If you are a malware analyst, you have probably already come across WinAppDbg.
This module lets you quickly script instrumentation code in Python on Windows.

One of its (many) powerful features is the ability to quickly intercept Windows API calls.
Let's have a look at a small example showing how to intercept Sleep calls.


from winappdbg import EventHandler

class MyEventHandler(EventHandler):
    # Function name and number of parameters, per DLL; WinAppDbg reads
    # that many arguments off the stack and hands them to the callback.
    apiHooks = {
        'kernel32.dll': [
            ("Sleep", 1)
        ]
    }

    # Intercept the API before the actual call is being made to Sleep ('pre' callback).
    # 'ra' is the return address of the call, followed by the function's parameters.
    def pre_Sleep(self, event, ra, dwMilliseconds):
        thread = event.get_thread()
        process = event.get_process()

        print "Intercepted Sleep call of %d milliseconds" % dwMilliseconds
Much malware uses the Sleep function to delay an operation on the infected machine (e.g. to outlast the timeout of a dynamic-analysis sandbox or to space out its beaconing home).
With WinAppDbg we can modify the function parameter (dwMilliseconds) before the actual call to Sleep() is made.
To do so we access the stack frame at the hook point: on 32-bit x86 the stack pointer holds the return address and the first stdcall argument sits 4 bytes above it, so we write a new DWORD with value 0x00 at ESP+4.

        # Access the first parameter on the stack: ESP + 4 (ESP points at the
        # return address when the pre hook fires at function entry; 32-bit only)
        stack_offset = thread.get_sp() + 4
        # Write the new value at that address (e.g. 0 milliseconds)
        process.write_dword(stack_offset, 0x00)
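As an added example (not code from the post or from WinAppDbg), the same hook modelled stand-alone: a constructed 32-bit stack frame and fake Process/Thread objects replace the debuggee, so the ESP+4 arithmetic, the apiHooks-style dispatch and the argument rewrite can be run and checked offline. The class and method names other than pre_Sleep, get_sp, read_dword and write_dword are assumptions.

```python
import struct

DWORD = struct.Struct("<I")  # little-endian 32-bit unsigned, as on x86 Windows

class FakeProcess:
    """Stand-in for WinAppDbg's Process: a flat, byte-addressed memory window."""
    def __init__(self, base, size):
        self.base, self.mem = base, bytearray(size)
    def read_dword(self, addr):
        return DWORD.unpack_from(self.mem, addr - self.base)[0]
    def write_dword(self, addr, value):
        DWORD.pack_into(self.mem, addr - self.base, value)

class FakeThread:
    """Stand-in for WinAppDbg's Thread: only the stack pointer is needed here."""
    def __init__(self, sp):
        self.sp = sp
    def get_sp(self):
        return self.sp

def stdcall_arg_addr(thread, index):
    """At function entry ESP holds the return address; 32-bit stdcall argument
    `index` (0-based) sits 4*(index+1) bytes above it. x64 passes the first
    arguments in registers, so this arithmetic applies to 32-bit targets only."""
    return thread.get_sp() + 4 * (index + 1)

def dispatch_pre_hook(handler, process, thread, name, nargs):
    """Mimic how a ("Sleep", 1) apiHooks entry becomes pre_Sleep(ra, arg0)."""
    ra = process.read_dword(thread.get_sp())
    args = [process.read_dword(stdcall_arg_addr(thread, i)) for i in range(nargs)]
    return getattr(handler, "pre_" + name)(process, thread, ra, *args)

class SleepNeutraliser:
    """Mirror of the post's handler: log the requested delay (a useful
    sandbox-evasion indicator) and rewrite it to 0 before Sleep runs."""
    def __init__(self):
        self.seen = []
    def pre_Sleep(self, process, thread, ra, dwMilliseconds):
        self.seen.append((ra, dwMilliseconds))
        process.write_dword(stdcall_arg_addr(thread, 0), 0)
        return dwMilliseconds

def demo(requested_ms=300000):
    """Constructed frame as left right after `call Sleep`: [ESP]=ra, [ESP+4]=ms."""
    proc, thr = FakeProcess(0x0019F000, 0x1000), FakeThread(0x0019F800)
    proc.write_dword(thr.get_sp(), 0x00401234)        # constructed return address
    proc.write_dword(thr.get_sp() + 4, requested_ms)  # dwMilliseconds
    handler = SleepNeutraliser()
    dispatch_pre_hook(handler, proc, thr, "Sleep", 1)
    # (delay the hook saw, delay Sleep will now read, return address untouched)
    return handler.seen[0][1], proc.read_dword(thr.get_sp() + 4), proc.read_dword(thr.get_sp())
```

Logging the original dwMilliseconds alongside the return address gives a per-call record of long sleeps, which is what an analyst wants to keep when deciding whether the sample is stalling a sandbox.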