1. Malware Functionalities
By now, you should have an understanding of how malware utilizes API functions to interact with the system. In this section, you will understand how malware makes use of various API functions to implement certain functionality. For information regarding where to find help about a particular API and how to read the API documentation, refer to section 3, Disassembling the Windows API, in Chapter 5, Disassembly Using IDA.
1.1 Downloader
The simplest type of malware that you will encounter during malware analysis is a Downloader. A downloader is a program that downloads another malware component from the internet and executes it on the system. It does that by calling the UrlDownloadToFile()
API, which downloads the file onto the disk. Once downloaded, it then uses either ShellExecute()
, WinExec()
, or CreateProcess()
API calls to execute the downloaded component. Normally, you will find that downloaders are used as part of the exploit shellcode.
The following screenshot...