While researching for my book ("Malware: Writing Malicious Code"), I came across this:

Quote:
Some malware goes so far as to avoid importing any functions from available DLLs. Instead, it emulates all of the APIs it needs. This means that you cannot list the functions, so you cannot easily set breakpoints on them, as all API calls will just be a part of the malware code. In some cases, malware authors even use this to trap reverse engineers: they may import functions that are never used (having used the emulated ones instead).

Now my question is: how can I emulate an API? For example, how can I write code that will manipulate the Windows registry without using the Win32 API? In other words, how can I write the Win32 API without using the Win32 API?
While researching on the web for this idea, all I found was either emulation of the Win32 API on Linux boxes (Wine etc.) or the "new" technology AVs that emulate the Win32 API to fool viruses.
Please share any ideas you may have on the problem.
Maybe these viruses use native API(s) to emulate the Win32 API, but I don't think so (for obvious reasons).
Or, if you've heard of any virus that emulates an API, give me its name. The rest (like retrieving the API-emulating code from the virus) I'll manage.