SysAnalyzer/ApiLogger

From aldeid

Description

SysAnalyzer supports an Api-Logger option to add realtime API logging to the analysis output.

The API logger that SysAnalyzer uses works by injecting a DLL into the target process. Once loaded, the DLL inserts a series of detours-style hooks into specific API calls. When any code in the process calls one of these APIs, the hook triggers a notification message that is sent to the main SysAnalyzer interface.

The SysAnalyzer setup package also includes a standalone DLL injector/logging interface which can be used outside of the main SysAnalyzer application.

In addition to the standard API logging functionality, api_log.dll also incorporates a couple of other basic features that are worth mentioning.

The first addition worth mentioning is an Anti-Anti-VMware seek-and-destroy function. At the moment, this function is only invoked when the hook procedure encounters CreateFile(\\.\NTICE), and it only examines the small section of memory before the function call.

This code was initially added during a period when Gaobot variants were being released at a heavy pace and all contained a templated anti-VMware check. The code was effective at disabling the check and allowing the samples to run easily on the analysis machines. The current Anti-Anti-VMware implementation is probably limited to working on Gaobot variants, but it could probably be expanded easily to scan entire sections on load.

The next modification is to the hook installed for CreateProcessA. Bots and other malware often install themselves to another location on the system, launch that copy and then terminate. The CreateProcessA hook takes the additional step of injecting the logger DLL into any new process it creates, so API logging is maintained across spawned programs.

A final note: the current implementation of api_log.dll does not hook any of the wide-character versions of the APIs. This could be considered a weak spot, but to date it has not impacted the program's performance in actual use (most viruses and worms do not use the Unicode APIs).
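The three mechanisms described above (a detours-style hook that logs a call and then passes it through, the CreateFile(\\.\NTICE) trigger, and the CreateProcessA hook that carries logging into the child) can be sketched portably. The following is an added example, not SysAnalyzer's code and not the implementation inside api_log.dll: instead of patching the first bytes of real Win32 exports, each "API" is an entry in a function-pointer table that stands in for an import table, the kernel32 functions are replaced by constructed stand-ins, the sample paths are constructed, and the NTICE case only raises an alert rather than modifying the caller's memory.

```c
/* Added example (not SysAnalyzer's own code): a portable sketch of how a
 * detours-style API logger sits between a program and the APIs it calls.
 * api_log.dll patches the real Win32 exports inside the target process; here
 * each "API" is an entry in a function-pointer table (like an import table)
 * so the same mechanism runs on any OS. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_CAPACITY 32
#define LOG_LINE_LEN 160

/* Notification messages emitted by the hooks. SysAnalyzer sends these to its
 * main interface; this sketch collects them in a fixed-size buffer. */
static char log_lines[LOG_CAPACITY][LOG_LINE_LEN];
static int log_count = 0;

static void notify(const char *fmt, ...)
{
    va_list ap;
    if (log_count >= LOG_CAPACITY)
        return;
    va_start(ap, fmt);
    vsnprintf(log_lines[log_count], LOG_LINE_LEN, fmt, ap);
    va_end(ap);
    log_count++;
}

/* Stand-ins for the real kernel32 exports (constructed for the example). */
typedef int (*create_file_fn)(const char *path);
typedef int (*create_process_fn)(const char *cmdline);

static int real_create_file(const char *path)       { (void)path;    return 42;   /* fake HANDLE */ }
static int real_create_process(const char *cmdline) { (void)cmdline; return 1000; /* fake PID */ }

/* The table the instrumented program calls through. Installing a detour
 * means swapping each entry for a hook and keeping the original reachable
 * through a trampoline so the hook can call it after logging. */
static create_file_fn    iat_CreateFileA    = real_create_file;
static create_process_fn iat_CreateProcessA = real_create_process;
static create_file_fn    trampoline_CreateFileA;
static create_process_fn trampoline_CreateProcessA;

static int hook_CreateFileA(const char *path)
{
    notify("CreateFileA(\"%s\")", path);
    /* Device name the page's Anti-Anti-VMware logic keys on; this sketch only
     * raises an alert rather than patching the caller's code. */
    if (strcmp(path, "\\\\.\\NTICE") == 0)
        notify("ALERT: open of \\\\.\\NTICE, anti-analysis check pattern");
    return trampoline_CreateFileA(path);
}

static int hook_CreateProcessA(const char *cmdline)
{
    int pid = trampoline_CreateProcessA(cmdline);
    notify("CreateProcessA(\"%s\") -> pid %d", cmdline, pid);
    /* api_log.dll injects itself into the child at this point so logging
     * follows the spawned copy; the sketch just records that step. */
    notify("inject api_log.dll into pid %d", pid);
    return pid;
}

void install_hooks(void)
{
    trampoline_CreateFileA    = iat_CreateFileA;
    trampoline_CreateProcessA = iat_CreateProcessA;
    iat_CreateFileA    = hook_CreateFileA;
    iat_CreateProcessA = hook_CreateProcessA;
    log_count = 0;
}

int log_line_count(void) { return log_count; }
const char *log_line(int i) { return (i >= 0 && i < log_count) ? log_lines[i] : ""; }

/* Constructed "target program": a dropper-like sequence that opens a file,
 * probes for the \\.\NTICE device and relaunches a copy of itself. */
int run_sample(void)
{
    install_hooks();
    iat_CreateFileA("C:\\Temp\\sample.exe");
    iat_CreateFileA("\\\\.\\NTICE");
    return iat_CreateProcessA("C:\\Temp\\copy.exe");
}

int main(void)
{
    int i, pid = run_sample();
    for (i = 0; i < log_line_count(); i++)
        printf("%s\n", log_line(i));
    return pid == 1000 ? 0 : 1;
}
```

Running it prints five notification lines: the two CreateFileA calls, the alert for the \\.\NTICE open, the CreateProcessA call with its (fake) PID, and the record that the logger would be injected into that child. The order inside hook_CreateProcessA matters: the trampoline is called first so the child's PID is known when the injection step is logged, which mirrors why api_log.dll can only inject after the process exists.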

Usage
