Reverse Engineering Asked by nidorinas on September 29, 2021
Running an executable in Cuckoo sandbox gives me its dynamic API information. How do these API calls differ from their static API information (eg. If I were to just put the executable through IDA Pro or Ghidra?) I know that the static API calls have different names from the dynamic ones, but are they two separate non intersecting sets (i.e. each particular API name only belongs to either the static API category or the dynamic API category, and never both?)
First of all, I want to clarify some of the concepts about "API calls." I will explain these concepts, mainly thinking of WinAPI and PE files. I'm not claiming these definitions are correct for all systems.
Operating system programming interfaces
I assume you are referring to OS API libraries as API. OS API is consists of different interfaces that user-mode applications can use to access the operating system. Using OS API, user-mode applications can abstract system call interfaces with more portable ones. There are many other benefits of OS API libraries like diversifying basic system call operations with high-level operations and making system call interface independent from user mode application interface. Some known OS API implementations are WinAPI and Glibc.
How can obtain shared library (DLL files in Microsoft Windows systems) information from an executable file?
Most of the time shared library information is given in the PE header. And static analysis tools extract that information from that. I'm sure disassemblers like IDA has advanced features and extensions for detecting dynamic library loading.
How can we get dynamically loaded library information?
Some software like computer viruses and commercial products want to hide their operations from inspection to hide their activities or protect their intellectual property. They use dynamic loading to mask their OS and other API usages. They use LoadLibrary like API functions (and lots of different variations) for loading shared libraries. A sandbox or debugger can access this information hooking these functions. But, it is not sure that they can find all instances of dynamic loading.
Can static and dynamic shared library information differ?
I don't know how Cuckoo and IDA access shared library information, but static and dynamic analysis can show different shared libraries. Theoretically, some static analysis methods could find all dynamically loaded libraries. Which does not mean they mostly do.
Correct answer by Kerim Can Kalıpcıoğlu on September 29, 2021
on windows. dynamic link use funcion like loadlibrary or getprocaddress to get process function address and call them. static link use a table call import address table define in the excutable maintain by the system when program was loaded(the table have the process function address)
Answered by user34006 on September 29, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP