decaf-project / DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
GNU General Public License v3.0

API tracer #74

Closed SpeaklessAmanda closed 5 years ago

SpeaklessAmanda commented 5 years ago

It seems that only Windows API functions can be hooked. I am trying to hook the underlying C language implementation of PHP, and I just cannot get any result. Does DECAF only hook Windows API?

hengyin commented 5 years ago

For Windows VMI, there is a list of modules for symbol extraction. The function you hook must be an export function for that module, and that module must appear in this list. If not, you can add your module in this list, so the offsets of export functions in that module can be resolved.

https://github.com/decaf-project/DECAF/blob/master/decaf/shared/windows_vmi.cpp#L92

Thanks, Heng

On Tue, Oct 8, 2019 at 2:53 AM SpeaklessAmanda notifications@github.com wrote:

It seems that only Windows API functions can be hooked. I am trying to hook the underlying C language implementation of PHP, and I just cannot get any result. Does DECAF only hook Windows API?