API Monitoring under Windows 10

I recently asked around about Win10 API Monitoring. The reason I asked about it is that I noticed that:

  • API monitoring tools from the past no longer work (e.g. Rohitab, Win32Override non-commercial version)
  • They are usually focused on 32-bit anyway
  • Many of them use a legacy approach (aggressive hooking) that causes trouble on Win10

I am looking for an alternative that works…

The following are the ideas I gathered from various sources (thanks to anyone who replied):

  • Frida
    • https://github.com/FuzzySecurity/Fermion
  • DTrace
    • https://techcommunity.microsoft.com/t5/windows-kernel-internals/dtrace-on-windows/ba-p/362902
  • Pinitor
    • https://rayanfam.com/topics/pinitor/
  • WinDBG Time Travel Debugging
  • Commercial SpyStudio
    • https://www.nektra.com/products/spystudio-api-monitor/download/
  • Commercial WinAPIOverride
    • http://jacquelin.potier.free.fr/winapioverride32/

API Monitoring is pretty important to reverse engineers. Not only does it speed up analysis, but it also paves the way to understanding the rapidly developing changes in the Windows environment. Old API Monitors primarily worked in 32-bit, used aggressive hooking, and often leveraged kinda dodgy kernel drivers and csrss code injection. They also don’t understand new low-level binaries, WOW, .NET, and Metro apps.

As such… it’s time for some creative soul to kick off a new project :-). A full blown API Monitor for 64-bit userland…

How would we go about building a tool like this?

Today is so much better than 15 years ago. I still remember hunting down API definitions in the early noughties (e.g. re-using files with VB API declarations) and later writing scripts to extract API definitions from the .hlp, .chm, .hx* files that MSDN/SDK help was shipped as, as well as ‘talking’ to a local MSDN server to retrieve XML definitions of APIs… It was tough, inconsistent, but doable. In fact, the definitions for the 12000 APIs that HAM monitored were built this way. And today it’s… easier. Only a few days ago Microsoft released full-blown API documentation that can be easily transformed into API definitions that any API monitor can digest. Times changed…

So now that we have API definitions… all we need is a good API hooking engine.

Which technology to use? There are actually many available today… Modern sandboxes use hypervisors and emulation, but I don’t see these being used in any available API Monitors. More so, the nature of reverse engineering often asks for tools that work inside a limited VM guest environment, so neither emulation nor hypervisors can be efficiently used on these systems (someone correct me on this!).

But things are not too bad. Alex Ionescu outlined a few interesting ideas in his presentation from … 2015, including time travel debugging, app verifier, miniwin, shims and CFG. We can also probably force-patch system DLLs (a bad idea!), or use either DotLocal or KnownDlls modification to force-redirect loading of OS DLLs to a local directory where we can use our own versions of these libraries. I have not tested these ideas, but they may work. And then there is Frida and PIN, as well as ReactOS and Wine. And after I posted this, a couple of guys pinged me to let me know that Detours still works on Win10 pretty well (thanks!). Also, one more update from me: apparently Qiling can work too, as well as the EasyHook library.
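To make the Frida option from the list above concrete, here is an added example (not code from the original post) of what a minimal 64-bit userland API monitor looks like as a Frida script: two kernel32 exports are hooked with `Interceptor`, arguments are decoded per a constructed definition table, and the return value plus LastError are logged. It assumes a Frida session on the target process (e.g. `frida -n <process> -l monitor.js`); the formatting helpers are plain JavaScript so they can run and be checked outside Frida.

```javascript
// Constructed API definition table: which arguments to decode and how.
// A real monitor would generate this from the API documentation instead.
const WATCHED = [
  { module: 'kernel32.dll', name: 'CreateFileW',
    args: [['lpFileName', 'wstr'], ['dwDesiredAccess', 'hex']] },
  { module: 'kernel32.dll', name: 'WriteFile',
    args: [['hFile', 'hex'], ['nNumberOfBytesToWrite', 'uint']] },
];

// Build the "module!Api(arg=value, ...)" line. `read` abstracts the
// NativePointer accessors so this stays pure and testable outside Frida.
function formatCall(api, rawArgs, read) {
  const decoded = api.args.map(([label, kind], i) => {
    const v = rawArgs[i];
    let s;
    if (kind === 'wstr') s = JSON.stringify(read.wstr(v));   // quoted path
    else if (kind === 'uint') s = String(read.uint(v));       // decimal
    else s = '0x' + read.hex(v);                               // handle/flags
    return `${label}=${s}`;
  });
  return `${api.module}!${api.name}(${decoded.join(', ')})`;
}

// Append the outcome of the call to the line built in onEnter.
function formatReturn(line, retvalHex, lastError) {
  return `${line} -> 0x${retvalHex} (LastError=${lastError})`;
}

// Install hooks only when running inside Frida; under plain Node the
// Frida globals are absent and the helpers above remain usable on their own.
if (typeof Interceptor !== 'undefined') {
  const fridaRead = {
    wstr: p => (p.isNull() ? null : p.readUtf16String()),
    uint: p => p.toUInt32(),
    hex: p => p.toString(16),
  };
  for (const api of WATCHED) {
    const target = Module.getExportByName(api.module, api.name);
    Interceptor.attach(target, {
      onEnter(args) {
        // Copy the NativePointers now; `args` is only valid inside onEnter.
        const raw = Array.from({ length: api.args.length }, (_, i) => args[i]);
        this.line = formatCall(api, raw, fridaRead);
      },
      onLeave(retval) {
        // `this.lastError` is Frida's per-call snapshot of GetLastError().
        console.log(formatReturn(this.line, retval.toString(16), this.lastError));
      },
    });
  }
}
```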

I started playing with these ideas and will see if I have enough strength to make it a workable solution, but in the meantime… the notes are here, if you are bored… I am sure the RCE world will welcome any contribution.

If you know any existing tool that should be added to the list, or know an engine that could be used for API hooking that is not listed here, please let me know.

Blue ink, Red ink… Purple Heart

In the past I was primarily focusing on the bad stuff. All the malware stats I ever posted were based on a substantial corpus of malware samples that I processed both ‘statically’ and ‘dynamically’… These numbers were pretty high for an individual contributor … 12M+ samples I did static analysis on & 1.5M+ dynamic analysis reports (shared with the community via the most awesome @VXShare)…

Around 3-4 years ago things changed.

My primary focus moved from collecting malware samples to building a repo of clean samples (not necessarily signed tho!). There are many reasons for this ‘change of a paradigm’, but any respectable sample hoarder can easily recognize these patterns…

  • you can’t hoard all the malware samples anymore
  • it is growing too fast ($$$ for storage, time for post processing & backups), it’s also hard to classify while ROI of collection is no longer that high…
  • there are more and more boring samples (same old, same old + new fads e.g. ransomware).
  • migration in malicious techniques from a purely binary code (exe, dll, cpl) to PowerShell, C#, as well as return of Office Macros & WScript/CScript coding goodness…

The malware of today is often … an obfuscated script. Plus, many analysts don’t even bother to fully understand the internals of malware anymore as long as we can build a quick detection for it & block it…

Coming back to the ‘good samples repo’ thing – there is more …

I got interested in Living off the Land and novelty code injection techniques, so having access to the CLEAN sample set made a huge difference – it suddenly opened many new research opportunities that traditional malware corpora don’t usually offer anymore…

How?

Legacy code, silly ideas, copypasta from CodeProject, CodeGuru, StackOverflow… the internetz of copypasta overall… drivers, COM DLLs, funny installer executables, custom installers, broken, broken, and even more broken… then debug functions, test functions, internal environment variables that made it to production, phantom DLLs, hardcoded credentials, and many, many more…

What does it mean though?

I think it’s a symptom of me getting more and more interested in the offensive side of things. And I will be probably the last one to admit that… but I kinda like it. I was never a pentester and never really had an itch to scratch to ‘pwn things’, but I really do love novelty tricks and I hope … it shows…

So… a blue teamer with the red team itch … this itch needs to be scratched.

When I realized that… I also realized that there are a lot of benefits to this ‘change of direction’. My defensive persona loves to know all the ‘new’ so I always feel that when I can contribute a new trick or discovery I become (and make others who read that…) a… better defender.

So…

This is… at least in my eyes… the ultimate destiny of anyone on the blue side of things… You will eventually become as red as the red team, and more. Cuz they just primarily focus on the ‘pwn’ bit (and they are right) and we, blue teamers, need to be crimson-yearning… a strong foundation of blue, lots of red desires, and defo more and more purple… Is lavender the new black?