Monday 28 September 2020

APIMiner - The API Logger for Malwares - The Fast Way To Identifying Malwares


One of the biggest issues we have always faced is the availability of a stable API logger tool for Windows applications that can be used to analyze malware samples, that not only traces the Win32 APIs used by the parent process, but all its child processes as well. The real option that I have seen is Cuckoo Sandbox, but using Cuckoo Sandbox is unwieldy in a way, some of the reasons being,

  1. Have seen enough people try to install Cuckoo Sandbox and fail at some step.
  2. Practical deployments requires a separate Virtual Machine for installing and using Cuckoo Sandbox.
  3. Unwieldy! As malware analysts and reverse engineer you don't want to waste time just to bring up a separate VM just to log APIs for a sample.

Now point (3) above is the most important one. As malware analysts I am pretty sure we already have Windows Analysis VMs setup with various tools. Why can't we run an API logger inside our existing Analysis VM? Why install another separate VM to generate API logs? This requirement became even more profound when we were writing our book Malware Analysis and Detection Engineering where we found the lack of any such tool stifling and we wanted to do something to drastically improve malware analysis and reversing speed.

And to solve all these issues we devised APIMiner. No extra VM required. Take your existing Malware Analysis VM, and run APIMiner from the command prompt to log APIs used by your malware sample. Super fast, easy and no complex setup!

You can download the latest release of APIMiner from The zip file from the release contains a README on how to install the tool and set it up. Currently it requires a config file apiminer_config.txt, but in a new release we will get rid of that and make things even more simpler. Also make sure you have added the APIMiner.exe to the PATH environment variable. 

Test Drive

Enuf Talk! Below is a simple sample C code which that does two things - allocates a memory chunk of 4096 bytes using VirtualAlloc() Win32 API and then changes the page permissions of this memory block using VirtualProtect() Win32 API.

#include <stdio.h>
#include <stdlib.h>

#include <windows.h>

int main()
    void *addr;
    void *base;
    BOOL v;

    DWORD old;

    base = VirtualAlloc(NULL, 4096,
                        MEM_COMMIT | MEM_RESERVE, 

    printf("Received base from VirtualAlloc: %x\n", base);

    v = VirtualProtect(base, 4096, PAGE_READONLY, &old);

    printf("VirtualProtect: %s\n",
           (v != 0) ? "Success" : "Failure");
    return 0;

The above C code has been compiled into an executable test_virtualalloc.exe which we will now execute using APIMiner from the command prompt as seen below.

Running the above command generates API log files having the apiminer_traces prefixes in their filenames in the log folder whose path you have specified in apiminer_config.txt. If you investigate these API trace files you will notice two APIs - NtAllocateVirtualMemory and NtProtectVirtualMemory which are the NTAPI variants of the APIS VirtualAlloc and VirtualProtect used by our above sample. Fast and easy!

Using APIMiner you can log the APIs used by any Windows executable. We have covered this tool extensively in our new book Malware Analysis and Detection Engineering, a 900+ comprehensive hands-on guide on Malware Analysis, Malware Reverse Engineering and Detection Engineering, published by Apress and available on the Springer Network. In this book we have explained various tricks that you can use in combination with our APIMiner tool to quickly analyze the behaviour of a sample and ascertain if it is a malware or not.

Wednesday 8 July 2020

Malware Analysis and Detection Engineering: A Comprehensive Guide to Detect, Analyze and Reverse Malwares

This book is a beast! If you're looking to master the ever widening field 
of malware analysis, look no further, this is the definitive guide for you
- Pedram Amini, Founder Zero Day Initiative(ZDI) and OpenRCE, CTO

8+ months. That's what it took for me along with my co-author Abhijit to complete this book. At around 900+ pages this is the most comprehensive guide one can find on Malware Analysis, Malware Reverse Engineering and Detection Engineering. This book is being published by Apress Publications and also available on the Springer Publisher Network, arguably the biggest 
book publisher network in the world.
The book also covers Detection Engineering, a topic yet to be covered by any book, where we talk 
about the internals of various detection tools like Antiviruses, Malware Sandboxes, IDS/IPS and Binary 
Instrumentation, and how their internal details can be leveraged by malware analysts and reverse
engineers and budding detection engineers to automate sample analysis.

This book will, 
  • Will help you learn how to analyze any malware thrown at you and even reverse engineer them
    using tools like Ollydbg and IDA Pro
  • Will reveal to you many undocumented tricks used by malware researchers in the industry to
    analyze and reverse malwares.
  • Balances complex technical details and easy to apply tips/techniques that can be directly used
    while researching on a sample.
  • Is very hands-on, with exercise driven content using both simulated malware samples to help
    hone your skills in a controlled setup, and then with real-world malware samples to help you
    test your newly learned skills.
  • Covers Detection Engineering - How various detection tools work internally and how to apply
    them to automating analyzing malwares. Tools covered - Antivirus, Sandboxes, IDS/IPS and
    Binary Instrumentation
  • Introduces a custom analysis tool “APIMiner” developed by us along with the book, that
    makes analyzing malware samples uper easy.
  • Provides exercise samples along with the book.
We would like to thank Pedram Amini for providing the foreword for this book and Ravikanth Tiwari
for his technical review of the book.

The book is available for pre-order at Amazon here -

Table Of Contents
Part 1: Introduction
1. Introduction
2. Malware Analysis Lab Setup

Part 2: OS and System Fundamentals
3. File & File Formats
4. Virtual Memory & Portable Executable(PE) File
5. Windows Internals
Part 3: Malware Components & Analysis
6. Malware Components & Distribution
7. Malware Packers
8. Persistence Mechanisms
9. Network Communication
10. Code Injection, Process Hollowing & API Hooking
11. Stealth and Rootkits

Part 4: Malware Analysis & Classification
12. Static Analysis
13. Dynamic Analysis
14. Memory Forensics With Volatility
15. Malware Payload Dissection & Classification

Part 5: Malware Reverse Engineering
16. Debuggers & Assembly Language
17. Debugging Tricks for Unpacking Malwares
18. Debugging Code Injection
19. Armoring & Evasion - The Anti Techniques
20. File-less, Macros & Other Malware Trends

Part 6: Detection Engineering
21. Dev Analysis Lab Setup
22. Anti-Virus Engines
23. IDS/IPS & Snort/Suricata Rule Writing
24. Malware Sandbox Internals
25. Binary Instrumentation for Reversing Automation