1. Win32 API Overview
- Definition: The Win32 API (Application Programming Interface) provides functions for modern Windows versions, implemented in system DLLs (Dynamic Link Libraries).
- Kernel32.dll: Handles memory management, I/O operations, and interrupts.
- User32.dll: Manages Windows user interface functions.
- Gdi32.dll: Provides graphical functions for Windows.
- API Types:
  - ANSI: Post-fixed with A (e.g., MessageBoxA).
  - Unicode/Wide: Post-fixed with W (e.g., CreateProcessW).
- Case Sensitivity: APIs are case-sensitive. Reference MSDN for more details.
2. Example: MessageBox API
- Purpose: Displays a modal dialog box with a system icon, buttons, and a message. Returns an integer value based on which button the user pressed.
- Syntax: MessageBox(hWnd, lpText, lpCaption, uType)
- In Assembly: Parameters are pushed onto the stack in reverse order (last parameter first), then the function is called; with STDCALL the callee removes the arguments from the stack.
- Example Call:
    push 0                ; uType   = 0 (MB_OK)
    push offset Caption   ; lpCaption: dialog title
    push offset Title     ; lpText: message text (label named Title here)
    push 0                ; hWnd    = 0 (no owner window)
    call MessageBoxA      ; ANSI variant; return value comes back in EAX
3. Writing a "Hello, World!" Program in Assembly
- Tools: MASM32 SDK version 11.
- Installation: Download and unzip the MASM32 SDK, then follow its installation instructions.
- Program Skeleton (the INCLUDE/INCLUDELIB lines supply the MessageBoxA and ExitProcess prototypes and the MB_OK constant that invoke needs):
    .386
    .MODEL FLAT, STDCALL
    OPTION CASEMAP:NONE                    ; API names are case-sensitive (section 1)
    INCLUDE \masm32\include\windows.inc    ; constants such as MB_OK
    INCLUDE \masm32\include\kernel32.inc   ; ExitProcess prototype
    INCLUDE \masm32\include\user32.inc     ; MessageBoxA prototype
    INCLUDELIB \masm32\lib\kernel32.lib
    INCLUDELIB \masm32\lib\user32.lib
    .STACK 4096
    .DATA
    MsgBoxCaption DB 'Hello, World!',0     ; dialog title
    MsgBoxText    DB 'Hello, World!',0     ; message body
    .CODE
    start:
        invoke MessageBoxA, 0, offset MsgBoxText, offset MsgBoxCaption, MB_OK
        invoke ExitProcess, 0              ; exit code 0
    END start
- Compile and Link:
  - Assemble (/c = assemble only, /coff = produce a COFF object, which the MASM32 linker expects):
    ml.exe /c /coff hello.asm
  - Link (/SUBSYSTEM:WINDOWS marks the program as a GUI application, so no console window is opened):
    link.exe /SUBSYSTEM:WINDOWS hello.obj
- Result: Produces a 3 KB executable that displays a message box.
4. Analyzing Malware Example
- Downloader Behavior:
  - Mutex Creation: Uses CreateMutexW to create a mutex named "svchost double up".
  - Payload Download: Uses InternetOpenA, InternetOpenUrlW, and InternetCloseHandle to download and save the payload.
  - File Saving: Saves the payload to the temp directory as svchost.exe using GetTempPathW and CreateFileW.
  - Registry Entry: Ensures automatic execution by creating an autostart registry entry with RegOpenKeyExW, RegSetValueExW, and RegCloseKey.
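The downloader behavior above, as an added example that is not part of the original notes: a Python script that parses a constructed API-call trace, strips the A/W suffixes from section 1 so either variant matches, and correlates the file dropped in the temp directory with the Run-key value that points at it. The trace line format and every handle, path and name in it are invented for this example, not the output of any real monitor.

```python
import re
# Constructed API-call trace (format: Name(args) -> result), mirroring the
# section 4 downloader; every handle, path and name here is made up.
SAMPLE_TRACE = r"""
CreateMutexW(0, 0, "svchost double up") -> 0x1a4
InternetOpenA("Mozilla/4.0", 1, 0, 0, 0) -> 0xcc0001
InternetOpenUrlW(0xcc0001, "http://payload.invalid/p.bin", 0, 0, 0, 0) -> 0xcc0002
GetTempPathW(260, 0x19f8c0) -> "C:\Users\u\AppData\Local\Temp\"
CreateFileW("C:\Users\u\AppData\Local\Temp\svchost.exe", 0x40000000, 0, 0, 2, 0x80, 0) -> 0x1b8
InternetCloseHandle(0xcc0002) -> 1
RegOpenKeyExW(0x80000001, "Software\Microsoft\Windows\CurrentVersion\Run", 0, 0x20006, 0x19f8b0) -> 0
RegSetValueExW(0x2c8, "svchost", 0, 1, "C:\Users\u\AppData\Local\Temp\svchost.exe", 88) -> 0
RegCloseKey(0x2c8) -> 0
"""

CALL_RE = re.compile(r'^(\w+)\((.*)\)\s*->\s*(.*)$')
STR_RE = re.compile(r'"([^"]*)"')  # quoted arguments, taken verbatim

def base_name(api):
    """Drop the ANSI/Unicode suffix (section 1). Heuristic: a trailing A or W after a lowercase letter."""
    if len(api) > 1 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api

def parse_trace(text):
    """Yield (base api name, [quoted args], result) for each well-formed line."""
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            yield base_name(m.group(1)), STR_RE.findall(m.group(2)), m.group(3).strip('"')

def find_downloader_pattern(text):
    """Correlate files created under %TEMP% with Run-key values that point at them."""
    temp_dir, run_key_open, mutexes, dropped, autorun = None, False, [], [], []
    for api, strs, result in parse_trace(text):
        if api == "CreateMutex" and strs:
            mutexes.append(strs[0])
        elif api == "GetTempPath":
            temp_dir = result.lower()                     # returned temp directory
        elif api == "CreateFile" and strs and temp_dir and strs[0].lower().startswith(temp_dir):
            dropped.append(strs[0])                       # file created inside %TEMP%
        elif api == "RegOpenKeyEx" and strs:
            run_key_open = strs[0].lower().endswith(r"currentversion\run")
        elif api == "RegSetValueEx" and run_key_open and len(strs) >= 2:
            autorun.append((strs[0], strs[1]))            # (value name, command line)
        elif api == "RegCloseKey":
            run_key_open = False
    # substring match so a quoted or argument-bearing command line still correlates
    persisted = [p for p in dropped if any(p.lower() in v.lower() for _, v in autorun)]
    return {"mutexes": mutexes, "dropped_in_temp": dropped,
            "autorun_values": autorun, "persisted_drops": persisted}
```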
5. Benefits of Learning Assembly
- Performance: Provides speed and memory optimizations.
- Debugging: Helps resolve bugs, defects, and coding errors.
- Reverse Engineering: Essential for understanding and analyzing software, including malware.