API hooking

Definition

A monitoring technique in which the sandbox intercepts calls the malware makes to operating-system API functions. Each intercepted call is logged with its arguments and return value, creating a trace of every system-level action the sample attempts.

Related terms

Behavioural analysis
The examination of what a program does at runtime rather than what its code says at rest. Behavioural analysis captures the actual...
Evasion detection
Malware logic that checks whether the execution environment is a real host or an analysis sandbox. Checks may query hardware identifiers, count...
MITRE ATT&CK mapping
The process of classifying observed malware behaviours against the MITRE ATT&CK framework's taxonomy of adversary tactics and techniques. Sandbox platforms increasingly produce...
Network indicator
A network-based artefact produced by malware at runtime, such as a DNS query, an IP address contacted, an HTTP request path, a...
Sandbox
An isolated execution environment, typically a virtual machine, where a malware sample runs under full instrumentation. The sandbox logs all system calls,...
