Behaviour monitoring

Last updated 9 months ago

API calls

Sometimes we just need to know what a piece of software does under specific conditions or at a certain time. The easiest way to do this is to monitor (and, if necessary, intercept) API function calls. Don't go straight to reversing if you don't need to. ;)

With Rohitab API Monitor it is possible to set up API filters based on function names or libraries and capture each call to them. You can also set breakpoints before or after a call, and on error or exception conditions. To show part of its power, let's see how to monitor a simple program that shows a message box.

I checked all API filters so that API Monitor will monitor everything and opened a hello.exe process to monitor. Here is the result:

In the function call log I looked for MessageBox and put a Breakpoint Before Call:

After reopening the process for monitoring (restarting it) and hitting the breakpoint, API Monitor opens a window containing the call details:

You can edit all of them as you wish. In this example I'll edit the message content and the dialog box style. Right click on the lpText parameter and choose Edit Memory. In this window I searched for a hole (a big sequence of null bytes), wrote the text I wanted there and copied its address (0x004045cc in the example):

Now, with the address of my new text, I'll just replace it as the lpText parameter value (F2). I also changed the MB_OK value of the uType parameter to MB_RIGHT:

After clicking Continue here is the result:

So, just like with any debugger, you can actually make changes to the execution flow of a program, but it can be a lot easier with API Monitor, depending on your needs.

One nice feature is support for external DLLs, so if your target uses a custom library, you can also intercept those calls and see what is going on.
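The filtering and parameter-reading that API Monitor does in its GUI can be reproduced offline on an exported call trace. The following Python is an added example (not from the original page and not API Monitor's own code): it parses a constructed trace whose "module|Function(args)|return" layout is an assumption for this example, filters calls by library or function name the way the filter tree does, decodes the MessageBox uType value (so the MB_OK to MB_RIGHT change above becomes readable), and lists files a program creates and later deletes.

```python
import re
from dataclasses import dataclass

# Constructed sample trace. The "module|Function(args)|return" layout is an
# assumption made for this example, not API Monitor's real export format.
SAMPLE_TRACE = r"""
kernel32.dll|GetModuleHandleA(NULL)|0x00400000
user32.dll|MessageBoxA(NULL, "Hello, World!", "hello", 0x00000000)|1
kernel32.dll|CreateFileA("C:\Users\x\key.bin", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL)|0x0000007c
kernel32.dll|WriteFile(0x0000007c, 0x0041a000, 32, 0x0019fee0, NULL)|1
kernel32.dll|DeleteFileA("C:\Users\x\key.bin")|1
user32.dll|MessageBoxA(NULL, "patched text", "hello", 0x00080000)|1
"""

# Documented Win32 MB_* values. Buttons live in the low nibble, icons in the
# next one; the remaining styles are independent bit flags.
MB_BUTTONS = {0x0: "MB_OK", 0x1: "MB_OKCANCEL", 0x2: "MB_ABORTRETRYIGNORE",
              0x3: "MB_YESNOCANCEL", 0x4: "MB_YESNO", 0x5: "MB_RETRYCANCEL"}
MB_ICONS = {0x10: "MB_ICONHAND", 0x20: "MB_ICONQUESTION",
            0x30: "MB_ICONEXCLAMATION", 0x40: "MB_ICONASTERISK"}
MB_FLAGS = {0x1000: "MB_SYSTEMMODAL", 0x2000: "MB_TASKMODAL",
            0x10000: "MB_SETFOREGROUND", 0x40000: "MB_TOPMOST",
            0x80000: "MB_RIGHT", 0x100000: "MB_RTLREADING"}


@dataclass
class Call:
    module: str
    function: str
    args: list
    ret: str


_CALL_RE = re.compile(r"^(\w+)\((.*)\)$")


def split_args(text: str) -> list:
    """Split a C-style argument list on commas that are outside double quotes."""
    args, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def parse_trace(text: str) -> list:
    """Turn one trace line per call into Call records; malformed lines are skipped."""
    calls = []
    for line in text.strip().splitlines():
        module, call, ret = line.split("|", 2)
        m = _CALL_RE.match(call)
        if m:
            calls.append(Call(module, m.group(1), split_args(m.group(2)), ret))
    return calls


def filter_calls(calls, modules=(), functions=()):
    """Keep calls matching a library filter and/or a function-name filter (both optional)."""
    wanted = {m.lower() for m in modules}
    return [c for c in calls
            if (not wanted or c.module.lower() in wanted)
            and (not functions or c.function in functions)]


def decode_utype(value: int) -> str:
    """Render a numeric MessageBox uType as the MB_* names it is composed of."""
    names = [MB_BUTTONS.get(value & 0xF, "MB_?")]
    if value & 0xF0:
        names.append(MB_ICONS.get(value & 0xF0, "MB_ICON?"))
    names += [name for bit, name in MB_FLAGS.items() if value & bit]
    return " | ".join(names)


def transient_files(calls) -> list:
    """Paths passed to CreateFile* and later to DeleteFile*: files to grab before they vanish."""
    created, gone = [], []
    for c in calls:
        if c.function.startswith("CreateFile") and c.args and c.args[0].startswith('"'):
            created.append(c.args[0].strip('"'))
        elif c.function.startswith("DeleteFile") and c.args:
            path = c.args[0].strip('"')
            if path in created:
                gone.append(path)
    return gone


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in filter_calls(calls, functions=("MessageBoxA",)):
        print(f"{c.function}: lpText={c.args[1]} uType={decode_utype(int(c.args[3], 16))}")
    print("created then deleted:", transient_files(calls))
```

The uType decoder is the part worth keeping: a trace usually shows the raw number, and the bit-field layout (buttons, icon, then flags) is what lets you confirm that an edited value such as 0x00080000 really means MB_OK | MB_RIGHT rather than some other style.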

File capture

Some programs create files on the system and then delete or change them. Of course you can use any debugger to stop where you want, or even the previously shown API Monitor for that, but there is also another way of doing it, with the FileGrab tool.

This tool captures newly created files on the system and copies them to a directory or uploads them to an FTP server.

It supports regular expressions to define patterns in the path of monitored files to capture them. In the following example only files created under the C:\Windows directory, including subdirectories, and with .dll, .exe or .cpl extensions will be captured:

You can use either regular expressions or MS-DOS wildcard matching. One of the ACCDFISA ransomware families used to create an encryption key on disk and then secure-delete it. I could easily verify this using a *.dll filter with FileGrab.
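To make the capture logic concrete, here is an added Python example (not FileGrab's code and not from the original page) that does the same job on a small scale: it builds a path filter from either a regex or an MS-DOS style wildcard, then polls a watched directory and copies every new matching file into a capture directory before the program that wrote it can delete it. The demo tree, the key file and its contents are constructed; the regex shown for the C:\Windows example is my assumption of how that filter would be written, since the page does not print it. Polling is a simplification: a file created and deleted between two polls is missed, which is why a real capture tool hooks file creation rather than scanning.

```python
import fnmatch
import os
import re
import shutil
import tempfile
from pathlib import Path


def make_matcher(pattern: str, regex: bool = False):
    """Build a predicate over full paths from a regex or an MS-DOS style wildcard.
    Matching is case-insensitive (Windows paths) and '*' is allowed to cross
    directory separators, so a C:\\Windows\\*.dll style filter covers subdirectories."""
    if regex:
        rx = re.compile(pattern, re.IGNORECASE)
        return lambda path: rx.search(path) is not None
    return lambda path: fnmatch.fnmatchcase(path.lower(), pattern.lower())


def snapshot(root: str) -> set:
    """Set of every file path currently under root."""
    return {os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs}


class FileCapturer:
    """Copy files that appear under `root` and match the filter into `dest`."""

    def __init__(self, root: str, dest: str, pattern: str, regex: bool = False):
        self.root, self.dest = root, dest
        self.matches = make_matcher(pattern, regex)
        self.seen = snapshot(root)
        self.captured = []
        os.makedirs(dest, exist_ok=True)

    def poll(self) -> list:
        """Capture files created since the last poll; returns the original paths copied."""
        current = snapshot(self.root)
        copied = []
        for path in sorted(current - self.seen):
            if not self.matches(path):
                continue
            target = os.path.join(self.dest, os.path.relpath(path, self.root))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            try:
                shutil.copy2(path, target)
            except FileNotFoundError:
                continue  # deleted between snapshot and copy: the polling race
            self.captured.append(target)
            copied.append(path)
        self.seen = current
        return copied


def demo() -> dict:
    """Self-contained run on a temporary tree standing in for C:\\Windows."""
    with tempfile.TemporaryDirectory() as tmp:
        watched = os.path.join(tmp, "Windows")
        os.makedirs(os.path.join(watched, "System32"))
        dest = os.path.join(tmp, "captured")
        cap = FileCapturer(watched, dest, os.path.join(watched, "*.dll"))

        # Constructed behaviour: a key file written under System32 plus some
        # noise, then the key is deleted again shortly afterwards.
        key = os.path.join(watched, "System32", "key.dll")
        Path(key).write_bytes(b"constructed key material")
        Path(os.path.join(watched, "System32", "readme.txt")).write_text("noise")
        Path(os.path.join(watched, "setup.exe")).write_bytes(b"MZ")
        first = cap.poll()
        os.remove(key)
        cap.poll()

        copy = os.path.join(dest, "System32", "key.dll")
        return {
            "captured": [Path(os.path.relpath(p, watched)).as_posix() for p in first],
            "copy_survives_delete": os.path.exists(copy),
            "copy_bytes": Path(copy).read_bytes() if os.path.exists(copy) else b"",
        }


if __name__ == "__main__":
    print(demo())
```

The wildcard branch relies on fnmatch, whose `*` matches across separators; that is what gives the "including subdirectories" behaviour the page describes, and the regex branch gets the same effect from an explicit `.*` between the directory and the extension group.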