In this series, we are going to learn how to develop an API call logger using the Windows API. Windows provides a feature for instrumenting applications known as the Windows debugging API: a set of calls that provide an interface for instrumentation. To instrument an application, we need to define a debug loop. A primitive instrumentation code is as follows:

But first a process needs to be created and started with the DEBUG_ONLY_THIS_PROCESS flag, which can be done in the following way:

After the application is initialized, we can set up a breakpoint to instrument the application when it reaches a certain point during its runtime. This is done by replacing the instruction byte at that particular address with the 0xCC byte, i.e. the INT 3 (software breakpoint) instruction. When that breakpoint is hit, the original byte needs to be written back and EIP displaced back by one byte. We can use WriteProcessMemory and ReadProcessMemory to write/read bytes in a remote process:

ReadProcessMemory(pi.hProcess, pEntryPoint, &OrgByte, 0x01, NULL);
WriteProcessMemory(pi.hProcess, pEntryPoint, "\xcc", 0x01, NULL);

In this case a breakpoint is set at the entry point of the application, but first the byte at the EP is read and stored (it will later be restored when the breakpoint is hit).

In this case the first-chance exception is caught and allowed to happen. When the breakpoint at the entry point is hit, the instruction at the breakpoint is replaced with the original instruction and EIP is displaced back by one byte to execute the original instruction. Then the new context is set.
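As an added example (not the post's own code), here is the breakpoint bookkeeping described above in C, written against a small read/write interface so the identical save-byte / write-0xCC / restore-and-rewind logic can run on a byte array here or, on Windows, on the debuggee through ReadProcessMemory/WriteProcessMemory; the names bp_target, bp_set, bp_handle_hit and the mem_/win_ backends are assumptions of this example, not Windows API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Memory access is abstracted so the same logic drives a debuggee on
 * Windows (ctx = pi.hProcess) or a plain byte array in a test. */
typedef struct {
    void *ctx;
    int (*read)(void *ctx, uintptr_t addr, uint8_t *out, size_t n);
    int (*write)(void *ctx, uintptr_t addr, const uint8_t *in, size_t n);
} bp_target;

typedef struct { uintptr_t addr; uint8_t orig; int armed; } breakpoint;

/* Arm: save the original byte, then overwrite it with 0xCC (INT 3). */
int bp_set(bp_target *t, breakpoint *bp, uintptr_t addr) {
    const uint8_t int3 = 0xCC;
    if (!t->read(t->ctx, addr, &bp->orig, 1)) return 0;
    if (!t->write(t->ctx, addr, &int3, 1)) return 0;
    bp->addr = addr; bp->armed = 1;
    return 1;
}

/* On EXCEPTION_BREAKPOINT: fault_addr is ExceptionRecord.ExceptionAddress,
 * *ip is CONTEXT.Eip from GetThreadContext (one byte past the INT 3).
 * Windows delivers the loader's own initial breakpoint first, so the
 * address check decides whether this hit is ours. Restore the byte and
 * rewind EIP; the caller then calls SetThreadContext and ContinueDebugEvent
 * with DBG_CONTINUE so the original instruction executes. */
int bp_handle_hit(bp_target *t, breakpoint *bp, uintptr_t fault_addr, uintptr_t *ip) {
    if (!bp->armed || fault_addr != bp->addr) return 0;
    if (!t->write(t->ctx, bp->addr, &bp->orig, 1)) return 0;
    *ip = bp->addr;   /* same effect as "Eip -= 1", but exact */
    bp->armed = 0;
    return 1;
}

/* Byte-array backend: exercises the logic without a live process. */
static int mem_read(void *c, uintptr_t a, uint8_t *o, size_t n) { memcpy(o, (uint8_t *)c + a, n); return 1; }
static int mem_write(void *c, uintptr_t a, const uint8_t *i, size_t n) { memcpy((uint8_t *)c + a, i, n); return 1; }
bp_target bp_mem_target(uint8_t *buf) { bp_target t = { buf, mem_read, mem_write }; return t; }

#ifdef _WIN32   /* Real backend: the debuggee's address space. */
#include <windows.h>
static int win_read(void *h, uintptr_t a, uint8_t *o, size_t n) { return ReadProcessMemory((HANDLE)h, (LPCVOID)a, o, n, NULL) != 0; }
static int win_write(void *h, uintptr_t a, const uint8_t *i, size_t n) { return WriteProcessMemory((HANDLE)h, (LPVOID)a, i, n, NULL) != 0; }
bp_target bp_process_target(HANDLE hProcess) { bp_target t = { hProcess, win_read, win_write }; return t; }
#endif
```

On a live process, follow each write with FlushInstructionCache on the debuggee so the CPU does not keep executing a stale copy of the patched byte.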