Update common malicious apis

packing-box / docker-packing-box

Docker image gathering packers and tools for making datasets of packed executables and training machine learning models for packing detection

GNU General Public License v3.0

49 stars 10 forks source link

Update common malicious apis #125

Closed AlexVanMechelen closed 6 months ago

AlexVanMechelen commented 6 months ago

This PR adds:

An updated list of the common malicious apis (see Appendix B). All suffixes have been removed. When an imported function is compared to these common malicious apis, its suffixes should also be removed. Most common suffixes: ('A', 'W', 'Ex', 'ExA', 'ExW')

dhondta commented 6 months ago

@AlexVanMechelen You can use comments (with #) to specify the source where you found your entries. We can for instance integrate those of this source.

AlexVanMechelen commented 6 months ago

@dhondta The current ones in this PR follow from own analysis on dataset-packed-pe (see Appendix B). I'll add the ones from the source you included here above, as they likely follow from a larger scale analysis & to avoid overfitting to our dataset.

AlexVanMechelen commented 6 months ago

@dhondta On the other hand, the api's from the source you included are common in malware. Packers will typically try to hide those malicious api calls by dynamically loading them or other obfuscation techniques. The functions from our analysis (Appendix B) might be more tailored to packers. I might include both groups

AlexVanMechelen commented 6 months ago

@dhondta List updated.

TODO

Reimplement the invariability to function name suffixes like here
Reimplement the set of boolean features based on the presence of the malicious api's like here -> Can be an interesting for category detection where certain functions are more common in one category than in another.

Do you have suggestions for better ways of implementing those?

dhondta commented 6 months ago

@AlexVanMechelen There are two ways:

Programmatic: like you did ; but in this case, using a constant in the code base makes it static while a list of so-called API calls is variable in essence.
Dynamic: like I propose ; via the data folder, based on the file you propose in this PR. This way, we let this list up to the researcher either by using our default list from the data folder provided with the Packing Box or in the scope of his/her experiment with a dedicated data folder. This allows for more flexibility.

I will solve your issue of suffixes with a simple script for which I will keep the code in a Wiki page not to "pollute" the data folder.