Malware Handbook

Win32 Assembly Programming

1. Win32 API Overview

  • Definition: The Win32 API (Application Programming Interface) provides functions for modern Windows versions, implemented in system DLLs (Dynamic Link Libraries).

    • Kernel32.dll: Handles memory management, I/O operations, and interrupts.

    • User32.dll: Manages Windows user interface functions.

    • Gdi32.dll: Provides graphical functions for Windows.

  • API Types:

    • ANSI: Suffixed with A (e.g., MessageBoxA); takes 8-bit (ANSI) strings.

    • Unicode/Wide: Suffixed with W (e.g., CreateProcessW); takes 16-bit (UTF-16) strings.

  • Case Sensitivity: APIs are case-sensitive. Reference MSDN for more details.

2. Example: MessageBox API

  • Purpose: Displays a modal dialog box with a system icon, buttons, and a message. Returns an integer value based on user input.

  • Syntax:

    • In Assembly: Parameters are pushed onto the stack in reverse order (last parameter first), as the stdcall convention used by the Win32 API requires; the callee removes them from the stack on return.

    • Example Call:

      push 0               ; uType = 0 (MB_OK); the last parameter is pushed first
      push offset Caption  ; lpCaption: the title-bar string
      push offset Title    ; lpText: the message body (labels are as given above)
      push 0               ; hWnd = NULL, no owner window
      call MessageBoxA     ; stdcall: MessageBoxA pops the 16 bytes of arguments itself

3. Writing a "Hello, World!" Program in Assembly

  • Tools: MASM32 SDK version 11.

    • Installation: Download and unzip MASM32 SDK, follow installation instructions.

  • Program Skeleton:

    .386
    .MODEL FLAT, STDCALL
    OPTION CASEMAP:NONE                   ; API names are case-sensitive (see section 1)
    INCLUDE \masm32\include\windows.inc   ; MB_OK and other constants (default MASM32 install path)
    INCLUDE \masm32\include\kernel32.inc  ; ExitProcess prototype, needed for invoke
    INCLUDE \masm32\include\user32.inc    ; MessageBoxA prototype, needed for invoke
    INCLUDELIB \masm32\lib\kernel32.lib   ; lets link.exe resolve the imports
    INCLUDELIB \masm32\lib\user32.lib
    .STACK 4096
    .DATA
    MsgBoxCaption DB 'Hello, World!',0    ; NUL-terminated ANSI strings for the A variant
    MsgBoxText DB 'Hello, World!',0
    .CODE
    start:
      invoke MessageBoxA, 0, offset MsgBoxText, offset MsgBoxCaption, MB_OK
      invoke ExitProcess, 0
    END start

  • Compile and Link:

    • Assemble: ml.exe /c hello.asm

    • Link: link.exe hello.obj

  • Result: Produces a 3 KB executable displaying a message box.

4. Analyzing Malware Example

  • Downloader Behavior:

    • Mutex Creation: Uses CreateMutexW to create a mutex named svchost double up.

    • Payload Download: Utilizes InternetOpenA, InternetOpenUrlW, and InternetCloseHandle to download and save the payload.

    • File Saving: Saves payload to temp directory as svchost.exe using GetTempPathW and CreateFileW.

    • Registry Entry: Ensures automatic execution by creating an autostart registry entry with RegOpenKeyExW, RegSetValueExW, and RegCloseKey.
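The A/W suffix rule from section 1 and the downloader's API sequence above can be turned into a simple import-table triage check. This is an added example, not code from the handbook: the import names are constructed to mirror the sample described above, and in practice they would come from a PE parser or a static-analysis tool's import view.

```python
# Capability groups keyed on the behaviours described in section 4.
# Base names are matched, so both the A and W variants count.
CAPABILITIES = {
    "mutex (single-instance check)": {"CreateMutex"},
    "internet download": {"InternetOpen", "InternetOpenUrl",
                          "InternetReadFile", "InternetCloseHandle"},
    "write to temp directory": {"GetTempPath", "CreateFile", "WriteFile"},
    "autostart registry entry": {"RegOpenKeyEx", "RegSetValueEx", "RegCloseKey"},
}

# All three must be present before we call it a downloader pattern; any one
# group on its own is common in benign software.
REQUIRED_FOR_DOWNLOADER = {"internet download", "write to temp directory",
                           "autostart registry entry"}


def split_variant(name):
    """Split a Win32 import into (base name, variant) using the A/W suffix rule:
    MessageBoxA -> ('MessageBox', 'ANSI'), CreateProcessW -> ('CreateProcess', 'Wide').
    The preceding character must be lowercase so that names such as GetDC
    are not mistaken for a variant. Names without a suffix return None."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1], "ANSI" if name[-1] == "A" else "Wide"
    return name, None


def triage_imports(imports):
    """Return (capability groups hit -> matching imports, ANSI/Wide counts).
    A mix of A and W calls in one binary, as in the sample above, is itself
    worth noting during analysis."""
    matched, variants = {}, {"ANSI": 0, "Wide": 0}
    for name in imports:
        base, variant = split_variant(name)
        if variant:
            variants[variant] += 1
        for capability, apis in CAPABILITIES.items():
            if base in apis:
                matched.setdefault(capability, []).append(name)
    return matched, variants


def looks_like_downloader(matched):
    """True only when download, drop-to-disk and persistence all appear."""
    return REQUIRED_FOR_DOWNLOADER <= set(matched)


# Constructed import list mirroring the downloader described in section 4.
SAMPLE_IMPORTS = ["CreateMutexW", "InternetOpenA", "InternetOpenUrlW",
                  "InternetCloseHandle", "GetTempPathW", "CreateFileW",
                  "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey", "ExitProcess"]
```

Running `triage_imports(SAMPLE_IMPORTS)` reports all four capability groups, one ANSI and six Wide imports, and `looks_like_downloader` returns True; a plain "Hello, World!" import list (MessageBoxA, ExitProcess) hits no group.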

5. Benefits of Learning Assembly

  • Performance: Provides speed and memory optimizations.

  • Debugging: Helps resolve bugs, defects, and coding errors.

  • Reverse Engineering: Essential for understanding and analyzing software, including malware.
