API Call Tracing ------ Foreign Literature Translation.doc

API Call Tracing

API call tracing is a powerful technique. It can provide a high-level functional overview of an executable file, and in some cases API call logs alone are enough to understand an application's behaviour. I often use it to automate my malware analysis tasks, and in this article I will discuss some of my techniques. Some of the tasks that this technique can accelerate are:

- unpacking a packed binary file
- profiling a binary's behaviour
- finding the interesting functions in the binary

Here I will use a PyDbg script to log the API calls and finally an IDAPython script to automate some of the manual analysis.

API Call Logging with pefile and PyDbg

Based on the tasks above, we need the following information from our script:

- Return address: from where is the API called?
- API name: which API is called?

This means we have to set a breakpoint on every API call, and for that we need either the API name or the API address. If we have the API name we can resolve its address and set a breakpoint on it; if we have the address we can set the breakpoint on it directly. But how do we get the API names? This can be solved with pefile: we first enumerate the executable's import table, then resolve the addresses and set breakpoints using PyDbg. This approach has the following limitations, however:

- It fails for a DLL that the binary loads at run time using LoadLibrary().
- If the binary is packed, the unpacking stub builds the import table at run time, which we cannot control.

Before solving this problem, let's look at how an unpacker stub or custom loader builds an import table at run time. Generally it uses the LoadLibrary API to load the DLL and GetProcAddress to get the address of the API. LoadLibrary and GetProcAddress are exported by kernel32.dll, which is loaded into every Windows process by default. So if we set a breakpoint on GetProcAddress, we can read the API name from the stack. Then we can set a breakpoint on the address
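The import-table step above is the part of the approach that can be shown without a Windows debugger. The following is an added example, not code from the article: instead of calling pefile it walks the PE32 import directory by hand, so that it is visible exactly what the PyDbg script gets from the static import table, namely the DLL name, the API name (or ordinal) and the IAT slot that the loader fills with the resolved address, which is the address the debugger then breakpoints. The PE image it parses is constructed inline for the example (one ".idata" section with a few made-up entries, including an ordinal import); it is not a real binary and is not meant to be loaded by Windows. The `IMAGE_ORDINAL_FLAG32` constant matches the real PE format; `build_sample_pe`, `enumerate_imports` and `iat_breakpoint_plan` are names chosen here. Because this reads only the static table, it inherits the limitation the text describes: anything resolved later through LoadLibrary/GetProcAddress never appears in it.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # high bit set in a thunk => import by ordinal


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal PE32 file image whose only section is an
    import table. It exists so the parser below has something to walk; it is
    not a real program and is not meant to be executed by Windows."""
    SEC_RVA = 0x1000   # section RVA; also used as its file offset (1:1 mapping)
    imports = [("kernel32.dll", ["LoadLibraryA", "GetProcAddress"]),
               ("user32.dll", ["MessageBoxA", 1])]   # 1 = constructed ordinal import
    blob = bytearray(20 * (len(imports) + 1))        # descriptor table + null terminator
    descs = []
    for dll, names in imports:
        thunks = []
        for n in names:
            if isinstance(n, int):
                thunks.append(IMAGE_ORDINAL_FLAG32 | n)
                continue
            thunks.append(SEC_RVA + len(blob))                   # RVA of IMAGE_IMPORT_BY_NAME
            blob += struct.pack("<H", 0) + n.encode() + b"\0"     # hint + name
            if len(blob) % 2:
                blob += b"\0"
        name_rva = SEC_RVA + len(blob)
        blob += dll.encode() + b"\0"
        while len(blob) % 4:
            blob += b"\0"
        ilt_rva = SEC_RVA + len(blob)     # OriginalFirstThunk (import lookup table)
        blob += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        iat_rva = SEC_RVA + len(blob)     # FirstThunk (IAT, overwritten by the loader)
        blob += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva))
    blob[:20 * len(descs)] = b"".join(descs)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * 1, SEC_RVA, 20 * (len(imports) + 1))  # import dir
    sec = b".idata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(blob), SEC_RVA, len(blob), SEC_RVA, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return bytes(headers.ljust(SEC_RVA, b"\0") + blob)


def enumerate_imports(pe: bytes):
    """Walk the import directory of a PE32 image and return
    [(dll, api, iat_slot_rva), ...]. The IAT slot is where the loader stores
    the resolved address that a debugger would then put a breakpoint on."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ puts the data directories at +112)")
    imp_rva = struct.unpack_from("<I", pe, opt + 96 + 8)[0]   # data directory entry 1
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]                          # (VirtualSize, VA, RawSize, RawPtr)

    def rva_to_off(rva):
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} maps to no section (corrupt or packed image)")

    def cstring(rva):
        off = rva_to_off(rva)
        return pe[off:pe.index(b"\0", off)].decode("ascii")

    found = []
    if imp_rva == 0:
        return found                                           # no import table at all
    d = rva_to_off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", pe, d)
        if name_rva == 0 and iat == 0:
            break                                              # null descriptor ends the table
        dll = cstring(name_rva)
        thunk = rva_to_off(ilt or iat)                         # some packers zero the ILT
        i = 0
        while True:
            entry = struct.unpack_from("<I", pe, thunk + 4 * i)[0]
            if entry == 0:
                break
            api = f"#{entry & 0xFFFF}" if entry & IMAGE_ORDINAL_FLAG32 else cstring(entry + 2)
            found.append((dll, api, iat + 4 * i))
            i += 1
        d += 20
    return found


def iat_breakpoint_plan(pe: bytes, image_base: int = 0x400000):
    """Map each IAT slot's virtual address to 'dll!api'. Once the loader has
    filled the IAT, a debugger reads the pointer stored at each VA and sets
    its breakpoint on that resolved API address."""
    return {image_base + slot: f"{dll}!{api}" for dll, api, slot in enumerate_imports(pe)}


if __name__ == "__main__":
    for va, api in sorted(iat_breakpoint_plan(build_sample_pe()).items()):
        print(f"IAT slot {va:#010x} -> {api}")
```

`iat_breakpoint_plan` is the hand-off point to the debugger: for each IAT slot the PyDbg script would read the 4-byte pointer at that address after the loader has run and set its breakpoint there, with the breakpoint handler recording the return address from the top of the stack. The parser deliberately rejects PE32+ rather than guessing, since the data directory offset differs there, and it falls back to the IAT when the import lookup table is zeroed, which is common in rebuilt or packed images.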
