
Analyzing Mobile Malware · Chapter 8 (p. 273)

Extracting Additional API Parameter Information

Now that we have shown how the sandbox intercepts API calls in a generic way, the question arises as to what additional call information it detects and extracts. Of course, we would also like to log the parameters of a hooked system call. Since we have a generic handler, we need to have a database that holds information about all the relevant system calls and their number of parameters--ideally, also the name and type of each parameter for increased expressiveness.

In order to generate this database in an automatic and therefore convenient way, we made use of the tools doxygen and dumpbin. Doxygen is a widely used open-source documentation generator that is able to parse C/C++ source files and to convert the obtained information into several different formats afterwards--for example XML, HTML, Perl, and so on. On the other hand, dumpbin is a command-line driven tool that ships with Visual Studio and lets you extract information from COFF objects, such as compiled LIB files.

Along with the Windows Mobile Platform SDK (available from Microsoft for free), we can then parse the standard Windows include files with doxygen, dump the linking information from the corresponding LIB files with the help of dumpbin, and afterwards combine both results in an automatic way with a self-made Perl script. The result is a database that holds the number of parameters with their individual type and name for all standard Windows Mobile APIs. The fact that we know the type of each
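
The combining step described above, sketched as an added example in Python rather than the authors' Perl script (which is not shown on this page). The XML sample follows the memberdef/param layout of doxygen's XML output; the symbol listing is a constructed, simplified stand-in for the dumpbin dump, and the function names `parse_prototypes` and `build_database` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of doxygen's XML output (memberdef/param elements).
DOXYGEN_XML = """<doxygen><compounddef><sectiondef kind="func">
<memberdef kind="function"><type>BOOL</type><name>DeleteFileW</name>
  <param><type>LPCWSTR</type><declname>lpFileName</declname></param>
</memberdef>
<memberdef kind="function"><type>BOOL</type><name>CloseHandle</name>
  <param><type>HANDLE</type><declname>hObject</declname></param>
</memberdef>
<memberdef kind="function"><type>int</type><name>InternalHelper</name>
  <param><type>void</type></param>
</memberdef>
</sectiondef></compounddef></doxygen>"""

# Constructed, simplified symbol listing standing in for dumpbin's dump of a LIB file.
DUMPBIN_SYMBOLS = """
    DeleteFileW
    CloseHandle
    CreateProcessW
"""

def parse_prototypes(xml_text):
    """Map function name -> list of (type, name) parameters from doxygen XML."""
    protos = {}
    for member in ET.fromstring(xml_text).iter("memberdef"):
        if member.get("kind") != "function":
            continue
        params = []
        for p in member.findall("param"):
            # <type> may contain nested <ref> elements, so collect all text.
            ptype = "".join(p.find("type").itertext()).strip()
            if ptype == "void" and p.find("declname") is None:
                continue  # f(void) declares no parameters
            params.append((ptype, p.findtext("declname", default="")))
        protos[member.findtext("name")] = params
    return protos

def build_database(xml_text, symbol_listing):
    """Keep only linked symbols; a missing prototype is recorded as None."""
    protos = parse_prototypes(xml_text)
    exported = [ln.split()[-1] for ln in symbol_listing.splitlines() if ln.strip()]
    return {name: protos.get(name) for name in exported}

if __name__ == "__main__":
    for api, params in build_database(DOXYGEN_XML, DUMPBIN_SYMBOLS).items():
        print(api, params if params is not None else "<no prototype found>")
```

Recording an unmatched symbol as `None` instead of an empty list is a choice made in this example: it keeps "prototype unknown" distinct from "takes no parameters", so a generic hook handler does not silently log zero arguments for an API the headers did not cover.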