Extracting API calls

Question

0.00/5 (No votes)

See more:

Hi

I am looking for a step by step guide to extract the API calls made by some specific application (I want to this to malware) so that I can store those API calls later in somewhere like a database.

I need this information to make a fuzzy set (Fuzzy Logic in AI) to do this:

I test a limited 800 malwares.
I extract the API calls and keep them somewhere.
Now I have a new untested malware.
I extract the API calls. --->
if more than 20% of the extracted API calls by that malware matches with those in the database then the file is Risky (based on fuzzy logic)
This mechanism is based on guessing so it must NOT be 100% accurate.

Please if you can help give me some guides, I'm not looking for any source code.

If the information I provided is not clear enough please let me know in comment to improve it.

Posted 11-Feb-13 0:50am

Jackson Mackson

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Matthew Faithfull · Answer 1 · 2013-02-11T01:01:00

Solution 1

If you want to build an API interception framework then you need to look at the work of John Robbins, of WinDbg fame and also at how to Hook APIs which is covered by a number of Code Project articles. There's no fool proof way to do this though because whatever technique you use the Malware can use the same technique to place itself after you in the Hook chain or intercept your interception and remain undetected. In principle if you could do it you'd probably need something as sophisticated as a Hidden Markov Model or a back propogation neural network to detect any difference between the API calls of a legitimate application, malware and somebody else's malware detector and by the time you detected it the calls would be made so it might well be too late. If you really want to do this for sure then you might need to run the malware on a VM with an entirely fake API and your own kernel, a truly monumental task.
Good luck.

Posted 11-Feb-13 1:01am

Matthew Faithfull

Comments

Jackson Mackson 11-Feb-13 7:30am

"John Robbins, of WinDbg fame and also at how to Hook APIs which is covered by a number of Code Project articles." I think you misunderstood, I'm looking for a guide which is specialized in writing a program in c++ or c# which can run a malware in a virtual environment and the extract its called APIs. I'd like to write an stand alone application. And this is gonna be a bachelor FYP project so I don't really care about the accuracy, implementing the idea will be marked. So if you know any guide I would appreciate if you let me know. What you mentioned is relevant but it is not what I'm looking for, I need something very specific, I searched MSDN but I couldn't find anything.

Jackson Mackson 11-Feb-13 7:32am

Something that covers everything from very very basic issues to advanced ones

Matthew Faithfull 11-Feb-13 7:49am

I see, you know what you need and what to research for and even approximately how to do it with a virtualised environment but what you're looking for is someone who's done it before and knows where all the pitfalls are. A wise thing to look for and you're probably looking in the right place on CP but I'm not your man.

Jackson Mackson 11-Feb-13 7:53am

Thanks Matt anyway :)