Technical Stream
Malware behavior logging system for MAC OS X

Abstract:

It is necessary to implement a system for logging API function calls of a selected executable file on MAC OS X (x86-x64 v10.4 or higher).

Objective:

The number of malware samples targeting MAC OS X users is constantly growing, and with it the need for faster analysis methods based on dynamic analysis techniques. One such method is logging API function calls together with their input and output parameters. Many methods for logging program behavior are known: splicing, proxy-dll, interception of system calls, etc.

The aim of this study is to develop a system that accepts an executable file as its input and generates a log file that contains the API functions or system calls with parameters at the output stage. The workflow of the system is shown in Figure 1.

Figure 1. System for Logging the Behavior of Malware for MAC OS X (workflow diagram; image not reproduced here)

Requirements:

It is necessary to implement a system that produces a detailed log of the sequence of API function calls. For each call, the log should contain the list of parameters passed to the function immediately before and immediately after the call, together with the result of the call. If a reference (pointer) parameter is passed to the function, it should additionally be possible to save a dump of the memory behind that reference immediately before the call and immediately after the function completes. The dump size limit should be controlled by the program settings: either restricted to a constant number of bytes, or saved in full.

It is necessary to develop a program for viewing the saved logs. It should be able to apply filters by API function name. Memory dumps should be displayed on demand in three different modes: hexadecimal, text, and a mix of the two. In text mode, there should be a choice of encoding (cp1251, Unicode and utf-8). While viewing, it should be possible to search by API function name and by substring within a dump. It should be possible to export logs in html format. There should be an option to decode parameters and the result of the function call from numeric into symbolic form, for example STATUS_SUCCESS instead of 0x00000000.

The input parameter is the program executable file itself (or its path) from which the logs have to be taken. The output data is the resulting event log. Each event must be described by the following parameters: the time, accurate to microseconds; the name of the called API function; the list of passed parameters; and the memory dump behind any reference parameters (if present), both before and after the call.
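As an added illustration (not part of the task description, and not any team's submission), the viewer side of the event format described above: a parser for a constructed JSON-lines log layout, symbolic decoding of numeric results, the three dump display modes with a selectable text encoding, and filtering by function name or dump substring. The log layout, the sample records and the result-name table are assumptions made for this example.

```python
import json

# Constructed sample log in an assumed JSON-lines layout (not the task's own format):
# ts_us = call time in microseconds, args = parameters as passed, ret = result,
# dump_before/dump_after = hex of the memory behind the pointer parameter.
SAMPLE_LOG = """\
{"ts_us": 1712000000000001, "func": "open", "args": ["/tmp/a.txt", 0], "ret": 3}
{"ts_us": 1712000000000045, "func": "read", "args": [3, "0x7ffee000", 16], "ret": 16, "dump_before": "00000000000000000000000000000000", "dump_after": "48656c6c6f2c20776f726c6421000a00"}
{"ts_us": 1712000000000090, "func": "task_for_pid", "args": [0, 1], "ret": 5}
"""
# Assumed symbolic-name table for numeric results (Mach kern_return_t values shown).
RESULT_NAMES = {"task_for_pid": {0: "KERN_SUCCESS", 5: "KERN_FAILURE"}}

def parse_log(text):
    """One JSON object per event line; hex dumps are decoded to bytes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            for key in ("dump_before", "dump_after"):
                ev[key] = bytes.fromhex(ev.get(key, ""))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts_us"])

def decode_result(func, code):
    """Symbolic form of a return value, e.g. 'KERN_FAILURE (0x00000005)'."""
    name = RESULT_NAMES.get(func, {}).get(code)
    return f"{name} (0x{code:08x})" if name else str(code)

def render_dump(data, mode="mixed", encoding="utf-8", width=16):
    """Three viewer modes: 'hex', 'text' (decoded with the chosen encoding), 'mixed'."""
    if mode == "text":
        return data.decode(encoding, errors="replace")
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_ = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        line = f"{off:08x}  {hexpart}"
        lines.append(line if mode == "hex" else f"{line:<{width * 3 + 9}} |{ascii_}|")
    return "\n".join(lines)

def filter_events(events, names=None, dump_substring=None):
    """Filter by API function name and/or by a byte substring in either dump."""
    return [ev for ev in events
            if (not names or ev["func"] in names)
            and (not dump_substring or dump_substring in ev["dump_before"]
                 or dump_substring in ev["dump_after"])]
```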

Provided that the testing of the program is successful, the researchers should submit the following results:

  1. A ready-to-use program (monitor and viewer) in an archive, or in the form of an installer.
  2. The program source code.
  3. The executable file from which the logs were taken.
  4. The logs obtained by running the executable file listed above.

Data:

The developers will be provided with several MAC OS executable files that can be used for testing the logging system.

The data is available after registration.

Evaluation criteria:

The following criteria will be used to evaluate solutions:

  1. How fast they function and the load on the operating system.
  2. The number of functions/events supported by the logging system.
  3. Usability of the program in terms of viewing logs.
  4. Scalability of the system (the ability to add new features/events).
Anti-Malware Research