creating win32 api == ?


This topic contains 1 reply, has 2 voices, and was last updated by  Vadim Smirnov 9 years, 4 months ago.

  • #5200

    shakuni
    Participant

    While researching for a book that I am writing (“Malware: Writing Malicious Code”), I came across this:

    “Some malware goes so far as to avoid importing any functions from available DLLs. Instead, it emulates all of the APIs it needs. This means that you cannot list the functions, so you cannot easily set breakpoints on them, as all API calls will just be a part of the malware code. In some cases, malware authors even use this to trap reverse engineers: they may import functions that are never used (having used the emulated ones instead).”

    Now my question is-

    How can I write a Win32 API without using Win32 or the native API? For example, how can I write code that’ll manipulate the Windows registry without using Win32 or the native API?

    Or, if you’ve heard of any virus that emulates the API, give me its name. The rest (like retrieving the API-emulating code from the virus) I’ll manage.

    #6612

    Vadim Smirnov
    Moderator

    Hmm, you can bypass Win32 and use the native API. You can even rewrite some Win32 APIs in terms of other ones. However, there is no way for a user-mode application to do anything without somehow calling the kernel.

    Though you don’t really need to import ntdll.dll functions; you can use INT 2E (SYSCALL/SYSENTER) directly to call kernel services. This is probably what is meant in the quote you posted.
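To show what the reply's point looks like from the detection side, here is an added example (not code from this thread or its participants): a scanner that looks for a `mov eax, imm32` followed closely by `syscall`, `sysenter` or `int 2Eh`, the sequence a user-mode binary that skips the ntdll.dll imports must contain somewhere. The sample bytes, the service numbers in them and the 16-byte gap window are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample bytes (not taken from any real binary): an ordinary
# prologue, a harmless "mov eax, 1", then three hand-made direct-to-kernel
# stubs of the kind the reply describes.
SAMPLE_CODE = bytes.fromhex(
    "5589e5"                            # push ebp; mov ebp, esp   (normal prologue)
    "b801000000" "50"                   # mov eax, 1; push eax     (no trap follows)
    "4c8bd1" "b812000000" "0f05" "c3"   # mov r10,rcx; mov eax,0x12; syscall; ret
    "b834000000" "cd2e" "c3"            # mov eax,0x34; int 2Eh; ret
    "b82c000000" "0f34" "c3"            # mov eax,0x2c; sysenter; ret
)

TRAP_NAMES = {b"\x0f\x05": "syscall", b"\x0f\x34": "sysenter", b"\xcd\x2e": "int 2Eh"}

# mov eax, imm32 (the service number), a short run of setup bytes that must
# not contain another mov eax, then one of the three kernel-entry instructions.
# A 16-byte gap (assumed window) covers the "mov r10, rcx" and similar setup
# seen around such stubs.
STUB_RE = re.compile(
    rb"\xb8(?P<num>.{4})"
    rb"(?P<gap>[^\xb8]{0,16}?)"
    rb"(?P<trap>\x0f\x05|\x0f\x34|\xcd\x2e)",
    re.DOTALL,
)


def find_direct_syscall_stubs(code: bytes) -> List[Dict[str, object]]:
    """Return one record per suspected stub: offset, service number, trap used."""
    hits = []
    for m in STUB_RE.finditer(code):
        hits.append({
            "offset": m.start(),
            "number": int.from_bytes(m.group("num"), "little"),
            "trap": TRAP_NAMES[m.group("trap")],
        })
    return hits


def has_direct_syscalls(code: bytes) -> bool:
    """Triage flag: any such stub in a user-mode image deserves a closer look."""
    return bool(find_direct_syscall_stubs(code))


if __name__ == "__main__":
    for hit in find_direct_syscall_stubs(SAMPLE_CODE):
        # Service numbers change between Windows builds, so resolving
        # hit["number"] to an Nt* name needs a table for that exact build.
        print(f"offset 0x{hit['offset']:x}: {hit['trap']} with eax=0x{hit['number']:x}")
```

Run it over executable sections only; the byte patterns can also occur by chance in data, so a hit is a lead for a disassembler, not a verdict.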
