Tracing API call sequence from log report

febri
Posts: 4
Joined: Thu Mar 03, 2022 2:17 pm

Tracing API call sequence from log report

Post by febri »

Hello,
To trace an API call sequence at runtime, we can hook the program using the Detours hooking library.

But what I want to ask is: is there a way to get the API call sequence from the trace log provided by Sandboxie after it's done running malware/benign software?
Because I'm planning to build a parser to get the API call sequence and a malware detection system, using API sequences as input.
Thank you in advance.

DavidXanatos
Posts: 340
Joined: Fri Mar 19, 2021 11:26 am

Re: Tracing API call sequence from log report

Post by DavidXanatos »

You can enable syscall tracing with CallTrace=*,
then you get all calls to ntdll.dll logged.

febri
Posts: 4
Joined: Thu Mar 03, 2022 2:17 pm

Re: Tracing API call sequence from log report

Post by febri »

Thanks for the answer,
But I want to ask again: is there any other way if I want to get the Win32 API sequence only?

The background is that I want to continue and add many new datasets in the form of Win32 API call sequences for malware and benign software from previous research, source at the following link: https://ocslab.hksecurity.net/apimds-dataset, so I want to get, based on Win32 API only, what Sandboxie gave.

Then I will process the dataset using a Machine Learning model to create a detection system, so that later when a new sequence is entered as input to the detection system, it can detect whether the program being executed is malware/benign.
Thanks very much.

DavidXanatos
Posts: 340
Joined: Fri Mar 19, 2021 11:26 am

Re: Tracing API call sequence from log report

Post by DavidXanatos »

You can use the API log DLL: https://github.com/sandboxie-plus/LogApiDll to log more, but not all, Win32 API calls. If you need more than what it's already logging you will need to add them manually to that DLL.

febri
Posts: 4
Joined: Thu Mar 03, 2022 2:17 pm

Re: Tracing API call sequence from log report

Post by febri »

Yes, I've used https://github.com/sandboxie-plus/LogApiDll, but I just want to make sure: is it sequenced or not?

image link : https://postimg.cc/hzQzvrFc

Thank you very much

DavidXanatos
Posts: 340
Joined: Fri Mar 19, 2021 11:26 am

Re: Tracing API call sequence from log report

Post by DavidXanatos »

Yes, the order of the events should be maintained; they should not arrive at the logging server out of order or with any significant delay.
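The thread asks for three things a log parser for this use case has to do: read the call trace that CallTrace=* and LogApiDll produce, keep only the Win32-layer calls rather than the ntdll.dll syscalls, and preserve event order per process before the sequences are fed to a classifier. The following is an added example, not code from the thread or from the Sandboxie or LogApiDll projects. It assumes a hypothetical one-call-per-line format, "<seq> <pid>:<tid> <module>!<api>(<args>)", and a constructed sample log; the real Sandboxie trace format differs, so only the regular expression would need adapting. It also goes one step beyond the thread by turning the per-process sequences into n-gram counts, the usual feature representation for API-sequence classifiers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in a HYPOTHETICAL line format (assumed here, not Sandboxie's
# real trace or LogApiDll output): "<seq> <pid>:<tid> <module>!<api>(<args>)".
# Line 3 is deliberately listed before lines 1 and 2 to exercise re-ordering by
# sequence number, and the last line is malformed to exercise skipping.
SAMPLE_LOG = """\
3 1234:8 ntdll.dll!NtOpenFile(a.txt)
1 1234:8 kernel32.dll!CreateFileW(a.txt)
2 1234:8 ntdll.dll!NtCreateFile(a.txt)
4 1234:8 kernel32.dll!WriteFile(0x1c4, 512)
5 5678:12 advapi32.dll!RegOpenKeyExW(Software/Test)
6 1234:8 kernel32.dll!CloseHandle(0x1c4)
this line does not match the assumed format and is skipped
"""

# Assumed line layout; adapt this pattern to the actual trace format in use.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<pid>\d+):(?P<tid>\d+)\s+"
    r"(?P<module>[A-Za-z0-9_.]+)!(?P<api>\w+)\("
)

# The native syscall layer that CallTrace=* logs; dropped when only Win32 calls are wanted.
NATIVE_MODULES = {"ntdll.dll"}


def parse_lines(text):
    """Return ([(seq, pid, tid, module, api), ...], skipped_line_count)."""
    records = []
    skipped = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed or unrelated line: count it, do not crash
            continue
        records.append((int(m["seq"]), int(m["pid"]), int(m["tid"]),
                        m["module"].lower(), m["api"]))
    return records, skipped


def api_sequences(text, win32_only=True):
    """Map pid -> ordered list of API names, sorted by sequence number."""
    records, _ = parse_lines(text)
    per_pid = defaultdict(list)
    # Sorting on the (seq, ...) tuple restores the order even if lines were written out of order.
    for seq, pid, tid, module, api in sorted(records):
        if win32_only and module in NATIVE_MODULES:
            continue
        per_pid[pid].append(api)
    return dict(per_pid)


def ngrams(seq, n):
    """Sliding window of n consecutive API names, e.g. [a,b,c] -> [(a,b),(b,c)]."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def ngram_features(sequences, n=2):
    """Count n-grams across all processes; a Counter is a simple bag-of-ngrams feature vector."""
    counts = Counter()
    for seq in sequences.values():
        counts.update(ngrams(seq, n))
    return counts


if __name__ == "__main__":
    seqs = api_sequences(SAMPLE_LOG)
    for pid, seq in seqs.items():
        print(pid, " -> ".join(seq))
    print(ngram_features(seqs, 2))
```

Keying the sequences by PID matters because a sandboxed run usually spawns several processes and interleaves their log lines; a per-process list keeps each sample's sequence intact for the model. Sorting by the sequence number is a cheap safeguard even when, as DavidXanatos notes, the logger is expected to deliver events in order.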
