Hello,
To trace the API call sequence at runtime, we can hook the program using the Detours hooking library.
But what I want to ask is: is there a way to get the API call sequence from the trace log provided by Sandboxie after it has finished running a malware/benign sample?
Because I'm planning to build a parser to extract the API call sequence, and a malware detection system that uses API sequences as input.
Thank you in advance.
Tracing API call sequence from log report
- DavidXanatos
- Posts: 340
- Joined: Fri Mar 19, 2021 11:26 am
Re: Tracing API call sequence from log report
You can enable syscall tracing with CallTrace=*
then you get all calls to ntdll.dll logged
Re: Tracing API call sequence from log report
Thanks for the answer,
but I want to ask again: is there any other way to get the Win32 API sequence only?
The background is that I want to continue, and add many new datasets in the form of Win32 API call sequences for malware and benign samples from previous research (source at the following link: https://ocslab.hksecurity.net/apimds-dataset), so I want to get only the Win32 API calls from what Sandboxie gives.
Then I will process the dataset using a machine learning model to create a detection system, so that later, when a new sequence is entered as input to the detection system, it can detect whether the program being executed is malware or benign.
Thanks very much.
- DavidXanatos
- Posts: 340
- Joined: Fri Mar 19, 2021 11:26 am
Re: Tracing API call sequence from log report
You can use the API log DLL: https://github.com/sandboxie-plus/LogApiDll to log more, but not all, Win32 API calls; if you need more than what it's already logging, you will need to add them manually to that DLL.
Re: Tracing API call sequence from log report
Yes, I've used https://github.com/sandboxie-plus/LogApiDll, but I just want to make sure: is it sequenced or not?
image link : https://postimg.cc/hzQzvrFc
Thank you very much
- DavidXanatos
- Posts: 340
- Joined: Fri Mar 19, 2021 11:26 am
Re: Tracing API call sequence from log report
Yes, the order of the events should be maintained; they should not arrive at the logging server out of order or with any significant delay.
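The parser the first post describes, combined with the point in the reply above that the log preserves event order, as an added example that is not code from this thread, from LogApiDll or from the Sandboxie project. The tab-separated line layout (time, PID, TID, entry type, message) and the type names "ApiCall" and "SysCall" are assumptions made for this example, and the sample log is constructed; adapt parse_line() to whatever the exported trace actually looks like. The point it shows is how to keep one ordered sequence per process, filter Win32-level entries from ntdll-level ones, and turn the sequences into n-grams and integer ids that a model can consume.

```python
import re
from collections import Counter, defaultdict

# Constructed sample trace. The column layout and the type names below are
# ASSUMPTIONS for this example, not the real Sandboxie export format.
SAMPLE_LOG = """\
12:00:01.001\t4120\t4124\tApiCall\tCreateFileW(C:\\Users\\x\\a.txt)
12:00:01.002\t4120\t4124\tSysCall\tNtCreateFile
12:00:01.003\t4120\t4124\tApiCall\tWriteFile
12:00:01.004\t4120\t4128\tApiCall\tRegOpenKeyExW(HKLM\\Software)
12:00:01.005\t5000\t5004\tApiCall\tVirtualAlloc
12:00:01.006\t4120\t4124\tApiCall\tCloseHandle
12:00:01.007\t5000\t5004\tApiCall\tWriteProcessMemory
12:00:01.008\t5000\t5004\tApiCall\tCreateRemoteThread
this line has no tab-separated fields and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\t(?P<pid>\d+)\t(?P<tid>\d+)\t(?P<type>\w+)\t(?P<msg>.*)$"
)
# The API name is the leading identifier of the message; arguments, if any,
# follow in parentheses and are dropped from the sequence.
API_NAME_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)")


def parse_line(line):
    """Parse one trace line into a dict, or return None if it does not fit the assumed layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    api = API_NAME_RE.match(m.group("msg"))
    if not api:
        return None
    return {
        "time": m.group("time"),
        "pid": int(m.group("pid")),
        "tid": int(m.group("tid")),
        "type": m.group("type"),
        "api": api.group(1),
    }


def api_sequences(lines, kinds=("ApiCall",)):
    """Return {pid: [api, ...]} in log order, keeping only entries whose type is in `kinds`.

    Log order is used directly because the trace is delivered in order (no re-sorting
    by timestamp); pass kinds=("SysCall",) to get the ntdll-level sequence instead.
    """
    seqs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["type"] not in kinds:
            continue
        seqs[rec["pid"]].append(rec["api"])
    return dict(seqs)


def ngrams(seq, n=2):
    """Sliding n-grams over one sequence, preserving order within each gram."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def ngram_counts(seq, n=2):
    """Bag of n-grams, a common fixed-size feature for sequence classifiers."""
    return Counter(ngrams(seq, n))


def build_vocab(seqs):
    """Map every API name seen across all processes to a stable integer id (0 is reserved for unknown)."""
    names = sorted({api for seq in seqs.values() for api in seq})
    return {name: i + 1 for i, name in enumerate(names)}


def encode(seq, vocab):
    """Turn an API name sequence into integer ids; names outside the vocab become 0."""
    return [vocab.get(api, 0) for api in seq]


if __name__ == "__main__":
    seqs = api_sequences(SAMPLE_LOG.splitlines())
    vocab = build_vocab(seqs)
    for pid, seq in seqs.items():
        print(pid, seq, encode(seq, vocab))
```

Because the vocabulary is built from the training traces, a new API name seen only at detection time maps to id 0 rather than shifting every other id; keep the vocab file with the model so the encoding stays consistent between training and inference.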