
Common Malicious APIs


CuT|ThroaT
April 19th, 2009, 01:20
Hi all, glad to join this great community.
I was just wondering if you guys could give me a hand in compiling a list of APIs that are commonly used in malware.
So far I have:

FindResource
LockResource
ShellExecute
GetThreadContext
CreateProcessA
Read/WriteProcessMemory


I gather there are more than that, like RegOpenKey when the file it may be bound to clearly has no need for the registry, but what are some other typical ones? And what kind of malware are they used for?
Kind Regards,
CT

Arcane
April 19th, 2009, 06:14
CreateRemoteThread is a good one to remember; it's used to create threads in a remote process.

Also the entire WinInet stuff, which is often used to download more malware via port 80.

rendari
April 19th, 2009, 20:16
Speaking of CreateRemoteThread... is there any way to block the creation of remote threads in my process without using drivers?

reverser
April 20th, 2009, 18:00
You could try hooking the root entrypoint of all threads in kernel32 (BaseThreadInitThunk).

anom
April 22nd, 2009, 10:12
Also mind direct calls to ZwUnmapViewOfSection (this API may also be used in internal windows procedures, so make sure it is called directly from the main module).

darawk
April 22nd, 2009, 20:21
CreateRemoteThread for sure, OpenProcess, SetWindowsHookEx, NtSetSystemInformation called with LoadAndCallDriver among other things, CreateFile on various system files or \\Device\\PhysicalMemory, VirtualProtectEx called on a different process, and many many more, that's just off the top of my head.

CuT|ThroaT
April 23rd, 2009, 07:25
Thanks for all your contributions.
darawk, if there are more, please tell
I am a moderator at a proof-of-concept malware forum and obviously there are always going to be smartasses who try to backdoor attachments, so this is kinda important seeing as the forum is very very active.

esther
April 23rd, 2009, 11:58
you should dig it yourself if you want to know more

CuT|ThroaT
April 24th, 2009, 00:52
I've attempted many a time. I've searched for them, searched this forum, nothing that straight out had malicious APIs.
Besides, this is a malware analysis forum, it's what it's meant for.

Kayaker
April 24th, 2009, 22:36
Quote (originally posted by CuT|ThroaT):
I am a moderator at a proof-of-concept malware forum and obviously there are always going to be smartasses who try to backdoor attachments, so this is kinda important seeing as the forum is very very active.


Not too sure that such a list is all that useful anyway for that purpose. Any rootkit or backdoor attempt worth its salt isn't going to make those APIs visible in a static import listing, for example. You're more likely only to see LoadLibrary/GetProcAddress, and every "malicious" API is going to be determined dynamically or otherwise obfuscated.

If your forum deals with POC malware, then it's pretty much a given it's going to contain "bad stuff" and should be treated as such unless it comes with complete source and/or from your most trusted members.

Anyway, you could also add OpenThread, NtQueueApcThread and even CreateToolhelp32Snapshot/Thread32First/Thread32Next to that list, which is a method used by Conficker for dll injection (APC routine is address of LoadLibraryExA, parameter is malware dll name string).

If you want, you are welcome to mention the name of your forum, I'm sure a number of people here would be interested in it. If you don't want to identify the forum for some reason, that's OK too, just want to assure you that we have no problems with that here.

Kayaker

CuT|ThroaT
April 24th, 2009, 22:45
Well although the intention of this forum is proof-of-concept, the general population of our members actually use malware.
Well the website is hackhound.org
Don't let the name stir you, have a look and you might be surprised at the programming/reversing section we have.
Anyway...Most of the time, people just attempt to bind things with RATs, keyloggers, password stealers, etc. Rootkits are very rarely found. I usually just use PEiD to examine the strings and imports for malicious APIs like the ones mentioned in this thread. So my intention in starting this thread was just to broaden my arsenal of APIs.
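As an added example that is not part of the original thread or any poster's code: a small pure-Python PE import scanner doing what the PEiD import check above does by hand. It flags the API names collected in this thread (the original list, darawk's and Kayaker's additions, and the WinInet download calls Arcane mentioned) and also reports the case Kayaker warns about, where the import table shows little beyond LoadLibrary/GetProcAddress because the real API set is resolved at run time. The SUSPICIOUS set, the build_pe() fixture that fabricates a minimal PE32 in memory so the scanner can be exercised offline, and the threshold in the dynamic-resolution heuristic are my own assumptions, not anything from the thread.

```python
# Added example: a pure-Python PE import scanner. SUSPICIOUS collects the API
# names from this thread (A/W suffixes dropped). build_pe() fabricates a
# minimal PE32 in memory (a test fixture, not a real executable).
import struct

SUSPICIOUS = {
    "FindResource", "LockResource", "ShellExecute", "GetThreadContext",
    "CreateProcess", "ReadProcessMemory", "WriteProcessMemory",
    "CreateRemoteThread", "OpenProcess", "SetWindowsHookEx",
    "NtSetSystemInformation", "VirtualProtectEx", "ZwUnmapViewOfSection",
    "NtUnmapViewOfSection", "OpenThread", "NtQueueApcThread",
    "CreateToolhelp32Snapshot", "Thread32First", "Thread32Next",
    "InternetOpen", "InternetOpenUrl", "InternetReadFile", "URLDownloadToFile",
}
DYNAMIC = {"LoadLibrary", "LoadLibraryEx", "GetProcAddress"}

def _normalize(name):
    """Drop an A/W suffix when the bare name is one we know about."""
    bare = name[:-1] if name.endswith(("A", "W")) else name
    return bare if bare in SUSPICIOUS | DYNAMIC else name

def parse_imports(data):
    """Return {dll: [function name or ordinal, ...]} for a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]  # data dir 1
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva2off(rva):
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA 0x%x maps to no section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, ord_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    result, desc = {}, rva2off(imp_rva) if imp_rva else None
    while desc is not None:  # IMAGE_IMPORT_DESCRIPTOR array ends with an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:
            break
        thunk, funcs = rva2off(oft or ft), []  # prefer the ILT, fall back to the IAT
        while (t := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            funcs.append(t & 0xFFFF if t & ord_flag else cstr(rva2off(t) + 2))  # skip 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        result[cstr(rva2off(name_rva)).lower()] = funcs
        desc += 20
    return result

def assess(imports):
    """Return (sorted flagged names, True if the table looks runtime-resolved)."""
    names = [f for fs in imports.values() for f in fs if isinstance(f, str)]
    norm = {_normalize(n) for n in names}
    # Heuristic (assumption): GetProcAddress plus LoadLibrary and few other
    # imports means the interesting APIs are looked up at run time.
    dynamic = "GetProcAddress" in norm and bool(norm & {"LoadLibrary", "LoadLibraryEx"}) and len(names) <= 10
    return sorted(norm & SUSPICIOUS), dynamic

def build_pe(imports):
    """Fabricate a minimal PE32 whose only content is the given import table."""
    sec_rva, sec_raw, ndll = 0x1000, 0x200, len(imports)
    body, descs = bytearray(20 * (ndll + 1)), []  # descriptors first, last one all zero
    for dll, funcs in imports.items():
        thunks = []
        for f in funcs:
            if isinstance(f, int):
                thunks.append(0x80000000 | f)  # import by ordinal
            else:
                thunks.append(sec_rva + len(body))
                body += b"\0\0" + f.encode() + b"\0"  # hint + name
                body += b"\0" * (len(body) % 2)       # keep hint/name entries even-aligned
        ilt = sec_rva + len(body)
        body += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        iat = sec_rva + len(body)
        body += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        name_rva = sec_rva + len(body)
        body += dll.encode() + b"\0"
        descs.append(struct.pack("<5I", ilt, 0, 0, name_rva, iat))
    body[:20 * ndll] = b"".join(descs)
    body += b"\0" * (-len(body) % 0x200)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, len(body), 0, 0, sec_rva, sec_rva, sec_rva,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, sec_rva + len(body), sec_raw, 0,
                      3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, 20 * (ndll + 1))  # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec_hdr = struct.pack("<8s6I2HI", b".idata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + sec_hdr
    return hdr + b"\0" * (sec_raw - len(hdr)) + bytes(body)
```

On a real attachment, call `assess(parse_imports(open(path, "rb").read()))`. The parser walks only the normal import directory (no delay-load or bound-import tables), and a packed sample will show the packer's stub imports rather than the payload's, which is exactly the situation the dynamic flag is meant to surface: treat "only LoadLibrary/GetProcAddress" as a reason to unpack and look again, not as a clean result.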

zqyves
April 26th, 2009, 05:43
Have a look at the following website:

https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot

Specifically section 10 of the Windows Operating System Slides. It contains a list of Windows API calls used by Malware.