As mentioned, the monitoring DLL informs the sandbox about each performed API call, which in fact is done by sending a notification to it. These notifications include a lot of information, like the name of the called API function, the used parameters, or the time when the call occurred. Depending on the type of the function, a different TNotification class is used. Subclasses for the following categories exist:

■ TNotification_COM
  Used for API calls that create COM objects
■ TNotification_DLLHandling
  Used for API calls that load/unload a DLL or that dynamically determine the entry points of API functions (used during explicit linking)
■ TNotification_FileSystem
  Used for API calls that access the file system
■ TNotification_ICMPPacket
  Used for API calls that send ICMP packets
■ TNotification_INIFile
  Used for API calls that use the Windows built-in methods to access .ini files
■ TNotification_Mutex
  Used for API calls that create or access mutex objects
■ TNotification_Network
  Used for API calls that use the Windows built-in network methods, such as for accessing Windows shares
■ TNotification_Process
  Used for API calls that perform actions on processes, such as creating, terminating, or opening a process
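The notification flow described above, modelled end to end as an added example (this is illustrative code, not CWSandbox's own): the monitoring-DLL side picks the TNotification subclass from the API name and serializes the record, and the sandbox side parses it back and groups the calls per category into a behaviour report. The API-to-category table, the JSON line wire format and the sample trace are all assumptions constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Dict, List
# Illustrative table of hooked API names to the TNotification subclasses listed on this
# page. Constructed for this example; it is not CWSandbox's own mapping.
API_CATEGORY = {
    "CoCreateInstance": "TNotification_COM",
    "LoadLibraryW": "TNotification_DLLHandling",
    "CreateFileW": "TNotification_FileSystem",
    "IcmpSendEcho": "TNotification_ICMPPacket",
    "GetPrivateProfileStringW": "TNotification_INIFile",
    "CreateMutexW": "TNotification_Mutex",
    "NetShareEnum": "TNotification_Network",
    "CreateProcessW": "TNotification_Process",
}
KNOWN = set(API_CATEGORY.values()) | {"TNotification"}
@dataclass
class TNotification:
    """One record the monitoring DLL sends: API name, parameters, call time, category."""
    api: str
    params: Dict[str, str]
    timestamp: float
    category: str

def build_notification(api: str, params: Dict[str, str], timestamp: float) -> TNotification:
    """Monitoring-DLL side: choose the subclass by API type; unhooked names keep the base class."""
    return TNotification(api, params, timestamp, API_CATEGORY.get(api, "TNotification"))

def serialize(n: TNotification) -> str:
    """Wire form sent to the sandbox (one JSON line; an assumed format, not the real one)."""
    return json.dumps(n.__dict__)

def parse_notification(line: str) -> TNotification:
    """Sandbox side: rebuild the record and refuse categories the report does not know."""
    d = json.loads(line)
    if d["category"] not in KNOWN:
        raise ValueError(f"unknown notification category: {d['category']}")
    return TNotification(d["api"], dict(d["params"]), float(d["timestamp"]), d["category"])

def behaviour_report(lines: List[str]) -> Dict[str, List[str]]:
    """Group received calls per category in time order, as a sandbox analysis report would."""
    report: Dict[str, List[str]] = {}
    for n in sorted((parse_notification(l) for l in lines), key=lambda n: n.timestamp):
        args = ", ".join(f"{k}={v}" for k, v in n.params.items())
        report.setdefault(n.category, []).append(f"{n.api}({args})")
    return report

# Constructed sample trace: a process that creates a mutex, writes a file, spawns a child.
SAMPLE_LINES = [
    serialize(build_notification("CreateProcessW", {"lpApplicationName": "C:\\tmp\\b.exe"}, 3.0)),
    serialize(build_notification("CreateMutexW", {"lpName": "Global\\example"}, 1.0)),
    serialize(build_notification("CreateFileW", {"lpFileName": "C:\\tmp\\a.dat"}, 2.0)),
]
```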