This repository is the future home of Toxotidae, a prototype API monitor for malware analysis.
Our cutting-edge tool offers unique capabilities in monitoring API invocations, even when facing sophisticated attacks aimed at compromising the completeness and correctness of the monitor, with a low performance overhead compared to previously available monitoring tools. Our solution employs a static analysis approach that meticulously traces parameter propagation with high precision and selects multiple program points within the control-flow graph of Windows APIs to be hooked, so that API calls obfuscated with the novel attacks proposed in the manuscript are still logged effectively.
The methodology behind this tool is described in the paper "Evading Userland API Hooking, Again: Novel Attacks and a Principled Defense Method", which will appear at the DIMVA '24 conference. The code will be released by the conference start date.
To reference our work, we would be grateful if you could use the following BibTeX code:
<to be uploaded>