How do Antivirus know which program called which API from the kernel space?
Quoting ted114 (post 813792):

> Actually, my main question is, how does runtime analysis really work from an AV's perspective? I can't really find an in-depth article online about how they work, what the common techniques are that they use to approach a specific situation, etc.
>
> So far, my understanding of this runtime/behavioural analysis by AVs is that, for them to understand and analyze how a process behaves, they have to make API hooks (I hope you understand here, I can't explain much). This gives them the ability to judge whether a specific program is malicious or not by analysing the APIs it called.
>
> 1) How do they know which process called an API that they hooked from kernel space?
>
> Say, for example, a kernel-mode driver of an AV placed a hook on an API: Program X -> NtQuerySystemInformation -> HookedZwQuerySystemInformation -> ZwQuerySystemInformation. How would the kernel-mode driver be able to identify who called NtQuerySystemInformation (which, in turn, leads to the execution of the hook function)? Since we know AVs can't simply rely on user-space API hooks for these scenarios, they have to do it in kernel space.
>
> 2) And how do they know that a running process does something that can be considered malicious without even calling an API? Like a decryption loop, perhaps?