Wednesday, June 7, 2017

Random Windows Executable Dependency Notes

Random windows executable dependency notes.
Windows API reference


ADVAPI32.dll = part of an advanced API services library supporting numerous APIs including many security and registry calls

    @ CreateServiceA = create a new windows service, can be used for persistence

    @ RegCreateKeyExA = create or open registry key, can be used for persistence

    @ GetSetValueExA = set registry value, can be used for persistence

    @ StartServiceA = start a windows service, can be used for persistence

AUTHZ.dll = responsible for component Authorization Framework for Windows systems

    @ AuthzInitializeContextFromSid = creates a user-mode client context from a user security identifier (SID)



COMCTL32.dll = module that contains common GUI components used by Windows applications

COMDLG32.dll = module that contains Common dialog boxes used by Windows applications, such as the standard Open File form

    @ GetOpenFileNameA = open file dialog box

    @ GetSaveFileNameA = save file dialog box



CRYPTBASE.dll = responsible for component Base cryptographic API DLL for Windows

GDI32.dll = library that implements the GDI subsystem, where primitive graphical operations are performed

IPHLPAPI.dll = module containing the functions used by the Windows IP Helper API

    @ GetAdaptersInfo = gets info on the network adapters of the system

    @ GetIfTable = enumerates physical interfaces on system



KERNEL32.dll = Windows operating system kernel

    @ CreateFileA = create an ASCII file, can be used to drop a file

    @ CreateMutexA = create a mutex (mutually exclusive object), can be used to avoid infecting the system more than once & to coordinate communications among multiple components

    @ CreateProcessA = create a process, can be used to execute a program

    @ CreateThread = create a process, can be used to generate child process

    @ ExpandEnvironmentStringsA = get an environment variable

    @ GetModuleFileNameA = gets the name of the a module/dll already loaded

    @ GetModuleHandleA = get an existing module/dll

    @ GetProcAddress = get address of an exported function

    @ GetSystemInfo = get info about the system

    @ LoadLibraryA = load a module/dll, can be used to inject into processes

    @ LoadLibraryW = load a module/dll, can be used to inject into processes

    @ VirtualAlloc = reserves memory in the calling process

    @ WriteExe = same as CreateProcess but for 16bit compatibility, can be used to execute a program

    @ WriteFile = write to a file, can be used to drop a file



KERNELBASE.dll = system file of Windows Operating System, which serves various Windows applications and services, kinda like a second generation of kernel32.dll

MFC42.DLL = module that contains the Microsoft Foundation Classes (MFC) functions

    @ WNetAddConnection2W = makes a connection to a network resource and can redirect a local device to the network resource

    @ WNetGetConnection2W = retrieves the name of the network resource associated with a local device

    @ WNetUseConnection2W = makes a connection to a network resource. The function can redirect a local device to a network resource



MPR.DLL = module containing functions used to handle communication between the Windows operating system and the installed network providers

MSVCP60.dll = standard C library functions such as printf, memcpy, and cos

MSVCRT.DLL = the C standard library for the Visual C++ (MSVC) compiler

    @ fopen = open a file

    @ memmove = overwrite memory



NDDEAPI.DLL = Windows for Workgroups DDE (Dynamic Data Exchange) Share Interface, no longer supported

    @ NDdeShareEnumA = retrieves available shares



NETAPI32.DLL = module that contains the Windows NET API used by applications to access a Microsoft network

    @ NetLocalGroupAddMembers = adds an account to a group, can be used for persistence

    @ NetUserAdd = adds a new account, can be used for persistence



NTDSAPI.DLL = module that contains a set of COM interfaces used to access the capabilities of directory services from different network providers

    @ DsServerRegisterSpnA = function either registers or unregisters the SPNs (service prinicpal names)



OLE32.dll = part of the object linking and embedding technology, or OLE

    @ CreateBindCtx = returns object with info about a particular COM linking moniker

OLEAUT32.dll = library used in Microsoft for OLE (Object linking and embedding) technologies; OLE Automation

PSAPI.dll = Process Status Helper file used by Windows to collate information and files about all your software & drivers on your PC

    @ EnumProcesses = Retrieves the process identifier for each process object in the system

    @ EnumProcessModules = Retrieves a handle for each module in the specified process



RPCRTREMOTE.dll = process which is responsible for component Remote RPC Extension for Windows

RSAENH.dll = module that implements the Microsoft enhanced cryptographic service provider (CSP)

    @ CPCreateHash = creates and initializes a new hash object

    @ CPDecrypt = Decrypt data



SHELL32.dll = Windows Shell API functions, which are used when opening web pages and files

    @ SHBrowseForFolderA = Displays a dialog box that enables the user to select a folder

    @ ShellExecuteA = performs an operation on a file like open, find, and explore



SHFOLDER.dll = contains functions regarding Windows special folders such as My Documents

    @ SHGetFolderPathA = can be used to return folder paths like user's AppData



SHLWAPI.dll = library which contains functions for UNC and URL paths, registry entries, and color settings

    @ SHDeleteKeyA = deletes a registry key and all descendants



URLMON.dll = module that contains functions used by Microsoft OLE (Object Linking and Embedding)

    @ UrlDownloadToFileA = Downloads bits from the Internet and saves them to a file, can be used to download payload



USER32.dll = used for windowing and other interactive user program tasks

    @ CreateWindowExA = open a new window

    @ DrawIcon = draw an icon or cursor

    @ EnableWindow = enable mouse and keyboard input in a window

    @ PeekMessageA = looks at incoming message to a window

    @ PostMessageA = sends message to a window

    @ RegisterClassExA = registers a class in relation to a window

    @ SetFocus = sets focus on a window

    @ SetWindowsHookEx = popular way keyloggers receive keyboard inputs



USERENV.dll = module that contains application programming interface (API) functions to create and manage user profiles

    @ LoadUserProfileW = Loads the specified user's profile. The profile can be a local user profile or a roaming user profile



USP10.dll = module that contains a collection of application programming interface (API) functions that enable a text layout client to format complex scripts



VERSION.dll = module that contains application programming interface (API) functions used for Windows version checking



WININET.dll = module that contains Internet-related functions used by Windows applications

    @ InternetOpenA = Initializes an application's use of the WinINet functions

    @ InternetOpenUrlA = Opens a resource specified by a complete FTP or HTTP URL

    @ InternetReadFile = Reads data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest

    @ FindNextUrlCacheEntryA = Retrieves the next entry in the Internet cache

    @ DeleteUrlCacheEntry = Removes the file from the cache



WINNM.dll = module for the Windows Multimedia API, which contains low-level audio and joystick functions



WS2_32.dll = Windows Sockets API used by most Internet and network applications to handle network connections

    @ WSAloctl = controls the mode of a socket

    @ WSASocketA = creates a new socket



WSOCK32dll = just a wrapper for the actual winsock ws2_32.dll, windows sockets api

    @ gethostbyname = lookup ip of host

    @ send = send data thru socket

    @ socket = create a socket

    @ WSAStartup = initiates use of the Winsock DLL by a process







More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment