<h1>Random Stats from 24k drivers – APIs</h1>
<p>hexacorn.com blog, 2012-11-12 – <a href="https://www.hexacorn.com/blog/2012/11/12/random-stats-from-24k-drivers-apis/">https://www.hexacorn.com/blog/2012/11/12/random-stats-from-24k-drivers-apis/</a></p>
<p>Over the last few months I have been publishing various <a title="Batch Analysis" href="https://www.hexacorn.com/blog/category/batch-analysis/">stats</a> pulled out of the malware collection that I am batch analyzing. The purpose of the analysis is not just getting interesting numbers and using them as a nice filler for the blog 🙂 – all of this data is retrieved in order to enhance <a href="https://www.hexacorn.com/blog/category/software-releases/hexdive/">HexDive</a> and for my other projects. Until now, I have been presenting data from the superset of all malicious PE files in the collection. It crossed my mind recently that it would be interesting to focus on subsets of PE files as well, and for starters I picked kernel drivers.</p>
<p>Extracting all strings and then cherry-picking the system function names out of the samples is relatively quick, as there are not that many of them. The top 100 most popular APIs, sorted by number of occurrences, are presented below:</p>
<pre>18431    RtlInitUnicodeString
16625    IofCompleteRequest
16214    ExAllocatePoolWithTag
14783    ZwClose
12899    MmGetSystemRoutineAddress
12002    ZwOpenKey
11911    ObfDereferenceObject
11719    IoCreateDevice
11430    IoGetCurrentProcess
11411    ExFreePool
11395    IoDeleteDevice
11198    RtlAnsiStringToUnicodeString
10969    ZwCreateFile
10895    wcslen
10848    strncmp
10672    strncpy
10585    wcscpy
10195    IoCreateSymbolicLink
10141    swprintf
9957     wcscat
9899     PsCreateSystemThread
9495     MmIsAddressValid
9466     ZwSetValueKey
9112     PsLookupProcessByProcessId
9106     ObReferenceObjectByHandle
8971     PsGetVersion
8630     ZwCreateKey
8600     RtlCopyUnicodeString
8334     KeDelayExecutionThread
7925     RtlCompareUnicodeString
7886     wcsncpy
7861     ZwQueryValueKey
7525     KeTickCount
7135     KeQuerySystemTime
7052     IoRegisterDriverReinitialization
6674     PsSetCreateProcessNotifyRoutine
5968     ExFreePoolWithTag
5671     ZwEnumerateKey
5427     ZwQuerySystemInformation
5414     ZwSetInformationFile
5249     ZwDeleteKey
5072     wcsstr
5017     KeWaitForSingleObject
4922     ZwCreateSection
4855     ZwMapViewOfSection
4757     IoDeleteSymbolicLink
4747     PsTerminateSystemThread
4708     wcschr
4605     wcsrchr
4540     KeServiceDescriptorTable
4226     KeQueryTimeIncrement
4218     ZwUnmapViewOfSection
4070     IoDeviceObjectType
3941     ZwReadFile
3740     KeInitializeEvent
3706     KeInitializeTimer
3562     ObQueryNameString
3538     ZwWriteFile
3522     KeSetEvent
3495     DbgPrint
3470     KeGetCurrentIrql
3381     KeBugCheckEx
3313     ZwQueryInformationFile
3286     ZwOpenFile
3232     IoFreeMdl
3171     RtlInitAnsiString
3043     memcpy
3037     IofCallDriver
2897     memset
2892     RtlFreeUnicodeString
2870     IoAllocateMdl
2629     MmProbeAndLockPages
2461     MmUnlockPages
2349     RtlUnicodeStringToAnsiString
2340     ZwAllocateVirtualMemory
2291     IoFreeIrp
2265     MmMapLockedPagesSpecifyCache
2144     KeGetCurrentThread
2134     KfReleaseSpinLock
2090     RtlFreeAnsiString
2031     KeStackAttachProcess
2025     KfRaiseIrql
2022     KfLowerIrql
1997     IoAllocateIrp
1997     ExAllocatePool
1994     RtlCompareMemory
1967     ExGetPreviousMode
1930     RtlTimeToTimeFields
1918     sprintf
1896     KeUnstackDetachProcess
1884     KfAcquireSpinLock
1870     ZwOpenProcess
1808     PsGetCurrentProcessId
1795     KeReleaseMutex
1747     RtlAppendUnicodeToString
1746     KeInitializeSpinLock
1740     IoCreateFile
1729     ProbeForRead
1727     KeClearEvent
1713     RtlUnwind</pre>