
Investigating an exploit's API-calls using WinDbg or a Hooking-Engine

In "Investigating the new PowerPoint issue", Bruce Dang and Jonathan Ness describe how to track down an exploit with windbg.exe by setting breakpoints on well-known Win32 API functions.

Bruce and Jonathan only name CreateFile, LoadLibrary, and WinExec, but there are more well-known functions that exploits and malware commonly call; I list them below.

Instead of WinDbg it is also possible to use a sandbox approach based on inline hot-patching of well-known Win32 API functions. Some exploits simply quit if they detect a running debugger; in such cases patching the API is the better way to track the exploit's actions. Hot-patch the well-known API functions with a hooking engine (e.g. Detours, Mini Hook Engine, or EasyHook) and replace each original function with a logging stub that records the most important parameters of the hooked function before calling the original one. For example, log the file name and path if LoadLibrary is called, log the file name if CreateFile is used, log the download link passed to URLDownloadToFile, and so on.

Such hooks can be placed into the target process by injecting a DLL into the vulnerable application (e.g. word processor, document viewer, media player). After injecting the sandbox DLL, open the content you suspect of containing an exploit and wait for it to act. The logging sandbox records the hooked API calls, and this information can be used for a follow-up analysis.
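The WinDbg variant of the same logging idea, as an added example that is not from the original post or from the MSRC article it cites: each breakpoint prints the parameter a logging stub would record (file name, library name, download URL, command line) and resumes, so the trace reads like the sandbox log described above. It assumes a 32-bit target (stdcall arguments on the stack at function entry) and a log path of C:\analysis\api-trace.log, both placeholders.

```windbg
$$ Constructed example for a 32-bit (x86) target: at function entry the
$$ stdcall arguments lie on the stack, poi(@esp+4) = 1st, poi(@esp+8) = 2nd,
$$ poi(@esp+c) = 3rd. On a 64-bit target use @rcx, @rdx, @r8, @r9 instead.
.logopen C:\analysis\api-trace.log
.symfix
.reload

$$ "bu" sets an unresolved breakpoint that arms itself once the module is
$$ loaded, so urlmon!URLDownloadToFile* can be set before urlmon.dll exists
$$ in the process. %mu / %ma print the Unicode / ANSI string at an address;
$$ "gc" resumes execution right after the line is logged.
bu kernel32!CreateFileW  ".printf \"CreateFileW  %mu\\n\", poi(@esp+4); gc"
bu kernel32!CreateFileA  ".printf \"CreateFileA  %ma\\n\", poi(@esp+4); gc"
bu kernel32!LoadLibraryW ".printf \"LoadLibraryW %mu\\n\", poi(@esp+4); gc"
bu kernel32!LoadLibraryA ".printf \"LoadLibraryA %ma\\n\", poi(@esp+4); gc"
bu urlmon!URLDownloadToFileW ".printf \"URLDownloadToFileW url=%mu file=%mu\\n\", poi(@esp+8), poi(@esp+c); gc"
bu urlmon!URLDownloadToFileA ".printf \"URLDownloadToFileA url=%ma file=%ma\\n\", poi(@esp+8), poi(@esp+c); gc"

$$ WinExec is usually the payload's last step: log the command line and stay
$$ broken in (no "gc") so the stack can be inspected with "kb".
bu kernel32!WinExec ".printf \"WinExec      %ma\\n\", poi(@esp+4); kb"

g
```

Run `.logclose` once the debugger breaks in (or after `Ctrl+Break`) to flush the trace file; the same `bu ... gc` pattern extends to any function from the list below.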

In general, the following Win32 APIs might be a good starting point for tracking malware and/or exploits: