So, let’s begin:<\/p>\n
- \n
- First, download and run HAM<\/a>. You should see the following screen:
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_1-300x201.png\" "\\"How")
<\/a><\/li>\n- Now, Press F3<\/strong>, Ctrl-O<\/strong>, or choose File->Open Executable<\/strong> from the application menu.
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_2-300x210.png\" "\\"How")
<\/a><\/li>\n- Go to your System Directory:<\/li>\n
- Type ‘notepad.exe<\/strong>‘ and hit Enter<\/li>\n
- Type the command line argument\u00a0for Notepad e.g.\u00a0‘test.txt<\/strong>‘ – this file will be opened by Notepad:
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_3-300x201.png\" "\\"How")
<\/a><\/li>\n- Press Alt+A<\/strong> or click the icon as shown below:\u00a0
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_4-300x201.png\" "\\"How")
<\/a><\/li>\n- Choose ‘CreateFileW<\/strong>‘ API in the API Functions<\/strong> window:
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_5-300x201.png\" "\\"How")
<\/a><\/li>\n- Press F5<\/strong> or click the icon as shown below:
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_6-300x201.png\" "\\"How")
<\/a><\/li>\n- The Notepad\u00a0will now be launched, modules loaded by Notepad will be shown in a small window; for each module loaded, HAM will attempt to intercept all APIs as selected earlier in the API Functions<\/strong> – in our case it is only ‘CreateFileW’<\/strong>\u00a0:
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_7-300x201.png\" "\\"How")
<\/a><\/li>\n- Each module loaded by\u00a0Notepad is shown in the output pane; Notepad window is shown on the Desktop as well;\u00a0as\u00a0you can see, CreateFileW API has been called once, and with the argument being a file name that we typed in Notepad Open File window i.e. ‘test.txt<\/strong>‘;\u00a0
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_8-300x187.png\" "\\"How")
<\/a><\/li>\n<\/ul>\nWe can conclude this demo with the following observations:<\/p>\n
- \n
- Notepad is indeed using CreateFileW<\/strong> when it opens the files<\/li>\n
- The file is being open with the flag OPEN_EXISTING<\/strong> i.e. it will attempt to open existing file, without overwriting it<\/li>\n
- The file is open in both FILE_SHARE_READ<\/strong> and FILE_SHARE_WRITE<\/strong> mode i.e. you could open file in Notepad and then still overwrite it with an external application e.g. echo foo>test.txt<\/strong> while it is being edited.<\/li>\n<\/ul>\n
We also learnt that:<\/p>\n
- \n
- Loading applications for analysis and passing arguments to it is very straightforward<\/li>\n
- In order to use it efficiently, it is good to have some basic understanding of Windows programming, You need to know which APIs to select to monitor the analyzed program efficiently.<\/li>\n
- HAM works on Windows 8 Developer Preview \ud83d\ude42<\/li>\n<\/ul>\n
As you can see, by just looking at arguments passed to APIs, as well as the flow of the APIs being called, multiple things can be done:<\/p>\n
- \n
- it may help in in-house malware analysis<\/li>\n
- it may help with vulnerability research<\/li>\n
- it may help in understanding Windows API and Windows internals<\/li>\n
- it may allow to discover undocumented or unexpected quirks\u00a0of windows (e.g. what mutexes are created by a given application, what strings are hard coded and compared against by certain APIs, etc.)<\/li>\n<\/ul>\nEnjoy!<\/div>\n","protected":false},"excerpt":{"rendered":"
This is a short intro tutorial on how to use HAM. The basic idea is to show how to: Load an application for analysis Pass command line arguments to the analyzed\u00a0program Choose APIs Run Observe the output So, let’s begin: … Continue reading
- The file is being open with the flag OPEN_EXISTING<\/strong> i.e. it will attempt to open existing file, without overwriting it<\/li>\n
- Now, Press F3<\/strong>, Ctrl-O<\/strong>, or choose File->Open Executable<\/strong> from the application menu.
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2011\/11\/ham_tut1_1.png\" "\\"How")
<\/a><\/li>\n