2019 Volume 27 Pages 297-314
We propose a design and implementation for an Application Programming Interface (API) monitoring system called API Chaser, which is resistant to evasion-type anti-analysis techniques such as stolen code and code injection. The core technique in API Chaser is code tainting, which enables us to identify precisely the execution of monitored instructions by propagating three types of taint tags added to the code of API, malware, and benign executables, respectively. Additionally, we introduce taint-based control transfer interception, a technique for precisely capturing API calls invoked from evasive malware. We evaluate API Chaser on several real-world and synthetic malware samples to demonstrate the accuracy of our API hooking technique. We also perform a large-scale experiment, analyzing 8,897 malware samples, to show the practical capability of API Chaser. These experimental results show that 701 of the 8,897 malware samples employ hook evasion techniques to hide specific API calls, while 344 samples use target evasion techniques to hide the source of API calls.
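To make the mechanism behind the abstract concrete, the following is an added toy model written for this page; it is not API Chaser's implementation, and the instruction set, the tag encoding `(kind, label)`, the addresses and the sample names (`mal-0001`, `explorer.exe`, `CreateFileW`) are all constructed for the illustration. Every instruction carries a code taint tag that a `memcpy` propagates with the bytes, and every control transfer is checked by two strategies side by side: a conventional hook keyed on the API's entry address, and a taint-based interception that fires whenever non-API-tainted code transfers into API-tainted code. The scenario runs the two evasions the abstract names: the malware copies the API prologue into its own region and enters the API past it (stolen code), then injects a payload into a benign region and lets the benign code call it (code injection).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Code taint tag: (kind, label) with kind in {"api", "malware", "benign"}.
# Constructed for this example; API Chaser's real tag encoding is not shown here.
Tag = Tuple[str, str]


@dataclass
class Machine:
    code: Dict[int, tuple] = field(default_factory=dict)        # address -> instruction
    tags: Dict[int, Tag] = field(default_factory=dict)          # address -> code taint tag
    api_entries: Dict[int, str] = field(default_factory=dict)   # address-based hook points
    regions: List[Tuple[int, int, str]] = field(default_factory=list)  # (lo, hi, owner)
    stack: List[int] = field(default_factory=list)
    inside_api: bool = False
    addr_log: List[Tuple[str, str]] = field(default_factory=list)   # (api, owner by address)
    taint_log: List[Tuple[str, str]] = field(default_factory=list)  # (caller taint label, api)

    def load(self, base: int, instrs: list, tag: Tag) -> None:
        for i, ins in enumerate(instrs):
            self.code[base + i] = ins
            self.tags[base + i] = tag

    def owner_by_address(self, addr: int) -> str:
        for lo, hi, name in self.regions:
            if lo <= addr <= hi:
                return name
        return "unknown"

    def transfer(self, src: int, dst: int) -> None:
        """Run on every control transfer; both hooking strategies observe it."""
        # 1. Address-based hook: fires only at the registered entry address and
        #    attributes the call to whichever module owns the caller's address.
        if dst in self.api_entries:
            self.addr_log.append((self.api_entries[dst], self.owner_by_address(src)))
        # 2. Taint-based interception: fires when non-API-tainted code enters
        #    API-tainted code, wherever that code now lives, and attributes the
        #    call to the caller instruction's own taint tag.
        skind, slabel = self.tags[src]
        dkind, dlabel = self.tags[dst]
        if dkind == "api" and skind != "api":
            if not self.inside_api:          # log the entry once per API invocation
                self.taint_log.append((slabel, dlabel))
                self.inside_api = True
        elif skind == "api" and dkind != "api":
            self.inside_api = False          # the API returned to its caller

    def run(self, pc: int, max_steps: int = 200) -> None:
        for _ in range(max_steps):
            ins = self.code.get(pc, ("halt",))
            op = ins[0]
            if op == "halt":
                return
            if op == "call":
                self.stack.append(pc + 1)
                self.transfer(pc, ins[1]); pc = ins[1]
            elif op == "jmp":
                self.transfer(pc, ins[1]); pc = ins[1]
            elif op == "ret":
                if not self.stack:
                    return
                dst = self.stack.pop()
                self.transfer(pc, dst); pc = dst
            elif op == "memcpy":             # copied code inherits the source's taint tag
                src, dst, n = ins[1:]
                for i in range(n):
                    self.code[dst + i] = self.code[src + i]
                    self.tags[dst + i] = self.tags[src + i]
                pc += 1
            else:                            # "nop", "work": no control transfer
                pc += 1


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    m = Machine()
    API, MAL, BEN = ("api", "CreateFileW"), ("malware", "mal-0001"), ("benign", "explorer.exe")
    m.regions = [(0x2000, 0x3FFF, "mal-0001"), (0x4000, 0x5FFF, "explorer.exe")]
    # The API: two prologue instructions (where an inline hook would sit), body, return.
    m.load(0x1000, [("nop",), ("nop",), ("work",), ("ret",)], API)
    m.api_entries[0x1000] = "CreateFileW"
    # Malware: (a) stolen code: copy the API prologue to 0x3000 and call it there;
    # (b) code injection: copy a payload into the benign region and hand control
    # to the benign code, which has been redirected to run it.
    m.load(0x2000, [("memcpy", 0x1000, 0x3000, 2), ("call", 0x3000),
                    ("memcpy", 0x2010, 0x5000, 2), ("jmp", 0x4000), ("halt",)], MAL)
    m.load(0x2010, [("call", 0x1000), ("ret",)], MAL)             # payload to be injected
    m.load(0x3000, [("halt",), ("halt",), ("jmp", 0x1002)], MAL)  # stolen prologue + jump past it
    m.load(0x4000, [("call", 0x5000), ("halt",)], BEN)             # benign code, flow redirected
    m.run(0x2000)
    return m.addr_log, m.taint_log


if __name__ == "__main__":
    print(demo())
```

The address-based hook records a single `CreateFileW` call and attributes it to `explorer.exe`, because the stolen-code path never touches the entry address and the injected call is issued from an address inside the benign region. The taint-based log records both calls and attributes each to `mal-0001`: the copied prologue still carries the API tag, so entering it counts as entering the API, and the injected instruction still carries the malware tag, so the call's source is identified regardless of the address it runs from.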