This is a short intro tutorial on how to use HAM. The basic idea is to show how to:
- Load an application for analysis
- Pass command line arguments to the analyzed program
- Choose APIs
- Run
- Observe the output
So, let’s begin:
- First, download and run HAM. You should see the following screen:
- Now press F3, Ctrl-O, or choose File->Open Executable from the application menu.
- Go to your System Directory:
- Type 'notepad.exe' and hit Enter
- Type the command line argument for Notepad, e.g. 'test.txt'; this file will be opened by Notepad:
- Press Alt+A or click the icon as shown below:
- Choose the 'CreateFileW' API in the API Functions window:
- Press F5 or click the icon as shown below:
- Notepad will now be launched, and the modules loaded by Notepad will be shown in a small window; for each module loaded, HAM will attempt to intercept all APIs selected earlier in the API Functions window, which in our case is only 'CreateFileW':
- Each module loaded by Notepad is shown in the output pane, and the Notepad window is shown on the Desktop as well; as you can see, the CreateFileW API has been called once, with the argument being the file name that we typed in Notepad's Open File window, i.e. 'test.txt'.
We can conclude this demo with the following observations:
- Notepad is indeed using CreateFileW when it opens files
- The file is being opened with the flag OPEN_EXISTING, i.e. it will attempt to open an existing file without overwriting it
- The file is opened in both FILE_SHARE_READ and FILE_SHARE_WRITE mode, i.e. you could open a file in Notepad and still overwrite it with an external application, e.g. echo foo>test.txt, while it is being edited.
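The observations above come from reading the raw CreateFileW arguments off the monitor output. The following added example (not part of this post or of HAM) decodes those numeric arguments into the flag names used above; the log line format it parses is constructed for the example, not HAM's actual output format.

```python
# Added example: decode the arguments of a logged CreateFileW call into the
# Win32 flag names. The log line format below is constructed for this example
# and does not reproduce HAM's own output format.
import re

# Win32 constants (winbase.h / fileapi.h / winnt.h)
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE",
               0x4: "FILE_SHARE_DELETE"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}

# Constructed sample: API name followed by the first five CreateFileW
# parameters (lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
# dwCreationDisposition) as a hooking tool might print them.
SAMPLE_LOG = 'CreateFileW("test.txt", 0x80000000, 0x3, 0x0, 0x3)'

HEX = r'(0x[0-9a-fA-F]+)'
LINE_RE = re.compile(r'CreateFileW\("([^"]*)",\s*' + r',\s*'.join([HEX] * 4) + r'\)')


def decode_flags(value, table):
    """Return the names of every bit in value that appears in table."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names or ["0"]


def decode_createfilew(line):
    """Parse one logged CreateFileW call and name its flag arguments."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a CreateFileW log line: %r" % line)
    path = m.group(1)
    access, share, _security, disposition = (int(x, 16) for x in m.groups()[1:])
    return {
        "path": path,
        "access": decode_flags(access, ACCESS_FLAGS),
        "share": decode_flags(share, SHARE_FLAGS),
        "disposition": CREATION_DISPOSITION.get(disposition,
                                                "UNKNOWN(%d)" % disposition),
        # FILE_SHARE_WRITE set: another process may overwrite the file while
        # it is open, which is the sharing behaviour observed with Notepad.
        "writable_by_others": bool(share & 0x2),
    }


if __name__ == "__main__":
    print(decode_createfilew(SAMPLE_LOG))
```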
We also learnt that:
- Loading applications for analysis and passing arguments to them is very straightforward
- In order to use it efficiently, it is good to have some basic understanding of Windows programming; you need to know which APIs to select in order to monitor the analyzed program efficiently.
- HAM works on Windows 8 Developer Preview 🙂
As you can see, just by looking at the arguments passed to APIs, as well as the flow of the APIs being called, multiple things can be done:
- it may help in in-house malware analysis
- it may help with vulnerability research
- it may help in understanding the Windows API and Windows internals
- it may allow discovering undocumented or unexpected quirks of Windows (e.g. what mutexes are created by a given application, what strings are hard-coded and compared against by certain APIs, etc.)