How to Find the Temporal Order of API Calls in PEs?


mansourweb
January 28th, 2010, 14:45
Dear Friends

As you know, PEs have a section that has API calls.
I want to extract the API calls in PEs in the temporal order in which they are called, without running the PE.
I disassemble a PE with IDA and find the API calls, but I don't know whether they are in temporal order or not when the PE runs.

Thank you.
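As an added example (not written by anyone in this thread), here is what "the section that has API calls" actually contains: a parser for the PE import directory, run against a minimal PE32 image that the script builds in memory. The DLL and function names are constructed sample values, not taken from any real binary. The parser returns a per-DLL list of names, which is all a static import table can say: which APIs are linked, not when or how often they are called.

```python
import struct

# Constructed sample for this example: two DLLs and a few function names.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileA", "WriteFile", "CloseHandle"]),
    ("ADVAPI32.dll", ["RegSetValueExA"]),
]
SECTION_RVA, SECTION_RAW = 0x1000, 0x200  # RVA / file offset of the single section


def build_sample_pe(imports=SAMPLE_IMPORTS):
    """Build a minimal PE32 image in memory whose one section is an import directory."""
    table_size = 20 * (len(imports) + 1)   # IMAGE_IMPORT_DESCRIPTORs + null terminator
    sec = bytearray(table_size)

    def add(blob):  # append to the section and return the blob's RVA
        rva = SECTION_RVA + len(sec)
        sec.extend(blob)
        return rva

    descriptors = b""
    for dll, funcs in imports:
        name_rva = add(dll.encode() + b"\0")
        # IMAGE_IMPORT_BY_NAME: 2-byte hint, then NUL-terminated function name
        by_name = [add(b"\0\0" + f.encode() + b"\0") for f in funcs]
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + b"\0\0\0\0"
        oft = add(thunks)  # OriginalFirstThunk (import name table)
        ft = add(thunks)   # FirstThunk (import address table, unbound on disk)
        descriptors += struct.pack("<IIIII", oft, 0, 0, name_rva, ft)
    sec[:table_size] = descriptors + bytes(20)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    opt[:2] = struct.pack("<H", 0x10B)                               # PE32 magic
    opt[104:112] = struct.pack("<II", SECTION_RVA, table_size)       # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(sec), SECTION_RVA,
                       len(sec), SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + bytes(SECTION_RAW - len(headers)) + bytes(sec)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(pe):
    """Return {dll: [name or 'ordinal:N', ...]}: linked APIs in table order, no call order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:    # PE32: DataDirectory at +96, 32-bit thunks
        dd, thunk_fmt, ord_bit = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: DataDirectory at +112, 64-bit thunks
        dd, thunk_fmt, ord_bit = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    imp_rva = struct.unpack_from("<I", pe, dd + 8)[0]           # DataDirectory[1].VirtualAddress
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, s + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def to_off(rva):  # RVA -> file offset via the section table
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA %#x lies outside every section" % rva)

    result = {}
    desc = to_off(imp_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor ends the table
        names, thunk = [], to_off(oft or ft)  # prefer the name table when present
        while True:
            entry = struct.unpack_from(thunk_fmt, pe, thunk)[0]
            if entry == 0:
                break
            if entry & ord_bit:
                names.append("ordinal:%d" % (entry & 0xFFFF))
            else:
                names.append(_cstr(pe, to_off(entry) + 2))  # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        result[_cstr(pe, to_off(name_rva))] = names
        desc += 20
    return result
```

Running `parse_imports(build_sample_pe())` gives `{"KERNEL32.dll": ["CreateFileA", "WriteFile", "CloseHandle"], "ADVAPI32.dll": ["RegSetValueExA"]}`. Nothing in that output says that `WriteFile` is called twice per file or that `RegSetValueExA` comes last; the same table would be produced whatever order the code calls them in.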

Aimless
January 28th, 2010, 23:55
From somewhere on the internet - "...The temporal information is modeled using nth order discrete time Markov chain with k states, where each state corresponds to a particular API ..."

Aaaugghhhhh!!!!

Mansourweb, can you please tell me what a temporal order of the API is actually? I found explanations like above when I searched for this... though I suspect it really means the sequence in which the API is called, including its children...

Oh Yes, on the brighter side, I think you can use the Dependency Walker (not the Microsoft one -- but the one having its OWN website).... logger, delayed APIs, whatnots....

Have Phun

mansourweb
January 29th, 2010, 03:07
Thank you, dear friend.

I have a virus and I want to detect it. If I run the virus, it ruins my computer.
I do static analysis on API calls, but I don't know whether the API calls are in sequence format or not (when it runs).
How can we run a virus safely?
Do you have any idea?

Thank you.

naides
January 29th, 2010, 04:50
Quote:
[Originally Posted by mansourweb;84988]Thank you, dear friend.
How can we run a virus safely?
Do you have any idea?

Thank you.


Run the virus in a VMware virtual machine, preferably running under a Linux host environment. Alternatively, use an old, throw-away computer, or disconnect all hard drives from your computer and install a brand new OS (Windows XP preferred) on an old hard drive, with nothing else on it than your OS, your analysis tools and your virus, so that, when you are done, you can do a low-level format on the trashed HD. APImon comes to mind as a useful tool.

Doing virus analysis is not a hobby; it requires a laboratory with a biosafety containment system...

If you were indeed working with deadly viruses and bacteria, you would not handle them in your own kitchen, at home, would you??

mansourweb
January 29th, 2010, 07:37
Thank you, dear naides.

I heard that a PC emulator is better than VMware, and I use a sandbox for it.

P.S. It is not my hobby; it is my master's thesis.
Thank you for your information.

evaluator
January 29th, 2010, 07:41
Upload your maybe-virus here... we'll look at it.

You can also check it on www.virustotal.com.

mansourweb
January 29th, 2010, 07:49
Thank you, dear evaluator.

I work on virus databases, not on a single one.
I would like to know whether the API calls that come from disassembling a PE are in temporal order, in a sequence, or not.
And in a program's sequence, can API calls be repetitive or not?
If somebody knows, I am very thankful to him/her.

Thank you friends
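An added example, not written by anyone in this thread, that speaks to both the "nth order discrete time Markov chain with k states, where each state corresponds to a particular API" quote earlier and the question just above about sequence and repetition. It assumes a dynamic trace is available (the log lines below are constructed to imitate the style of an API monitor and are not a real capture). From the ordered trace it builds n-gram counts and a first-order Markov transition table, and it also shows the "import-table view" of the same program, which keeps the names but loses order and repetition.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample in the style of an API-monitor log (time, thread, call).
# The values are invented for this example.
SAMPLE_TRACE = """\
0.001 tid=0x1a4 CreateFileA("a.txt", GENERIC_WRITE)
0.002 tid=0x1a4 WriteFile(0x44, 0x12f000, 512)
0.003 tid=0x1a4 WriteFile(0x44, 0x12f200, 512)
0.004 tid=0x1a4 CloseHandle(0x44)
0.005 tid=0x1a4 CreateFileA("b.txt", GENERIC_WRITE)
0.006 tid=0x1a4 WriteFile(0x48, 0x12f000, 512)
0.007 tid=0x1a4 CloseHandle(0x48)
0.008 tid=0x1a4 RegSetValueExA(0x5c, "Run", ...)
"""

LINE_RE = re.compile(r"^(?P<t>[\d.]+)\s+tid=(?P<tid>0x[0-9a-fA-F]+)\s+(?P<api>\w+)\(")


def parse_trace(text):
    """API names in the order the monitor recorded them; repeated calls are kept."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not call records
            calls.append(m.group("api"))
    return calls


def static_view(calls):
    """What an import table shows for the same program: names only, no order, no counts."""
    return sorted(set(calls))


def ngrams(calls, n):
    """Counts of every window of n consecutive calls (a common sequence feature)."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))


def transition_probs(calls):
    """First-order Markov chain: P(next | current), one state per API name."""
    counts = defaultdict(Counter)
    for cur, nxt in zip(calls, calls[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: c / sum(nxts.values()) for nxt, c in nxts.items()}
            for cur, nxts in counts.items()}


def log_likelihood(calls, probs, floor=1e-6):
    """Log P(sequence) under a transition model; unseen transitions get a small floor."""
    return sum(math.log(probs.get(cur, {}).get(nxt, floor))
               for cur, nxt in zip(calls, calls[1:]))


if __name__ == "__main__":
    seq = parse_trace(SAMPLE_TRACE)
    print("ordered trace:", seq)
    print("import-table view:", static_view(seq))
    print("bigrams:", ngrams(seq, 2).most_common(3))
    for cur, nxts in transition_probs(seq).items():
        print(cur, "->", nxts)
```

On the sample, `WriteFile` appears three times in the trace but once in the import-table view, which answers the repetition question directly: a sequence model must be built from a run (or an emulation), because the static table collapses every repeated call into a single name. `log_likelihood` is the piece a classifier would use: a transition table learned from known samples scores how probable a new trace is under that model.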

evaluator
January 29th, 2010, 08:04
You want to discover some generic ideas about detecting??
That has no future.. because virus-makers always(R) will be aware of generic things..

mansourweb
January 29th, 2010, 08:12
Thank you evaluator for your help.

You are right, but it is a special kind of generic.
But I try, God with me, I don't forget it.

Aimless
January 29th, 2010, 08:34
1. VMware Machine with Windows XP as guest
2. Snapshot
3. Install Microsoft Debugger on guest
4. Select API tool
5. Run Virus
6. *BANG*

Alternatively...

1. Download Dependency Walker
2. Run the exe
3. LOG it (ALL API Calls)
4. *BANG*

Also...

1. Download SmartCheck OR BoundsChecker
2. Run exe via them
3. *BANG*

And too...

1. Download OllyDbg
2. Open file in OllyDbg
3. Trace over functions (good job -- not only APIs, also functions inside the exe get traced and recorded to an external file)
4. *BANG*

And furthermore...

1. IDA PRO
2. Debug
3. Stop at entry
4. Start Trace
5. UNCHECK trace over API calls
6. Make number to 0
7. Run the program
8. *BANG*


Goddamn!

Have Phun

mansourweb
January 29th, 2010, 09:10
Oh my god

Thank you, Aimless. There are many scenarios, but do you mean that *BANG* perishes my computer?
Isn't there any software that confines the virus? (like a sandbox)

evaluator
January 29th, 2010, 09:25
Just downloaded a suspicious file. How does your method report on it?
I think it is mostly malware.. I only looked at it with HIEW.

mansourweb
January 29th, 2010, 09:53
Excuse me, evaluator.

My algorithm is just in theory and I didn't implement it. I can't find an environment to run viruses, and my question is what that environment is.
I'll test it for you later, as soon as I find an environment.

But I didn't get an answer to my question.
Thank you all.

evaluator
January 29th, 2010, 10:00
Huh? You got an answer.
The environment is an OS under a virtual machine.

If you can't run the file, then you can only load it in a disassembler & see the code.
To guess virus/malware you need to know how normal programs look;

Kayaker
January 29th, 2010, 12:31
Two more

Capture, care and analysis of Malware made easy
http://www.linklogger.com/vm_capture.htm
*BANG*

Practical Malware Analysis
http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
*BANG*

mansourweb
January 29th, 2010, 13:19
I mean that if I run the virus on a virtual machine, for each virus I must install Windows on the virtual machine.
Ain't that right?

evaluator
January 29th, 2010, 15:22
Nope, not right! Read VM manuals & educate yourSELF!

No, just a second ago I downloaded a torrent.
Its name is "SandboxieInstall-343-20.exe" & it is a VB6 program.

Training question without further info: IS IT MALWARE!?

mansourweb
January 29th, 2010, 15:37
Dear evaluator,

Thank you, dear friends, and thank you all for your information. I must study much more in this section.
And special thanks to Kayaker for the tutorials, and thank you, evaluator, for Sandboxie.
I must check all of them.

MERSI

dELTA
February 18th, 2010, 21:13
Yes, I'm behind in posts, so shoot me...

From what I can tell, you want to be able to get an "API trace" from an executable file without actually running it. This can only be done by emulating the executable code in it (including self-modifying code), and it cannot be done by something as simple as analyzing the API imports etc., as you are hinting you are hoping for. Emulation will also be extra hard for malware programs, due to all the low-level/OS tricks they are fond of employing.

Good luck with your thesis, it sounds to me like you're gonna need it...

disavowed
February 19th, 2010, 09:37
Quote:
[Originally Posted by dELTA;85318]This can only be done by emulating the executable code in it

I recommend using dynamic translation. See http://download.microsoft.com/download/2/6/2/2624dcbb-6412-4520-9888-f9acfbec280d/Defeating_Polymorphism_White_Paper.pdf

mansourweb
February 19th, 2010, 13:33
Thank you, dear dELTA and disavowed. I could download 2 nice papers from your comments; I must read them.

In another way, I use WinDbg and VMware and it gives me some API trace (I use dynamic analysis), but some malware quits when it detects VMware.
I use a PC emulator that uses dynamic translation and is more powerful than VMware, but I can't install Windows on it; its name is QEMU.
Do you have any information about how I can install Windows on it?

Thank you my best friends.

disavowed
February 19th, 2010, 19:50
http://lmgtfy.com/?q=running+windows+in+qemu

mansourweb
February 20th, 2010, 13:23
Yes, thank you very much.

I found http://manishtech.wordpress.com/2008/07/10/using-qemu-on-windows/ and my problem is solved.