Collection of common Windows behaviors and their corresponding implementation. The source code is written in C++ and has been tested with `cl` (Microsoft (R) C/C++ Optimizing Compiler Version 19.34.31935 for x86). The files have been compiled and tested under Windows 10 Pro Version 10.0.19044 Build 19044.
The vast majority of the behaviors here defined are based on the Malware Behavior Catalog (MBC)'s micro-behaviors.
Feel free to contribute to the WBC's corpus by opening PRs and/or issues.
- `/src` contains the tool that generates the catalog itself from the contents of this repository.
- `/utils` contains several utilities.
- `catalog.json` and `catalog.txt` contain the WBC in JSON and plain text format, respectively.
- `discarded.json` and `discarded.txt` contain the patterns discarded from the WBC in JSON and plain text format, respectively. This is just some additional info.
- Each `[OC000*]` folder contains the sources, exes, reports and graphviz files the catalog is generated from.
In order to understand what a micro-objective, micro-behavior, or method is, please refer to the MBC. The contents of this catalog use the following naming convention:
- OC####: Micro-Objective
- C####: Micro-Behavior
- C####.###: Method
  - X at the end: eXpanded by us (with respect to the MBC). These are behaviors we consider relevant but that are not included in the MBC as of this writing. We will eventually open a pull request against the MBC to include them, if the maintainers deem it appropriate.
- P####: Individual behavioral pattern
  - H at the end: Manually added pattern. These are behavioral patterns, one or more nodes long, that we manually added to a specific method. This occurs when a behavior is unequivocally identified by a pattern that does not arise from our behavioral pattern generation algorithm (from the Category Graphs).
Within each category (or micro-objective) you will find all the associated behaviors and their corresponding source code files, as well as the executables and the reports generated by CAPEv2. For each behavior, the source code file has (or at least tries to have) a self-explanatory name. Each category has the following structure:
- [ID] Micro-objective
  - [ID] Micro-behavior
    - [ID] Method
      - src: Folder containing the source code files.
      - exe: Folder containing the executable files.
      - reports: Folder containing the report files, as generated by CAPEv2 (JSON formatted).
      - gv: Folder containing the graphviz files, used to perform pattern matching and other analysis techniques.
    - [ID] Method
  - [ID] Micro-behavior
This repository contains a mix of original work by the WBC authors and code adapted or inspired by other sources. When using content from others, we make sure to credit the original creators.
Each behavior implementation is designed to be a straightforward, working example of that behavior. Keep it simple, clear, and focused!
Files have been compiled with `cl`, the same compiler Visual Studio uses, but from the command line: Use the Microsoft C++ toolset from the command line. You can find more information and instructions here: Walkthrough: Compiling a Native C++ Program on the Command Line.
The specific command used to compile each `.cpp` file is specified within the header of the file itself.
TBD
The typical workflow for adding new content to the Windows Behavior Catalog is as follows:
- Create the corresponding folder for the method.
- Place the (ideally working) C/C++ source code in `\src`.
- Compile the source code and place the resulting executable in the `\exe` folder.
- Submit the executable file to CAPEv2 for analysis. ATTENTION! We are using our modified version of capemon.
- Download the generated `report.json` file(s) and place them in the `\reports` folder.
- Transform the analysis (or analyses) into the corresponding transition matrices and callgraphs (using our tool, TBA). Place the resulting `.gv` files into their corresponding `\gv` folder.
  - In the `utils` folder there are some tools that help move the `.gv` and report files automatically.
- Update `winapi_categories_json` if needed.
- Update the catalog creation script if needed.
- Use the script to regenerate the `.json` and `.txt` catalogs (the WBC itself).
Razvan Raducu
Ricardo J. Rodríguez
Pedro Álvarez
The WBC comprises (information generated with `statistics.py`):
- Total Micro-objectives: 6
- Total Micro-behaviors: 30
- Total Methods: 87
- Total Patterns: 329
- Minimum Pattern Length: 1
- Maximum Pattern Length: 7
Information subject to change. Updated on 2024.17.12
```
$ tree -L 5 -P "*.exe"
.
├── [OC0001] Filesystem
│   ├── [C0015] Alter Filename Extension
│   │   ├── [C0015.001X] PathRenameExtension
│   │   │   ├── exe
│   │   │   │   └── PathRenameExtension.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0015.002X] PathCombine
│   │   │   ├── exe
│   │   │   │   └── PathCombine.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0015.003X] PathCchCombine
│   │   │   ├── exe
│   │   │   │   └── PathCchCombine.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0015.004X] PathCchCombineEx
│   │   │   ├── exe
│   │   │   │   └── PathCchCombineEx.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0015.005X] PathAllocCombine
│   │   │   ├── exe
│   │   │   │   └── PathAllocCombine.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0015.006X] PathAddExtension
│   │   │   ├── exe
│   │   │   │   └── PathAddExtension.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0015.007X] PathCchRenameExtension
│   │       ├── exe
│   │       │   └── PathCchRenameExtension.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0016X] Create or Open file
│   │   ├── [C0016X.001X] CreateFile
│   │   │   ├── exe
│   │   │   │   └── CreateFile.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0016X.002X] CreateFile2
│   │   │   ├── exe
│   │   │   │   └── CreateFile2.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0016X.003X] OpenFile
│   │       ├── exe
│   │       │   └── OpenFile.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0045] Copy File
│   │   ├── [C0045.001X] CopyFile
│   │   │   ├── exe
│   │   │   │   └── CopyFile.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0045.002X] CopyFileEx
│   │   │   ├── exe
│   │   │   │   └── CopyFileEx.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0045.003X] CopyFile2
│   │       ├── exe
│   │       │   └── CopyFile2.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0046] Create Directory
│   │   ├── [C0046.001X] CreateDirectory
│   │   │   ├── exe
│   │   │   │   └── CreateDirectory.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0046.002X] CreateDirectoryEx
│   │   │   ├── exe
│   │   │   │   └── CreateDirectoryEx.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0046.003X] SHCreateDirectory
│   │   │   ├── exe
│   │   │   │   └── SHCreateDirectory.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0046.004X] SHCreateDirectoryEx
│   │   │   ├── exe
│   │   │   │   └── SHCreateDirectoryEx.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0046.005X] CreateFileTransacted
│   │       ├── exe
│   │       │   └── CreateFileTransacted.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0047] Delete File
│   │   ├── [C0047.001X] DeleteFile
│   │   │   ├── exe
│   │   │   │   └── DeleteFile.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0047.002X] DeleteFileTransacted
│   │       ├── exe
│   │       │   └── DeleteFileTransacted.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0049] Get File Attributes
│   │   ├── [C0049.001X] GetFileAttributes
│   │   │   ├── exe
│   │   │   │   └── GetFileAttributes.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0049.002X] GetFileAttributesEx
│   │   │   ├── exe
│   │   │   │   └── GetFileAttributesEx.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0049.003X] GetFileAttributesTransacted
│   │   │   ├── exe
│   │   │   │   └── GetFileAttributesTransacted.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0049.004X] GetFileInformationByHandle
│   │   │   ├── exe
│   │   │   │   └── GetFileInformationByHandle.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0049.005X] FindFirstFile
│   │   │   ├── exe
│   │   │   │   └── FindFirstFile.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0049.006X] FindFirstFileEx
│   │   │   ├── exe
│   │   │   │   └── FindFirstFileEx.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0049.007X] FindFirstFileTransacted
│   │   │   ├── exe
│   │   │   │   └── FindFirstFileTransacted.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0049.008X] FindNextFile
│   │       ├── exe
│   │       │   └── FindNextFile.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0051] Read File
│   │   └── [C0051.001X] ReadFile
│   │       ├── exe
│   │       │   ├── ReadFile_1.exe
│   │       │   └── ReadFile_2.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0052] Write File
│   │   ├── [C0052.001X] WriteFile
│   │   │   ├── exe
│   │   │   │   └── WriteFile.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0052.002X] WriteFileEx
│   │       ├── exe
│   │       │   └── WriteFileEx.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0063] Move File
│   │   ├── [C0063.001X] MoveFile
│   │   │   ├── exe
│   │   │   │   └── MoveFile.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0063.002X] MoveFileEx
│   │       ├── exe
│   │       │   └── MoveFileEx.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   └── TODO
│       └── src
├── [OC0002] Memory
│   ├── [C0007] Allocate Memory
│   │   ├── [C0007.001X] VirtualAlloc
│   │   │   ├── exe
│   │   │   │   └── VirtualAlloc.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0007.003X] GlobalAlloc
│   │   │   ├── exe
│   │   │   │   └── GlobalAlloc.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0007.004X] LocalAlloc
│   │   │   ├── exe
│   │   │   │   └── LocalAlloc.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0007.005X] malloc
│   │   │   ├── exe
│   │   │   │   └── malloc.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── TODO
│   │       └── [C0007.002X] HeapAlloc
│   │           ├── exe
│   │           └── src
│   └── [C0008] Change Memory Protection
│       ├── [C0008.001X] VirtualProtect
│       │   ├── exe
│       │   │   └── VirtualProtect.exe
│       │   ├── gv
│       │   ├── reports
│       │   └── src
│       └── [C0008.002X] VirtualProtectEx
│           ├── exe
│           │   └── VirtualProtectEx.exe
│           ├── gv
│           ├── reports
│           └── src
├── [OC0003] Process
│   ├── [C0017] Create Process
│   │   ├── [C0017.001X] ShellExecute
│   │   │   ├── exe
│   │   │   │   └── ShellExecute.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0017.002X] ShellExecuteEx
│   │   │   ├── exe
│   │   │   │   └── ShellExecuteEx.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0017.003X] CreateProcess
│   │   │   ├── exe
│   │   │   │   └── CreateProcess.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0017.004X] WinExec
│   │       ├── exe
│   │       │   └── WinExec.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0038] Create Thread
│   │   ├── [C0038.001X] CreateThread
│   │   │   ├── exe
│   │   │   │   └── CreateThread.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0038.002X] CreateRemoteThread
│   │       ├── exe
│   │       │   └── CreateRemoteThread.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0042] Create Mutex
│   │   ├── [C0042.001X] CreateMutex
│   │   │   ├── exe
│   │   │   │   └── CreateMutex.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0042.002X] CreateMutexEx
│   │       ├── exe
│   │       │   └── CreateMutexEx.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0043] Check Mutex
│   │   └── [C0043.001X] OpenMutex
│   │       ├── exe
│   │       │   └── OpenMutex.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0054] Resume Thread
│   │   └── [C0054.001X] ResumeThread
│   │       ├── exe
│   │       │   └── ResumeThread.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0055] Suspend Thread
│   │   └── [C0055.001X] SuspendThread
│   │       ├── exe
│   │       │   └── SuspendThread.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0064] Enumerate Threads
│   │   └── [C0064.001X] Thread32First_Thread32Next
│   │       ├── exe
│   │       │   └── enumerate_threads.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0065] Open Process
│   │   └── [C0065.001X] OpenProcess
│   │       ├── exe
│   │       │   └── OpenProcess.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0066] Open Thread
│   │   └── [C0066.001X] OpenThread
│   │       ├── exe
│   │       │   └── OpenThread.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0070X] Process Enumeration
│   │   ├── [C0070X.001X] CreateSnapshot_Process32Next
│   │   │   ├── exe
│   │   │   │   └── CreateSnapshot_Iterate.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0070X.002X] EnumProcesses
│   │       ├── exe
│   │       │   └── EnumProcesses.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   └── TODO
│       └── src
├── [OC0005] Cryptography
│   ├── [C0027] Encrypt Data
│   │   ├── [C0027.001X] CryptEncrypt
│   │   │   ├── exe
│   │   │   │   └── CryptEncrypt.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0027.002X] BCryptEncrypt
│   │       ├── exe
│   │       │   └── BCryptEncrypt.exe
│   │       └── src
│   ├── [C0028] Encryption Key
│   │   ├── [C0028.001X] CryptGenKey
│   │   │   ├── exe
│   │   │   │   └── CryptGenKey.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   ├── [C0028.002X] CryptImportKey
│   │   │   ├── exe
│   │   │   │   └── CryptImportKey.exe
│   │   │   └── src
│   │   ├── [C0028.003X] CryptImportPublicKeyInfo
│   │   │   ├── exe
│   │   │   │   └── CryptImportPublicKeyInfo.exe
│   │   │   └── src
│   │   ├── [C0028.004X] CryptImportPublicKeyInfoEx
│   │   │   ├── exe
│   │   │   │   └── CryptImportPublicKeyInfoEx.exe
│   │   │   └── src
│   │   ├── [C0028.005X] BCryptImportKeyPair
│   │   │   ├── exe
│   │   │   │   └── BCryptImportKeyPair.exe
│   │   │   └── src
│   │   ├── [C0028.006X] BCryptImportKey
│   │   │   ├── exe
│   │   │   │   └── BCryptImportKey.exe
│   │   │   └── src
│   │   ├── [C0028.008X] CryptExportKey
│   │   │   ├── exe
│   │   │   │   └── CryptExportKey.exe
│   │   │   └── src
│   │   ├── [C0028.009X] BCryptExportKey
│   │   │   ├── exe
│   │   │   │   └── BCryptExportKey.exe
│   │   │   └── src
│   │   ├── [C0028.010X] CryptExportPublicKeyInfo
│   │   │   ├── exe
│   │   │   │   └── CryptExportPublicKeyInfo.exe
│   │   │   └── src
│   │   ├── [C0028.011X] CryptExportPublicKeyInfoEx
│   │   │   ├── exe
│   │   │   │   └── CryptExportPublicKeyInfoEx.exe
│   │   │   └── src
│   │   └── [C0028.012X] BCryptGenerateKeyPair
│   │       ├── exe
│   │       │   └── BCryptGenerateKeyPair.exe
│   │       └── src
│   ├── [C0029] Cryptographic Hash
│   │   ├── [C0029.001X] CryptCreateHash
│   │   │   ├── exe
│   │   │   │   └── CryptCreateHash.exe
│   │   │   └── src
│   │   ├── [C0029.002X] CryptHashData
│   │   │   ├── exe
│   │   │   │   └── CryptHashData.exe
│   │   │   └── src
│   │   └── [C0029.003X] CryptDestroyHash
│   │       ├── exe
│   │       │   └── CryptDestroyHash.exe
│   │       └── src
│   ├── [C0031] Decrypt Data
│   │   ├── [C0031.001X] CryptDecrypt
│   │   │   ├── exe
│   │   │   │   └── CryptDecrypt.exe
│   │   │   └── src
│   │   └── [C0031.002X] BCryptDecrypt
│   │       ├── exe
│   │       │   └── BCryptDecrypt.exe
│   │       └── src
│   └── TODO
│       ├── [C0028.007X] CryptDecodeObjectEx
│       └── CryptDecodeObject
├── [OC0006] Communication
│   ├── [C0001] Socket Communication
│   │   ├── [C0001.006] Receive Data
│   │   │   ├── exe
│   │   │   │   └── socket_recv.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0001.007] Send Data
│   │       ├── exe
│   │       │   └── socket_send.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0002] HTTP Communication
│   │   └── [C0002.008] WinHTTP
│   │       ├── exe
│   │       │   └── winhttp_send_recv.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   ├── [C0005] WinINet Communication
│   │   ├── [C0005.001] InternetConnect
│   │   │   ├── exe
│   │   │   │   └── InternetConnect.exe
│   │   │   ├── gv
│   │   │   ├── reports
│   │   │   └── src
│   │   └── [C0005.003] InternetOpenURL
│   │       ├── exe
│   │       │   └── InternetOpenUrl.exe
│   │       ├── gv
│   │       ├── reports
│   │       └── src
│   └── TODO
└── [OC0008] Operating System
    ├── [C0034] Environment Variable
    │   ├── [C0034.001] Set Environment Variable
    │   │   ├── exe
    │   │   │   └── SetEnvironmentVariable.exe
    │   │   ├── gv
    │   │   ├── reports
    │   │   └── src
    │   └── [C0034.002] Check Environment Variable
    │       ├── exe
    │       │   ├── ExpandEnvironmentStrings.exe
    │       │   ├── GetEnvironmentStrings.exe
    │       │   └── GetEnvironmentVariable.exe
    │       ├── gv
    │       ├── reports
    │       └── src
    └── [C0036] Registry
        ├── [C0036.001] Create or Set Registry Value
        │   ├── exe
        │   │   ├── RegSetKeyValue.exe
        │   │   ├── RegSetValue.exe
        │   │   └── RegSetValueEx.exe
        │   ├── gv
        │   ├── reports
        │   └── src
        ├── [C0036.002] Delete Registry Key
        │   ├── exe
        │   │   ├── RegDeleteKey.exe
        │   │   └── RegDeleteKeyEx.exe
        │   ├── gv
        │   ├── reports
        │   └── src
        ├── [C0036.003] Open Registry Key
        │   ├── exe
        │   │   ├── RegOpenCurrentUser.exe
        │   │   ├── RegOpenKey.exe
        │   │   └── RegOpenKeyEx.exe
        │   ├── gv
        │   ├── reports
        │   └── src
        ├── [C0036.004] Create Registry Key
        │   ├── exe
        │   │   ├── RegCreateKey.exe
        │   │   └── RegCreateKeyEx.exe
        │   ├── gv
        │   ├── reports
        │   └── src
        ├── [C0036.005] Query Registry Key
        │   ├── exe
        │   │   └── RegQueryInfoKey.exe
        │   ├── gv
        │   ├── reports
        │   └── src
        ├── [C0036.006] Query Registry Value
        │   ├── exe
        │   │   ├── RegEnumValue.exe
        │   │   ├── RegGetValue.exe
        │   │   └── RegQueryValueEx.exe
        │   ├── gv
        │   ├── reports
        │   └── src
        ├── [C0036.007] Delete Registry Value
        │   ├── exe
        │   │   ├── RegDeleteKeyValue.exe
        │   │   └── RegDeleteValue.exe
        │   ├── gv
        │   ├── reports
        │   └── src
        └── TODO
            ├── exe
            │   └── RegQueryValue.exe
            ├── gv
            ├── reports
            └── src
```
- Code for:
  - NtDeleteFile
  - NtOpenFile
  - getaddrinfo
- More code with HttpOpenRequest and HttpSendRequest (maybe consider them single-node patterns)