This is a collection of Frida Interceptor definitions for Windows APIs that are commonly abused by malware. It is a derivative of my larger Frida-based dynamic malware analysis project. All the definitions are written by me, and I will extend the list of APIs in my free time.
- LoadLibraryA
- LoadLibraryExA
- LoadLibraryW
- LoadLibraryExW
- GetProcAddress
- GetModuleHandle
- ShellExecute
- ShellExecuteEx
- WinExec
- VirtualAlloc
- VirtualAllocEx
- VirtualProtect
- VirtualProtectEx
- ReadProcessMemory
- WriteProcessMemoryA/W
- memcpy
- HeapAlloc
- CryptEncrypt
- CryptDecrypt
- CryptAcquireContext
- CryptGenKey
- CryptDeriveKey
- BCryptDecrypt
- InternetOpen
- InternetOpenUrl
- InternetConnect
- HttpOpenRequest
- InternetReadFile
- InternetWriteFile
- WSAStartup
- bind
- listen
- accept
- connect
- recv
- send
- OpenProcess
- CreateProcessAsUserA
- CreateProcessAsUserW
- CreateProcessA
- CreateProcessW
- EnumProcesses
- CreateProcessInternalA/W
- QueueUserAPC
- CreateRemoteThread
- CreateRemoteThreadEx
- OpenThread
- GetThreadContext
- SetThreadContext
- SuspendThread
- ResumeThread
- RegCreateKeyEx
- RegOpenKeyEx
- RegSetValueEx
- RegQueryValue
- RegDeleteKeyEx
- RegGetValue
- GetTempPath
- CopyFile
- CreateFileA/W
- WriteFile
- ReadFile
- OpenSCManager
- CreateService
- IsDebuggerPresent
- GetSystemInfo
- GetVersion
- GlobalMemoryStatusEx
- CreateToolhelp32Snapshot
- Process32First
- Process32Next
- Thread32First
- Thread32Next
- FindResource
- LoadResource
- LockResource
- GetAsyncKeyState --> keylogger
- SetWindowsHookEx --> keylogger
- GetForegroundWindow --> get running window name
- GetDC --> screenshot related
- BitBlt --> screenshot related
- NtAllocateVirtualMemory
- NtWriteVirtualMemory
- Nt/ZwUnmapViewOfSection
- NtResumeThread
- NtCreateThreadEx
- RtlCreateUserThread