Api Logger Overview

SysAnalyzer supports an Api-Logger option that adds real-time API logging to the analysis output.

The API logger that SysAnalyzer uses works by injecting a DLL into the target process. Once loaded, the DLL inserts a series of Detours-style hooks into specific API calls. When any code in the process calls one of these APIs, the hook triggers a notification message which is sent to the main SysAnalyzer interface.

The SysAnalyzer setup package also includes a standalone DLL injector/logging interface which can be used outside of the main SysAnalyzer application.



The API logging and hooking routines used in api_log.dll were first created for the sclog project released in the Malcode Analyst Pack. They are a GPL implementation of a Detours-style hooking library, created with the help of the GPL OllyDbg Asm/Dsm engines written by Oleh Yuschuk. They have since been switched over to the ntcore hook engine to give them x64 support.

Source for api_log.dll and Apilogger.exe is included in the api_logger subdirectories, along with a quick utility designed to parse the Microsoft .h header files and auto-generate the hook procedures.
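To illustrate what such a generator does, here is an added example (not the project's own utility) that pulls prototypes out of a small hand-written header fragment and emits one hook procedure per API; the LogApi(), Real_<name> and Hook_<name> names are assumed conventions, not identifiers from api_log.dll.

```python
import re

# Constructed sample in the style of the Windows SDK headers (hand-written for this example).
SAMPLE_HEADER = """
WINBASEAPI HANDLE WINAPI CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess,
    DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
    DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
WINBASEAPI VOID WINAPI Sleep(DWORD dwMilliseconds);
"""
# One prototype: [WINBASEAPI] <ret> [WINAPI] <name>(<params>);
PROTO_RE = re.compile(r"(?:WINBASEAPI\s+)?(\w+)\s+(?:WINAPI\s+)?(\w+)\s*\(([^)]*)\)\s*;")

def parse_prototypes(header_text):
    """Return a list of {'ret', 'name', 'params': [(type, name), ...]} dicts."""
    protos = []
    for ret, name, args in PROTO_RE.findall(header_text):
        params = []
        for arg in args.split(","):
            arg = " ".join(arg.split())  # collapse newlines and runs of spaces
            if arg and arg != "VOID":
                typ, _, pname = arg.rpartition(" ")
                params.append((typ, pname))
        protos.append({"ret": ret, "name": name, "params": params})
    return protos

def fmt_for(typ):
    """printf specifier per type: C strings as %s, handles/pointers as %p, else %x."""
    if typ in ("LPCSTR", "LPSTR", "PCSTR", "PSTR"):
        return "%s"
    return "%p" if typ.startswith(("LP", "P", "H")) else "%x"

def generate_hook(proto):
    """Emit C for one hook: typedef, trampoline pointer, and a hook that logs then calls through."""
    ret, name, params = proto["ret"], proto["name"], proto["params"]
    sig = ", ".join(f"{t} {n}" for t, n in params) or "void"
    names = ", ".join(n for _, n in params)
    fmt = " ".join(f"{n}={fmt_for(t)}" for t, n in params)
    log_args = f'"{name}", "{fmt}"' + (f", {names}" if names else "")
    call = f"Real_{name}({names});"
    if ret != "VOID":
        call = "return " + call
    return "\n".join([
        f"typedef {ret} (WINAPI *{name}_t)({sig});",
        f"static {name}_t Real_{name} = NULL;  // set by the hook engine to the trampoline",
        f"{ret} WINAPI Hook_{name}({sig}) {{",
        f"    LogApi({log_args});  // notify the SysAnalyzer interface",
        f"    {call}",
        "}",
    ])
```

Running generate_hook() over parse_prototypes(SAMPLE_HEADER) prints a C stub for each prototype; the generated Hook_ function logs every argument and then passes the call through to the original via the trampoline pointer.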

In addition to the standard API logging functionality, api_log.dll also incorporates a couple of other basic features that are worth mentioning.

The CreateProcessA hook takes the additional step of also injecting the logger DLL into any new process it creates. This allows you to maintain API logging across spawned programs.

The check boxes you see on the right-hand side are additional options that you can configure the DLL with at startup. The DLL communicates with the logging interface to read these values. If you need to reconfigure, right-click in the upper list view and choose the reconfigure menu option.

A final note: the current implementation of api_log.dll does not hook any of the wide-character versions of the API. This could be considered a current weak spot; however, to date it has not impacted the program's performance in actual use. (Most viruses and worms do not use the Unicode API.)

A help video is available: