Extracting API calls

Programming basics | Industry news   Updated: 2024-10-11 11:13:59
Problem description

Hi, I am looking for a step-by-step guide to extract the API calls made by some specific application (I want to do this to malware) so that I can store those API calls later somewhere like a database. I need this information to make a fuzzy set (fuzzy logic in AI) to do this: I test a limited set of 800 malware samples. I extract the API calls and keep them somewhere. Now I have a new, untested malware sample. I extract the API calls. ---> If more than 20% of the API calls extracted from that malware match those in the database, then the file is Risky (based on fuzzy logic). This mechanism is based on guessing, so it must NOT be 100% accurate. Please, if you can help, give me some guidance; I'm not looking for any source code. If the information I provided is not clear enough, please let me know in a comment so I can improve it.

Answer

If you want to build an API interception framework, then you need to look at the work of John Robbins, of WinDbg fame, and also at how to hook APIs, which is covered by a number of Code Project articles. There's no foolproof way to do this, though, because whatever technique you use, the malware can use the same technique to place itself after you in the hook chain, or intercept your interception, and remain undetected. In principle, if you could do it, you'd probably need something as sophisticated as a Hidden Markov Model or a back-propagation neural network to detect any difference between the API calls of a legitimate application, malware, and somebody else's malware detector, and by the time you detected it the calls would already have been made, so it might well be too late. If you really want to do this for sure, then you might need to run the malware on a VM with an entirely fake API and your own kernel, a truly monumental task. Good luck.
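The scoring step the question describes (extract a sample's API calls, compare them against a database built from known-malicious samples, flag the file when more than 20% match, and express the verdict as a fuzzy membership rather than a hard yes/no) is small enough to show end to end. The following is an added example, not code from the question or the answer. It assumes the API-call traces have already been extracted by whatever hook, debugger or sandbox is used (that part is deliberately out of scope); the traces embedded here are constructed stand-ins for those logs, using real Win32 export names in invented sequences, and all function and variable names are this example's own. It also goes one step beyond the question, in line with the answer's objection that legitimate programs call the same file, registry and network APIs: a constructed benign baseline is used to down-weight calls that are common to both classes, so that plain file I/O does not trip the 20% rule on its own.

```python
"""Fuzzy risk scoring over extracted API-call traces (added example)."""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed traces: one list of API names per known-malicious sample.
# In the question's setup there would be ~800 of these; four suffice here.
KNOWN_MALWARE_TRACES: Dict[str, List[str]] = {
    "sample_001": ["CreateFileW", "WriteFile", "RegSetValueExW",
                   "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"],
    "sample_002": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                   "CreateRemoteThread", "CloseHandle"],
    "sample_003": ["InternetOpenW", "InternetOpenUrlW", "CreateFileW",
                   "WriteFile", "WinExec"],
    "sample_004": ["RegSetValueExW", "RegCreateKeyExW", "CreateFileW",
                   "WriteFile", "CloseHandle"],
}

# Constructed benign baseline (assumption: you also trace a few clean programs).
# Legitimate software shares most file/registry/network calls with malware,
# so a benign set lets us weight calls by how malware-specific they are.
BENIGN_TRACES: Dict[str, List[str]] = {
    "notepad": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                "RegQueryValueExW"],
    "browser": ["InternetOpenW", "InternetOpenUrlW", "CreateFileW",
                "WriteFile", "CloseHandle"],
}


def build_database(traces: Dict[str, Iterable[str]]) -> Counter:
    """For each API name, count how many samples call it at least once."""
    db: Counter = Counter()
    for calls in traces.values():
        db.update(set(calls))          # set(): one vote per sample, not per call
    return db


MAL_DB = build_database(KNOWN_MALWARE_TRACES)
BEN_DB = build_database(BENIGN_TRACES)


def overlap_ratio(trace: Iterable[str], db: Counter) -> float:
    """The question's metric: share of the sample's distinct APIs seen in db."""
    distinct = set(trace)
    if not distinct:
        return 0.0
    return sum(1 for api in distinct if api in db) / len(distinct)


def naive_verdict(trace: Iterable[str], db: Counter, threshold: float = 0.2) -> bool:
    """The literal '> 20% matches => Risky' rule from the question."""
    return overlap_ratio(trace, db) > threshold


def specificity(api: str, mal_db: Counter, n_mal: int,
                ben_db: Counter, n_ben: int) -> float:
    """How malware-specific one API is: m / (m + b), where m and b are the
    fractions of malicious and benign samples that call it. 1.0 = only ever
    seen in malware, 0.5 = equally common in both, 0.0 = never seen in malware."""
    m = mal_db.get(api, 0) / n_mal
    b = ben_db.get(api, 0) / n_ben
    return 0.0 if m + b == 0 else m / (m + b)


def weighted_score(trace: Iterable[str], mal_db: Counter, n_mal: int,
                   ben_db: Counter, n_ben: int) -> float:
    """Mean specificity over the sample's distinct APIs (0.0 .. 1.0)."""
    distinct = set(trace)
    if not distinct:
        return 0.0
    return sum(specificity(a, mal_db, n_mal, ben_db, n_ben) for a in distinct) / len(distinct)


# Piecewise-linear membership functions, the usual fuzzy-logic building blocks.
def _ramp_down(x: float, lo: float, hi: float) -> float:
    return 1.0 if x <= lo else 0.0 if x >= hi else (hi - x) / (hi - lo)


def _ramp_up(x: float, lo: float, hi: float) -> float:
    return 0.0 if x <= lo else 1.0 if x >= hi else (x - lo) / (hi - lo)


def _triangle(x: float, lo: float, peak: float, hi: float) -> float:
    if x <= lo or x >= hi:
        return 0.0
    return (x - lo) / (peak - lo) if x <= peak else (hi - x) / (hi - peak)


def fuzzy_membership(score: float) -> Dict[str, float]:
    """Degree to which a score belongs to each linguistic class. The cut points
    are assumptions to be tuned on a held-out set, not values from the question."""
    return {
        "safe": _ramp_down(score, 0.10, 0.30),
        "suspicious": _triangle(score, 0.15, 0.40, 0.65),
        "risky": _ramp_up(score, 0.50, 0.75),
    }


def classify(score: float) -> str:
    """Defuzzify by picking the class with the highest membership."""
    return max(fuzzy_membership(score).items(), key=lambda kv: kv[1])[0]


def score_sample(trace: Iterable[str]):
    """Convenience wrapper: (naive overlap, weighted score, fuzzy label)."""
    overlap = overlap_ratio(trace, MAL_DB)
    weighted = weighted_score(trace, MAL_DB, len(KNOWN_MALWARE_TRACES),
                              BEN_DB, len(BENIGN_TRACES))
    return overlap, weighted, classify(weighted)


# Two constructed "new, untested" traces.
INJECTION_TRACE = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                   "CreateRemoteThread", "GetLastError"]
FILE_OPS_TRACE = ["CreateFileW", "WriteFile", "CloseHandle", "ReadFile"]

if __name__ == "__main__":
    for name, trace in (("injection", INJECTION_TRACE), ("file_ops", FILE_OPS_TRACE)):
        overlap, weighted, label = score_sample(trace)
        print(f"{name:10s} naive>20%={naive_verdict(trace, MAL_DB)!s:5s} "
              f"overlap={overlap:.2f} weighted={weighted:.2f} -> {label}")
```

Run as a script, both traces exceed the 20% overlap rule: the process-injection trace because four of its five calls appear in the malware database, and the file-I/O trace because CreateFileW, WriteFile and CloseHandle do too. The benign-weighted score separates them: the injection calls never appear in the benign baseline and score 0.8 ("risky"), while the file calls are shared with every clean program and drop to about 0.30 ("suspicious"). This does not address the answer's deeper point that a sample can hide from, or tamper with, the hook producing the trace; it only makes the scoring on whatever trace you do obtain less noisy.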

Published: 2023-11-24 19:44:21
Link: https://www.elefans.com/category/jswz/34/1626565.html