How to use HAM?

This is a short intro tutorial on how to use HAM. The basic idea is to show how to:

  • Load an application for analysis
  • Pass command line arguments to the analyzed program
  • Choose APIs
  • Run
  • Observe the output

So, let’s begin:

  • First, download and run HAM. You should see the following screen:
  • Now press F3 or Ctrl+O, or choose File->Open Executable from the application menu.
  • Go to your System Directory:
  • Type ‘notepad.exe’ and hit Enter.
  • Type the command line argument for Notepad, e.g. ‘test.txt’ – this file will be opened by Notepad:
  • Press Alt+A or click the icon as shown below:
  • Choose the ‘CreateFileW’ API in the API Functions window:
  • Press F5 or click the icon as shown below:
  • Notepad will now be launched, and the modules it loads are shown in a small window; for each loaded module, HAM will attempt to intercept all APIs selected earlier in the API Functions window – in our case only ‘CreateFileW’:
  • Each module loaded by Notepad is shown in the output pane, and the Notepad window appears on the Desktop as well. As you can see, the CreateFileW API has been called once, with its argument being the file name we typed in the Notepad Open File window, i.e. ‘test.txt’.

We can conclude this demo with the following observations:

  • Notepad is indeed using CreateFileW when it opens the files
  • The file is opened with the flag OPEN_EXISTING, i.e. Notepad attempts to open an existing file without overwriting it
  • The file is opened with both FILE_SHARE_READ and FILE_SHARE_WRITE set, i.e. you could open a file in Notepad and still overwrite it from an external application (e.g. echo foo>test.txt) while it is being edited.
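The third observation can be checked outside HAM by issuing the same CreateFileW call yourself. The following PowerShell script is an added example, not part of the HAM tutorial: it P/Invokes CreateFileW with OPEN_EXISTING on a constructed temp file (ham-demo.txt, an assumed name), once with the share mode HAM reported for Notepad and once with FILE_SHARE_READ only, and for each case reports whether a second, write-only open from an "external application" is allowed or fails with ERROR_SHARING_VIOLATION.

```powershell
# Added example (not from the HAM tutorial). Run in a fresh session: Add-Type
# refuses to redefine the Demo.Kernel32 type if the script is run twice.
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'Demo' -PassThru

# Win32 constants (values as defined in the Windows SDK headers)
$GENERIC_READ            = 0x80000000
$GENERIC_WRITE           = 0x40000000
$FILE_SHARE_READ         = 0x1
$FILE_SHARE_WRITE        = 0x2
$OPEN_EXISTING           = 3
$FILE_ATTRIBUTE_NORMAL   = 0x80
$ERROR_SHARING_VIOLATION = 32

$path = Join-Path $env:TEMP 'ham-demo.txt'   # constructed sample file, stands in for test.txt
Set-Content -Path $path -Value 'original'

function Test-ShareMode([uint32]$shareMode, [string]$label) {
    # First handle: the call shape HAM showed for Notepad (OPEN_EXISTING, read access),
    # with the share mode under test.
    $h1 = $k32::CreateFileW($path, $GENERIC_READ, $shareMode, [IntPtr]::Zero,
                            $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
    if ($h1.IsInvalid) { throw "first open failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    # Second handle: an external program trying to overwrite the file while it is "being edited".
    $h2 = $k32::CreateFileW($path, $GENERIC_WRITE, $FILE_SHARE_READ, [IntPtr]::Zero,
                            $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h2.IsInvalid) {
        $msg = if ($err -eq $ERROR_SHARING_VIOLATION) { 'blocked (ERROR_SHARING_VIOLATION)' } else { "failed, Win32 error $err" }
    } else {
        $msg = 'allowed: second writer opened the file'
        $h2.Close()
    }
    $h1.Close()
    '{0,-32} -> {1}' -f $label, $msg
}

Test-ShareMode ($FILE_SHARE_READ -bor $FILE_SHARE_WRITE) 'FILE_SHARE_READ|WRITE (Notepad)'
Test-ShareMode $FILE_SHARE_READ 'FILE_SHARE_READ only'
Remove-Item $path
```

The same two calls show up in HAM if you load powershell.exe with this script as its argument and hook CreateFileW, which is a convenient way to confirm that the monitor reports the share mode faithfully.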

We also learnt that:

  • Loading an application for analysis and passing arguments to it is very straightforward
  • To use it efficiently, it is good to have some basic understanding of Windows programming: you need to know which APIs to select in order to monitor the analyzed program effectively.
  • HAM works on Windows 8 Developer Preview 🙂

As you can see, just by looking at the arguments passed to APIs, as well as the flow of API calls, multiple things can be done:

  • it may help with in-house malware analysis
  • it may help with vulnerability research
  • it may help in understanding the Windows API and Windows internals
  • it may allow you to discover undocumented or unexpected quirks of Windows (e.g. what mutexes are created by a given application, what strings are hard-coded and compared against by certain APIs, etc.)