One of the biggest issues we have always faced is the lack of a stable API
logger tool for Windows applications that can be used to analyze malware
samples: one that traces not only the Win32 APIs called by the parent
process, but those called by all of its child processes as well. The only
real option I have seen is Cuckoo Sandbox, but using Cuckoo Sandbox is
unwieldy for several reasons:
1. I have seen enough people try to install Cuckoo Sandbox and fail at some step.
2. Practical deployments require a separate virtual machine for installing and using Cuckoo Sandbox.
3. Unwieldy! As a malware analyst or reverse engineer you don't want to waste time bringing up a separate VM just to log the APIs used by a sample.
Point (3) above is the most important one. As malware analysts, I am
pretty sure we already have Windows analysis VMs set up with various
tools. Why can't we run an API logger inside our existing analysis VM? Why install another separate VM just to generate API logs? This requirement became even more pressing when we were writing our book Malware Analysis and Detection Engineering,
where we found the lack of any such tool stifling and wanted to do
something to drastically improve malware analysis and reversing speed.
To solve all these issues we devised APIMiner. No extra VM is required:
take your existing malware analysis VM and run APIMiner from the
command prompt to log the APIs used by your malware sample. Super fast, easy, and no complex setup!
You can download the latest release of APIMiner from https://github.com/poona/APIMiner/releases. The zip file from the release contains a README on how to install the tool and set it up. Currently it requires a config file, apiminer_config.txt, but in a new release we will get rid of that and make things even simpler. Also make sure you have added APIMiner.exe to the PATH environment variable.
Test Drive
Enough talk! Below is a simple C sample that does two things: it allocates a 4096-byte memory chunk using the VirtualAlloc() Win32 API and then changes the page permissions of that block using the VirtualProtect() Win32 API.
    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>

    int main(void)
    {
        void *base;
        BOOL v;
        DWORD old;

        /* Reserve and commit one 4096-byte page with read/write permissions. */
        base = VirtualAlloc(NULL, 4096,
                            MEM_COMMIT | MEM_RESERVE,
                            PAGE_READWRITE);
        /* %p is the correct conversion for a pointer (%x truncates on 64-bit). */
        printf("Received base from VirtualAlloc: %p\n", base);

        /* Change the page to read-only; the previous protection is returned in old. */
        v = VirtualProtect(base, 4096, PAGE_READONLY, &old);
        printf("VirtualProtect: %s\n",
               (v != 0) ? "Success" : "Failure");

        /* Keep the process alive for a long time before exiting. */
        Sleep(1000000);
        return 0;
    }
The above C code has been compiled into an executable test_virtualalloc.exe which we will now execute using APIMiner from the command prompt as seen below.
Running the above command generates API log files, with the apiminer_traces prefix in their filenames, in the log folder whose path you specified in apiminer_config.txt. If you inspect these trace files you will notice two APIs, NtAllocateVirtualMemory and NtProtectVirtualMemory, which are the NTAPI variants of the VirtualAlloc and VirtualProtect APIs used by our sample: the Win32 wrappers in kernel32/kernelbase end up calling these ntdll functions, which is why the trace records the Nt names. Fast and easy!
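The two points the post relies on, that the logger records calls from the parent and all of its child processes and that the recorded names are the NT-level variants of the Win32 APIs a sample calls, are easiest to see when the trace files are summarised per process. The script below is an added example and is not part of APIMiner; it does not know APIMiner's real trace layout. Only the apiminer_traces filename prefix comes from the post, the one-call-per-line format matched by LINE_RE and the sample trace are constructed for this illustration, and load_trace_dir is a hypothetical helper. Adapt the regular expression to the real file layout before using it.

```python
"""Summarise API trace files per process (added example, not APIMiner code)."""
import re
from collections import Counter, defaultdict
from pathlib import Path

# ASSUMED line format for this illustration, NOT APIMiner's real format:
#   pid=<n> ppid=<n> api=<NtName>(<arguments>)
LINE_RE = re.compile(
    r"^pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+api=(?P<api>\w+)\((?P<args>.*)\)\s*$"
)

# NT-level names a logger records, mapped back to the Win32 wrappers a sample
# typically called. The first two pairs are the ones discussed in the post.
NT_TO_WIN32 = {
    "NtAllocateVirtualMemory": "VirtualAlloc",
    "NtProtectVirtualMemory": "VirtualProtect",
    "NtCreateFile": "CreateFile",
    "NtWriteFile": "WriteFile",
    "NtDelayExecution": "Sleep",
}

# Constructed sample trace: parent 4120 spawns child 4188; 5000 is unrelated.
SAMPLE_TRACE = """\
pid=4120 ppid=900 api=NtAllocateVirtualMemory(ProcessHandle=0xffffffff, RegionSize=0x1000, Protect=0x4)
pid=4120 ppid=900 api=NtProtectVirtualMemory(ProcessHandle=0xffffffff, RegionSize=0x1000, NewProtect=0x2)
pid=4120 ppid=900 api=NtCreateUserProcess(ImagePath=C:\\child.exe)
pid=4188 ppid=4120 api=NtCreateFile(FileName=C:\\Temp\\out.bin)
pid=4188 ppid=4120 api=NtWriteFile(Length=512)
pid=4120 ppid=900 api=NtDelayExecution(Interval=1000000)
pid=5000 ppid=900 api=NtCreateFile(FileName=C:\\other.txt)
this line is not a trace record
"""


def parse_trace(text):
    """Turn trace text into a list of records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or malformed line: skip rather than abort
        records.append({
            "pid": int(m["pid"]),
            "ppid": int(m["ppid"]),
            "api": m["api"],
            "args": m["args"],
        })
    return records


def process_tree(records, root_pid):
    """Return root_pid plus every descendant pid that appears in the trace."""
    children = defaultdict(set)
    for r in records:
        children[r["ppid"]].add(r["pid"])
    tree, todo = set(), [root_pid]
    while todo:
        pid = todo.pop()
        if pid in tree:
            continue
        tree.add(pid)
        todo.extend(children.get(pid, ()))
    return tree


def summarize(records, root_pid):
    """Per-process API call counts, restricted to root_pid and its children."""
    tree = process_tree(records, root_pid)
    counts = {pid: Counter() for pid in tree}
    for r in records:
        if r["pid"] in tree:
            counts[r["pid"]][r["api"]] += 1
    return counts


def win32_name(nt_api):
    """Map an NT-level name back to its Win32 wrapper, or return it unchanged."""
    return NT_TO_WIN32.get(nt_api, nt_api)


def load_trace_dir(log_dir, prefix="apiminer_traces"):
    """Hypothetical helper: parse every file in log_dir whose name starts with prefix."""
    records = []
    for path in sorted(Path(log_dir).glob(prefix + "*")):
        records.extend(parse_trace(path.read_text(errors="replace")))
    return records


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for pid, calls in sorted(summarize(recs, 4120).items()):
        print(f"pid {pid}:")
        for api, n in calls.most_common():
            print(f"  {n}x {api} ({win32_name(api)})")
```

Summarising from the sample's own pid rather than from the whole log is what keeps the unrelated process out of the report while still attributing the file writes to the child. Replacing SAMPLE_TRACE with load_trace_dir(path) pointed at the log folder from apiminer_config.txt is the only change needed once LINE_RE matches the real format.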
Using APIMiner you can log the APIs used by any Windows executable. We have covered this tool extensively in our new book Malware Analysis and Detection Engineering, a 900+ page comprehensive hands-on guide to malware analysis, malware reverse engineering and detection engineering, published by Apress and available on the Springer network.
In this book we explain various tricks that you can use in
combination with our APIMiner tool to quickly analyze the behaviour of a
sample and ascertain whether it is malware or not.