Chapter 1:
// date = 2020.12.14
//surmise, Ordinal
- Static analysis, dynamic analysis, advanced analysis.
- GetLayout and SetLayout are ordinary Windows API functions.
- DLL files contain executable code that the Windows system shares among multiple applications.
- Malware often uses legitimate libraries and DLLs to advance its goals.
- Packed and obfuscated code will often import at least LoadLibrary and GetProcAddress, which are used to load and gain access to additional functions at runtime.
- Detect packers with PEiD.
- Runtime linking: a library is loaded only when the program needs it.
- Runtime-linking functions: LoadLibrary, GetProcAddress, LdrLoadDll, LdrGetProcedureAddress.
- [x] Exported functions (what does an export table look like?)
Host-based signatures: indicators that identify files created or modified by the malware, or specific changes it makes to the registry.
Network signatures: detect malicious code by monitoring network traffic.
Analysis: a sample that imports GDI32.dll and User32.dll most likely has a GUI; it is also able to manipulate processes and files. Importing Advapi32.dll indicates it does something with the registry, for example the key \Software\Microsoft\Windows\CurrentVersion\Run, which controls which programs are automatically run when the system boots.
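Import-table triage in the spirit of the notes above, as an added example (my own code, not from the book or these notes): it takes the DLLs and functions a PE viewer lists plus the file's printable strings, applies the DLL hints, the Run-key host-based indicator and the LoadLibrary/GetProcAddress packing heuristic. The DLL-to-capability table, the 10-import cut-off and the sample import lists are my own assumptions and constructed data.

```python
import re

# DLL -> capability hint, as the notes above read them (assumed mapping).
DLL_HINTS = {
    "gdi32.dll": "graphics/GUI drawing",
    "user32.dll": "windowing and user-interface code",
    "advapi32.dll": "registry and/or service access",
}
# Runtime-linking imports the notes associate with packed/obfuscated code.
LOADER_IMPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                  "GetProcAddress", "LdrLoadDll", "LdrGetProcedureAddress"}
REG_WRITE_IMPORTS = {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"}
# Autorun key from the notes; matched case-insensitively against the string table.
RUN_KEY = re.compile(r"software\\microsoft\\windows\\currentversion\\run(once)?\b", re.I)


def triage(imports, strings, packed_threshold=10):
    """imports: {dll: [function, ...]}; strings: printable strings from the file.
    Returns (indicators, likely_packed); packed_threshold is an assumed cut-off."""
    funcs = {f for fs in imports.values() for f in fs}
    indicators = []
    for dll in imports:
        hint = DLL_HINTS.get(dll.lower())
        if hint:
            indicators.append(f"{dll}: {hint}")
    reg_writes = funcs & REG_WRITE_IMPORTS
    if reg_writes:
        indicators.append("registry writes: " + ", ".join(sorted(reg_writes)))
    # Host-based signature candidate: a registry-writing sample that embeds the Run key.
    run_keys = [s for s in strings if RUN_KEY.search(s)]
    if reg_writes and run_keys:
        indicators.append("persistence via autorun key: " + run_keys[0])
    # Packing heuristic: a tiny import table that still carries the runtime-linking
    # pair means the real imports are only resolved after the code unpacks itself.
    loaders = funcs & LOADER_IMPORTS
    likely_packed = bool(loaders) and len(funcs) <= packed_threshold
    if likely_packed:
        indicators.append(f"{len(funcs)} imports incl. {', '.join(sorted(loaders))}: "
                          "likely packed, confirm with PEiD")
    return indicators, likely_packed


# Constructed samples, not real malware import tables.
UNPACKED = {"KERNEL32.dll": ["CreateFileA", "WriteFile", "CloseHandle", "CreateProcessA"],
            "ADVAPI32.dll": ["RegOpenKeyExA", "RegSetValueExA", "RegCloseKey"],
            "USER32.dll": ["MessageBoxA"], "GDI32.dll": ["SetLayout"]}
UNPACKED_STRINGS = ["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "kernel32.dll"]
PACKED = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                           "VirtualProtect", "ExitProcess"]}
```

Call `triage(UNPACKED, UNPACKED_STRINGS)` and `triage(PACKED, [])` to see the two verdicts side by side.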