Osiris: A Malware Behavior Capturing System Implemented at Virtual Machine Monitor Layer
Table 1. Functionalities of each component in API capturing module.

| Module name | Functionality |
| --- | --- |
| Framework to invoke callback functions | Comparing the instruction pointer of the current translation block to the entry point addresses of monitored API calls; maintaining the return address stack; allocating storage buffers for front-end callback functions and back-end callback functions; invoking front-end or back-end callback functions |
| Front-end callback functions | Invoked when the entry point of a monitored API call is reached; initializing the API call argument capturing environment; reading the addresses of OUT parameters; reading IN parameters |
| Back-end callback functions | Invoked when a monitored API returns; reading OUT parameters, IN_OUT parameters, and the return value; writing output information to log files; cleaning the buffer |