To use known sequence search, you need do the following steps
1) Create your sequence
On the left panel of dialog "Available Sequences" click the new button and enter the name of the new sequence.
Next, on the right panel "Selected Sequence Edition" add as many steps as you wnat with the "Add" button.
Each time you add a step , the following dialog will appear.
Known Sequences Search: Step editor
You have to define the module name (aka the dll name), the function name, and the number of calls of this function.
Once done click the "Ok" button and your step is added.
The "Move Up", "Move Down" "Edit" or "Remove" operation will help you to define your sequence.
The "Allow other function calls" option allow noisy calls between steps.
For example, if you are looking for an ABCDE sequence and the monitoring result is ABCFGDE, as FG are 2 noisy calls, sequence will be found only if this option is checked.
This option can be used against softwares trying to hide their activity by doing noisy calls (example a malware that tries to avoid being detected by antivirus)
The "Can be cross threaded" and "Can be cross processes" options specify the domain of search. By default all the steps of the sequence must be in a single thread to be detected
The "Require COM hooking" and "Require .NET hooking" are just for informing you that you need to enable these specific options during the monitoring session.
Once done, click the "Save" button.
2) Automatically generate a monitoring file for the wanted sequences
This step is not required for .Net and COM sequences (COM auto hooking and .Net monitoring don't require specific monitoring files)
On the left panel "Available Sequences", first check sequence(s) you want to monitor, next click the "Generate" button at the bottom of the panel.
- find all functions required for all the checked sequences
- grab the functions definitions from the "Monitoring Files" directory
- avoid multiple definitions of same function.
- The generated monitoring file is added by default in the "Monitoring Files" directory
- You will be warned if some functions definitions were not found
- This step is not mandatory, you can search through logs generated by other monitoring files, the "Generate" button is just an helper.
3) Do a standard monitoring session with WinApiOverride
Close Known Sequences Search dialog and do a standard monitoring session with WinApiOverride.
Select "Attach application at startup"
start hooking and use monitoring library to select your monitoring file generated at step 2. Notice: for more information on how to monitor an application, see Starting and Loading monitoring files
Once you have completed actions with the target application, close the hooked application, wait end of hooking, and go back to the "Known Sequences Search" dialog.
4) Search known sequences inside the monitoring session results
Once monitoring session done, or once your logs file has been loaded, go back to the "Known Sequences Search" dialog,
On the left panel "Available Sequences", first check the same sequence(s) as done at step 1 and then click the "Start" button
Known Sequences Search result
1) Global information
- Medium duration of the sequence
- Duration standard deviation of the sequence
2) Content : The list of different steps composed by
- Number of identical functions calls
- Function name
- Module name
3) Found at : The different locations where the sequence has been found.
For each location you get
- Start Time
- the list of all the logs for the instance of sequence
In the result window, when clicking on "Show" for the "Found at"
field, the content of each sequence is displayed, with start time, duration and the list of all the logs for the instance of sequence.
When displayed inside WinApiOverride, a single click to the "Jump To" image will bring you to the first log of the selected sequence instance inside the WinApiOverride main view.