ProcMon as… an API Monitor

Posted on by

A competition for the most important research tool on Windows platform is not necessary – ProcMon will always win.

Why?

It helps us with research, troubleshooting, and it still works after so many years, and despite so many changes introduced to Windows during this time.

And it still can surprise you.

In this post I briefly describe ProcMon functionality that many people may not be aware of. Actually, two features that offer a very interesting functionality.

The first one is Stack Trace.

Any event you see caught by ProcMon has an associated Stack trace that you can explore by double clicking the event of interest, and selecting the ‘Stack’ tab:

This is pretty cool as it helps researches to find out where the possible access to an interesting object (a key, a file, etc.) comes from -i.e. from main .exe or loaded .dll.

The second feature is the export to XML that may include the aforementioned stack trace (tick the ‘Resolve stack symbols’ as well – it will resolve addresses to actual function names if these are available in symbols).

This will create a HUGE XML file.

And a very interesting one…

It includes sections for process list and events. The first one includes a list of processes and their properties:

  • Time
  • Processes name
  • Process ID
  • Parent process ID
  • Command Line
  • Integrity
  • Owner
  • Base Addresses
  • Modules Loaded

And the second one lists the actual events:

  • Time
  • Process Name
  • Process ID
  • Operation
  • Path
  • Result
  • Location
  • Detail

followed by the stack trace – all frames one bye one:

  • Depth
  • Address
  • Path
  • Location

With this data, and taking selective stack trace entries, it’s very easy to convert it to a timeline that resembles a log from an API Monitor…

A small snippet of data:

<?xml version="1.0" encoding="UTF-8"?>
<procmon><processlist><process>
<ProcessIndex>100</ProcessIndex>
<ProcessId>160</ProcessId>
<ParentProcessId>2880</ParentProcessId>
<ParentProcessIndex>101</ParentProcessIndex>
<AuthenticationId>00000000:00071cd1</AuthenticationId>
<CreateTime>132308446793816226</CreateTime>
<FinishTime>0</FinishTime>
<IsVirtualized>0</IsVirtualized>
<Is64bit>1</Is64bit>
<Integrity>High</Integrity>
<Owner>user</Owner>
<ProcessName>Procmon64.exe</ProcessName>
<ImagePath>C:\Users\user\AppData\Local\Temp\Procmon64.exe</ImagePath>
<CommandLine>"C:\Users\user\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\tools\Procmon.exe"</CommandLine>
<CompanyName>Sysinternals - www.sysinternals.com</CompanyName>
<Version>3.53</Version>
<Description>Process Monitor</Description>
<modulelist>
<module>
<Timestamp>132308446979926644</Timestamp>
<BaseAddress>0x2360000</BaseAddress>
<Size>77824</Size>
<Path>C:\Windows\system32\wbem\wbemsvc.dll</Path>
<Version>10.0.14409.1005 (rs1_srvoob.161208-1155)</Version>
<Company>Microsoft Corporation</Company>
<Description>WMI</Description>
</module>
...
<eventlist>
<event>
<ProcessIndex>105</ProcessIndex>
<Time_of_Day>11:38:18.1001657</Time_of_Day>
<Process_Name>Explorer.EXE</Process_Name>
<PID>2192</PID>
<Operation>CreateFile</Operation>
<Path>C:\Users\user\AppData\Local\Temp\Procmon64.exe</Path>
<Result>SUCCESS</Result>
<Detail>Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened</Detail>
<stack>
<frame>
<depth>0</depth>
<address>0xfffff8800116d067</address>
<path>C:\Windows\system32\drivers\fltmgr.sys</path>
<location>FltAcquirePushLockShared + 0x907</location>
</frame>
…
<frame>
<depth>1</depth>
<address>0xfffff8800116f9aa</address>
<path>C:\Windows\system32\drivers\fltmgr.sys</path>
<location>FltIsCallbackDataDirty + 0x20ba</location>
</frame>
…
<frame>
<depth>39</depth>
<address>0x78e7c521</address>
<path>C:\Windows\SYSTEM32\ntdll.dll</path>
<location>RtlUserThreadStart + 0x21</location>
</frame>
</stack>
</event>

The Stack Trace covers the stack from user and kernel mode.

You may be wondering now… what happens when Procmon detects API calls from a code injected into another process?

Great question…

They stand out as hell… as Procmon is unable to resolve them:

<ProcessIndex>105</ProcessIndex>
<Time_of_Day>11:38:34.0276039</Time_of_Day>
<Process_Name>Explorer.EXE</Process_Name>
<PID>2192</PID>
<Operation>RegOpenKey</Operation>
<Path>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</Path>
<Result>SUCCESS</Result>
<Detail>Desired Access: Write, Query Value, Enumerate Sub Keys, Delete</Detail>
<stack>
<frame>
<depth>0</depth>
<address>0xfffff80002e3e550</address>
<path>C:\Windows\system32\ntoskrnl.exe</path>
<location>MmUnmapViewInSessionSpace + 0x7a0</location>
</frame>
…
<frame>
<depth>12</depth>
<address>0x16000067c</address>
</frame>
</stack>
</event>

That last address 0x16000067c?

Bingo! It’s a code injected by malware.

Now, all you have to do is to filter this data by PID, address range, etc. I am not a XML wizard so I take a shortcut and parse this data in a line-by line way using a simple state machine; still, the result is pretty… API Monitorish…

105 svchost.exe 0x2600475cc 9 RegQueryKey HKCU SUCCESS
105 svchost.exe 0x2600475cc 12 RegOpenKey HKCU\
Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
105 svchost.exe 0x2600475cc 8 RegSetInfoKey HKCU\
Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
105 svchost.exe 0x2600471dd 13 RegCloseKey HKCU SUCCESS
105 svchost.exe 0x2600471dd 14 RegOpenKey HKCU SUCCESS
105 svchost.exe 0x260047291 7 RegEnumKey HKCU SUCCESS
105 svchost.exe 0x260047291 7 RegEnumKey HKCU SUCCESS

And the bonus:

You could convert these events and incorporate them as comments into IDA, extract IOCs (e.g. by filtering over ‘CreateFile’, etc.), and probably do a few more interesting things (support PE dumping of injected code?)

API Monitoring under Windows 10

Posted on by

I recently asked around about Win10 API Monitoring. The reason I asked about it is that I noticed that:

  • API monitoring tools from the past no longer work (e.g. Rohitab, WIn32Override non-commercial version)
  • They are usually focused on 32-bit anyway
  • Many of them use legacy approach (aggressive hooking) that causes troubles on win10

I am looking for an alternative that works…

The following are the ideas I gathered from various sources (thanks to anyone who replied):

  • Frida
    • https://github.com/FuzzySecurity/Fermion
  • DTRace
    • https://techcommunity.microsoft.com/t5/windows-kernel-internals/dtrace-on-windows/ba-p/362902
  • Pinitor
    • https://rayanfam.com/topics/pinitor/
  • WinDBG Time Travel Debugging
  • Commercial SpyStudio
    • https://www.nektra.com/products/spystudio-api-monitor/download/
  • Commercial WinAPIOverride
    • http://jacquelin.potier.free.fr/winapioverride32/

API Monitoring is pretty important to reverse engineers. Not only it speeds up analysis, but it also paves a way to understand rapidly developing changes in the Windows environment. Old API Monitors primarily worked in 32-bit, used aggressive hooking, and often leveraged kinda dodgy kernel drivers, and csrss code injection. They also don’t understand New Low-Level Binaries, WOW, .NET, and Metro apps.

As such… it’s time for some creative soul to kick off a new project :-). A full blown API Monitor for 64-bit userland…

How would we go about building a tool like this?

Today is so much better than 15 years ago. I still remember hunting down API definitions in early noughties (e.g. re-using files with VB API declarations) and later writing scripts to extract API definitions from .hlp, .chm, .hx* files that MSDN/SDK help was shipped as, as well as ‘talking’ to local MSDN server to retrieve XML definitions of API… It was tough, inconsistent, but doable. In fact, the definitions for 12000 APIs that HAM monitored were built this way. And today it’s… easier. Only a few days ago Microsoft released a full-blown API documentation that can be easily transformed to API definitions that any API monitor can digest. Times changed…

So now that we have API definitions… all we need is a good API hooking engine.

Which technology to use? There are actually many available today… Modern sandboxes use hypervisors, emulation, but I don’t see these being used in any available API Monitosr. Moreso, the nature of reverse engineering often asks for tools that work inside a limited VM guest environment so neither emulation or hypervisors can be efficiently used on these systems (someone correct me on this!).

But things are not too bad. Alex Ionescu outlined a few interesting ideas in his presentation from … 2015, including time travel debugging, app verifier, miniwin, shims and CFG. We can also probably force-patch system DLLs (a bad idea!), or use either DotLocal or KnownDll modification to force-redirect loading of OS DLLs to a local directory where we can use our own versions of these libraries. I have not tested these ideas, but it may work. And then there is Frida and PIN as well as ReactOS and Wine. And after I posted this, a couple of guys pinged me to let me know that Detours still works on win10 pretty well (thanks!). Also, one more update from me, apparently Quiling can work too, as well as EasyHook library.

I started playing with these ideas and will see if I have enough strength to make it a workable solution, but in the meantime… the notes are here, If you are bored… I am sure RCE world will welcome any contribution.

If you know any existing tool that should be added to the list, or know an engine that could be used for API hooking that is not listed here, please let me know.