API Call Tracing (foreign-language translation)

API Call Tracing

API call tracing is a powerful technique. It can provide a high-level functional overview of an executable file, and in some cases the API call log alone is enough to understand an application's behaviour. I often use it to automate my malware analysis tasks. In this article I will discuss some of my techniques.

Some of the tasks that this technique can accelerate are:

- unpacking a packed binary file
- profiling the behaviour of a binary
- finding the interesting functions in the binary

Here I will use a PyDbg script to log the API calls, and finally an IDAPython script to automate some of the manual analysis.

API Call Logging with PEfile and PyDbg

Based on the tasks above, we need the following information from our script:

- Return address: from where is the API called?
- API name: which API is called?

This means we have to set a breakpoint on every API call, and for that we need either the API name or the API address. If we have the name we can resolve its address and set a breakpoint there; if we have the address we can set the breakpoint directly. But how do we get the API names? This can be solved with PEfile: we first enumerate the executable's import table, then resolve the addresses and set the breakpoints with PyDbg. This approach has the following limitations:

- It fails for any DLL that the binary loads at run time with LoadLibrary(), since those imports are not in the import table.
- If the binary is packed, the unpacking stub builds the import table at run time, which we cannot see from the file on disk.

Before solving this problem, let's look at how an unpacker stub or a custom loader builds an import table at run time. Generally it uses the LoadLibrary API to load the DLL and GetProcAddress to get the address of each API. LoadLibrary and GetProcAddress are exported by kernel32.dll, which is loaded into every Windows process by default. So if we set a breakpoint on GetProcAddress, we can read the API name from the stack. Then we can set a breakpoint on the address
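The run-time resolution path just described, as an added example that is not code from the original article: it decodes the stack on entry to GetProcAddress (x86 stdcall, so [esp] is the return address and [esp+8] is lpProcName, which is an ordinal rather than a pointer when its high word is zero), remembers the return address so a second breakpoint can pick up the resolved pointer from EAX, and then maps later calls to that pointer back to an API name. The memory image, stack contents and every address in it are constructed for the example; the `install_pydbg_hooks` function shows the wiring to a live PyDbg session but is not executed, and the PyDbg method and attribute names it uses (`bp_set`, `func_resolve`, `read_process_memory`, `exception_address`, `breakpoints`, `context.Esp`/`context.Eax`) are an assumption to check against your PyDbg version.

```python
# Added example, not code from the original article: decode GetProcAddress()
# frames and track the resolved API addresses, i.e. the state a PyDbg handler
# needs for run-time import resolution. All addresses and memory contents are
# constructed for the example, not read from a process.
import struct

class MemoryImage:
    """Stand-in for dbg.read_process_memory(): byte strings at made-up VAs."""
    def __init__(self, regions):
        self.regions = regions  # {base_address: bytes}

    def read(self, address, size):
        for base, data in self.regions.items():
            if base <= address and address + size <= base + len(data):
                return data[address - base:address - base + size]
        raise ValueError("unmapped read at 0x%08x" % address)

def read_cstring(read, address, max_len=260):
    """Read a NUL-terminated ANSI string byte by byte, as a debugger would."""
    out = bytearray()
    while len(out) < max_len:
        b = read(address + len(out), 1)
        if b == b"\x00":
            break
        out += b
    return out.decode("latin-1")

def decode_getprocaddress_frame(read, esp):
    """Stack at the first instruction of GetProcAddress (x86 stdcall): [esp] return
    address, [esp+4] HMODULE, [esp+8] LPCSTR lpProcName (ordinal if high word is 0)."""
    ret_addr, hmodule, lpname = struct.unpack("<III", read(esp, 12))
    name = "#%u" % (lpname & 0xFFFF) if lpname >> 16 == 0 else read_cstring(read, lpname)
    return ret_addr, hmodule, name

class ApiResolveTracker:
    """Three breakpoint stages: GetProcAddress entry (read the name), the caller's
    return address (EAX holds the resolved pointer), the resolved API (log callers)."""
    def __init__(self):
        self.pending = {}   # return address -> [(hmodule, name), ...]
        self.resolved = {}  # resolved API address -> name
        self.log = []       # (api name, caller's return address)

    def on_entry(self, read, esp):
        ret_addr, hmodule, name = decode_getprocaddress_frame(read, esp)
        self.pending.setdefault(ret_addr, []).append((hmodule, name))
        self.log.append(("GetProcAddress", ret_addr))
        return ret_addr  # handler arms a one-shot breakpoint here

    def on_return(self, ret_addr, eax):
        if ret_addr not in self.pending:
            return 0     # breakpoint hit on a path we did not arm
        hmodule, name = self.pending[ret_addr].pop(0)
        if not self.pending[ret_addr]:
            del self.pending[ret_addr]
        if eax:          # NULL means the lookup failed: nothing to hook
            self.resolved[eax] = name
        return eax       # handler breakpoints the API itself

    def on_api_call(self, read, api_address, esp):
        caller = struct.unpack("<I", read(esp, 4))[0]
        self.log.append((self.resolved[api_address], caller))
        return caller

def install_pydbg_hooks(dbg, tracker):
    """Wiring for a live PyDbg session; not executed here. The PyDbg names used
    (bp_set, func_resolve, read_process_memory, exception_address, breakpoints,
    context.Esp/Eax) are an assumption to check against your PyDbg version."""
    from pydbg.defines import DBG_CONTINUE

    def on_api(dbg):
        tracker.on_api_call(dbg.read_process_memory, dbg.exception_address, dbg.context.Esp)
        return DBG_CONTINUE
    def on_ret(dbg):
        api = tracker.on_return(dbg.exception_address, dbg.context.Eax)
        if api and api not in dbg.breakpoints:
            dbg.bp_set(api, handler=on_api)
        return DBG_CONTINUE
    def on_gpa(dbg):
        ret = tracker.on_entry(dbg.read_process_memory, dbg.context.Esp)
        dbg.bp_set(ret, restore=False, handler=on_ret)
        return DBG_CONTINUE

    dbg.bp_set(dbg.func_resolve("kernel32.dll", "GetProcAddress"), handler=on_gpa)

def demo():
    """Replay two resolutions (by name, by ordinal) and one call to the result."""
    mem = MemoryImage({
        0x00403000: b"VirtualProtect\x00",
        0x0012FF00: struct.pack("<III", 0x00401234, 0x7C800000, 0x00403000),
        0x0012FE00: struct.pack("<III", 0x00401300, 0x7C800000, 0x0000002B),
        0x0012FD00: struct.pack("<I", 0x00401250),
    })
    t = ApiResolveTracker()
    ret1 = t.on_entry(mem.read, 0x0012FF00)   # GetProcAddress(k32, "VirtualProtect")
    api1 = t.on_return(ret1, 0x7C801AD4)      # EAX on return (hypothetical address)
    ret2 = t.on_entry(mem.read, 0x0012FE00)   # GetProcAddress(k32, ordinal 43)
    t.on_return(ret2, 0x7C80A000)
    t.on_api_call(mem.read, api1, 0x0012FD00)  # the stub later calls VirtualProtect
    return t
```

The one-shot breakpoint on the return address is what turns a name into an address: on entry only the name is known, and the resolved pointer exists only in EAX after the call returns. For the static half (imports present in the file), pefile's `DIRECTORY_ENTRY_IMPORT` list gives the same (DLL, name) pairs without a debugger, and `ApiResolveTracker.resolved` can be pre-seeded from it before the run so both sources feed one log.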
