API Call Tracing

API call tracing is a powerful technique. It can provide a high-level functional overview of an executable file. In some cases we only need the API call log to understand the application's behaviour. I often use it to automate my malware analysis tasks.

In this article I will discuss some of my techniques.

Some of the tasks that we can accelerate using this technique are:
- Unpacking of a packed binary file
- Binary behaviour profiling
- Finding the interesting functions in the binary

Here, I will use a PyDbg script to log the API calls and finally an IDAPython script to automate some of the manual analysis.

API Call Logging with PEfile and PyDbg

Based on the above tasks we need the following information from our script:
- Return address: from where is the API called?
- API name: which API is called?

This means we have to set a breakpoint on every API call, and for that we need the API name or the API address. If we have the API name then we can resolve its address and set a breakpoint on it; in the case of an address we can set the breakpoint directly. But the question is: how do we get the API names?

This can be solved by using PEfile. So we will first enumerate the executable's import table, then resolve the addresses and set breakpoints using PyDbg.

But this approach has the following limitations:
- It will fail in the case of a DLL that is loaded by the binary at run time using LoadLibrary().
- If the binary is packed, the unpacking stub will create the import table at run time, which we cannot control.

Before solving this problem, let's talk about the ways unpacker stubs or custom loaders build an import table at run time.

Generally they use the LoadLibrary API to load the DLL and GetProcAddress to get the address of the API. LoadLibrary and GetProcAddress are exported by kernel32.dll, which is loaded into every Windows process by default.

So if we set a breakpoint on GetProcAddress, we can get the API name from the stack. Then we can set a breakpoint on the address
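As an added example (not the article's own script), the handler logic behind the GetProcAddress breakpoint described above: it reads the return address and the lpProcName argument from the x86 stack frame, handles the case where lpProcName is an ordinal rather than a string pointer, and records the call so the resolved API can be hooked next. The memory image, addresses and API name are constructed; in PyDbg the `read` callback would be `dbg.read_process_memory` and `esp` would be `dbg.context.Esp`.

```python
import struct

# Constructed 32-bit memory image standing in for the debuggee at the moment
# the GetProcAddress breakpoint fires (added example, not the article's code).
# Stack layout on entry, x86 stdcall: [ESP]=return address, [ESP+4]=hModule,
# [ESP+8]=lpProcName (pointer to an ANSI string, or an ordinal if high word is 0).
STACK_BASE = 0x0012FF00
STRING_ADDR = 0x00403000
MEMORY = {
    STRING_ADDR: b"VirtualProtect\x00",
    STACK_BASE: struct.pack("<III", 0x00401234, 0x7C800000, STRING_ADDR),
    STACK_BASE + 0x20: struct.pack("<III", 0x00401250, 0x7C800000, 0x00000011),
}

def read_memory(address, length):
    """Stand-in for PyDbg's dbg.read_process_memory(address, length)."""
    for base, data in MEMORY.items():
        if base <= address < base + len(data):
            off = address - base
            return data[off:off + length]
    raise ValueError("unmapped address 0x%08x" % address)

def read_cstring(read, address, max_len=256):
    """Read a NUL-terminated ANSI string one byte at a time (bounded)."""
    out = bytearray()
    while len(out) < max_len:
        ch = read(address + len(out), 1)
        if not ch or ch == b"\x00":
            break
        out += ch
    return out.decode("latin-1")

def parse_getprocaddress_frame(read, esp):
    """Recover (return address, hModule, API name) from the stack at ESP."""
    ret_addr, hmodule, lpname = struct.unpack("<III", read(esp, 12))
    if (lpname >> 16) == 0:        # HIWORD == 0: imported by ordinal, not name
        name = "#%d" % lpname
    else:
        name = read_cstring(read, lpname)
    return ret_addr, hmodule, name

API_LOG = []

def on_getprocaddress(read, esp):
    """Breakpoint handler body. In PyDbg this would be the handler passed to
    dbg.bp_set(dbg.func_resolve("kernel32.dll", "GetProcAddress"), handler=...)."""
    entry = parse_getprocaddress_frame(read, esp)
    API_LOG.append(entry)          # (return address, hModule, API name)
    return entry
```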