uses Windows API functions (Application Programming Interface) to interact with the operating system (for performing filesystem, process, memory, and network operations). As explained in Chapter 2, Static Analysis, and Chapter 3, Dynamic Analysis, Windows exports the majority of its functions required for these interactions in Dynamic Link Libary (DLL) files. Executables import and call these API functions from various DLLs, which provide different functionalities. To call the API, the executable process loads the DLL into its memory and then calls the API function. Inspecting the DLLs that a malware relies upon and the API functions that it imports can give an idea of the functionality and capability of the malware. The following table outlines some of the common DLLs, and the functionalities that they implement:
DLL | ...