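├── apitracker.exe
├── .gitattributes
├── apitrackerserver.py
├── .gitignore
├── readme.md
└── TracingConfig.conf
/apitracker.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cysinfo/API-Tracker/HEAD/apitracker.exe
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 |
4 | # Custom for Visual Studio
5 | *.cs diff=csharp
6 |
7 | # Standard to msysgit
8 | *.doc diff=astextplain
9 | *.DOC diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot diff=astextplain
13 | *.DOT diff=astextplain
14 | *.pdf diff=astextplain
15 | *.PDF diff=astextplain
16 | *.rtf diff=astextplain
17 | *.RTF diff=astextplain
18 |
--------------------------------------------------------------------------------
/apitrackerserver.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

"""
A simple server

Listens for TCP connections from the APITracker client and appends each
connection's payload, followed by a newline, to a log file.
"""

import socket
import struct
import sys


def net_on(log_file, host='', port=50000, backlog=10, size=1024):
    """Serve forever: append the first payload of every connection to *log_file*.

    Args:
        log_file: path of the file the payloads are appended to. It is opened
            in binary append mode so the received bytes are written unchanged
            on both Python 2 and Python 3.
        host: address to bind. The default '' (the original hard-coded value)
            binds every interface, so any peer that can reach the port can
            append arbitrary bytes to the log or fill the disk; pass a specific
            address when the machine is not on a trusted network.
        port: TCP port to listen on. TracingConfig.conf's [Server] section
            sets port = 50000, matching this default.
        backlog: listen() backlog.
        size: maximum bytes read from one connection; a longer payload is
            truncated, exactly as in the original single recv().

    The payload is written verbatim, including any newlines or control
    characters it contains, so tools that parse the log must not trust its
    line structure more than they trust the senders.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
    # Without this a quick restart fails with "Address already in use"
    # while the previous listener's connections sit in TIME_WAIT.
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(backlog)
    fp = open(log_file, 'ab')
    try:
        while True:
            client, _address = listener.accept()
            try:
                data = client.recv(size)
            finally:
                # Close explicitly; the original never closed the accepted
                # socket and relied on garbage collection to release it.
                client.close()
            if data:
                # Python 2 recv() returns str (print it as-is, like the
                # original); Python 3 returns bytes, so decode for display.
                if isinstance(data, str):
                    print(data)
                else:
                    print(data.decode('utf-8', 'replace'))
                fp.write(data)
                fp.write(b"\n")
                fp.flush()  # keep the log current if the process is killed
    finally:
        fp.close()
        listener.close()


def main():
    """Entry point: ``apitrackerserver.py log_file``.

    Prints a usage line and exits with status 2 when the log file argument
    is missing; otherwise runs the server until interrupted.
    """
    if len(sys.argv) < 2:
        # Use the real script name instead of the hard-coded "server.py".
        print("usage: {0} log_file".format(sys.argv[0]))
        sys.exit(2)  # non-zero so a wrapper script notices the bad invocation
    log_file = sys.argv[1]
    net_on(log_file)


if __name__ == '__main__':
    main()

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Windows image file caches 2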
| Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear in the root of a volume 35 | .DocumentRevisions-V100 36 | .fseventsd 37 | .Spotlight-V100 38 | .TemporaryItems 39 | .Trashes 40 | .VolumeIcon.icns 41 | 42 | # Directories potentially created on remote AFP share 43 | .AppleDB 44 | .AppleDesktop 45 | Network Trash Folder 46 | Temporary Items 47 | .apdisk 48 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | APITracker is a major update to our tool Malpimp. It follows the same methodology for hooking and reporting, but with an enhanced feature set and more stable logging options. 2 | 3 | New to APITracker: 4 | 1. Server Logging: APITracker can send the API logs to a remote server, so you don't have to worry about ransomware etc. 5 | 6 | 2. Parameters: APITracker can also report the API parameters dynamically: the number of parameters can be changed as per our requirements. 7 | 8 | 3. Heap-Only Logging: APITracker supports heap-only logging; by enabling the logheap option in the config file it will only report the API calls that come from the heap region. This is useful in malware unpacking and shellcode analysis. 9 | 10 | 4. Module Logging: Now we can log API calls from selected modules only. For example, in DLL analysis we want to log the calls only from the DLL, not from the rundll binary, 
so this option is a great help when we want to log only the APIs called from specific modules. 11 | 12 | More info at : https://cysinfo.com/apitracker-windows-api-tracing-tool/ -------------------------------------------------------------------------------- /TracingConfig.conf: -------------------------------------------------------------------------------- 1 | ######## APITracker - Advanced API Tracing Tool, Configuration File ########### 2 | # (C) 2016 - Amit Malik (m.amit30@gmail.com) - https://cysinfo.com # 3 | # Hooking policies 4 | # TracingExclude - During hooking, exclude the DLLs and APIs mentioned in this policy. 5 | # TracingInclude - During hooking, only hook the DLLs and APIs mentioned in this policy. If this policy has values in its 6 | # fields then the TracingExclude entries will be ignored. 7 | 8 | ## separate multiple values using a comma (,) 9 | # For API just use the API name, e.g.: LoadLibraryA 10 | [TracingExclude] 11 | DLLs = USER32.dll,GDI32.dll,ntdll.dll,PSAPI.DLL,REGAPI.dll,WS2HELP.dll,ole32.dll,USERENV.dll,AUTHZ.dll,MSASN1.dll,RPCRT4.dll,SETUPAPI.dll,IMAGEHELP.dll 12 | API = 13 | 14 | # For API use the DLL!API syntax, e.g.: kernel32!LoadLibraryA 15 | [TracingInclude] 16 | DLLs = kernel32.dll,advapi32.dll,advapi.dll,ws2_32.dll,wininet.dll 17 | API = 18 | 19 | 20 | ## server related configs 21 | [Server] 22 | # use yes/no 23 | startnet = no 24 | server = 192.168.1.104 25 | port = 50000 26 | 27 | # define the number of parameters to extract for each hook 28 | [API] 29 | param = 3 30 | 31 | # control the execution in a better way. 32 | [Additional] 33 | #### 34 | # solveloop (yes/no) - remove the hook from the APIs that are called from the same "return address" apithreshold times. 35 | solveloop = yes 36 | apithreshold = 5 37 | 38 | # Arguments to application 39 | args = None 40 | 41 | #### 42 | # Log the calls based on the criteria defined in the following configs. 
43 | 44 | # log the calls from the heap region (yes/no) 45 | logheap = no 46 | 47 | # log the calls coming from the modules in this comma (,) separated list 48 | logmodules = 49 | 50 | # if logheap and logmodules are not enabled then the logger will use these configs for logging. 51 | # Everything between these addresses will be logged into the trace file. 52 | # change according to your requirements 53 | # default: 167772160 (0x0A000000) 54 | 55 | loggingaddrmax = 167772160 56 | loggingaddrmin = 0 57 | 58 | #### End of File #### --------------------------------------------------------------------------------