MalAPIReader

Reads and prints information from the website MalAPI.io

optional arguments:
  z -h, --help            show this help message and exit
  --pe PE, -p PE        Specify a PE to read. The WinAPI will be checked
                        against MalAPI and information will be printed about
                        the API if the information is present.
  --look LOOK, -l LOOK  Look up an API by name and print all information.

The –look option takes one argument: the name of an API. It will then make a request for the basic details about the API from MalAPI.io and print it. In the example below, we pass “CreateRemoteThread” as an argument and receive information back.

Screenshot 2021-11-02 050332

The –pe option takes one argument: the path and name to an PE file. It will then read the Import Address Table and check for any entries on MalAPI.io. If an entry is found, information about the API is then printed.

For example, in the below image, OpenProcessToken was found and information was printed.

image

Known Bug

Keyboard Interrupts are not reliable. I am able to interrupt when running from IDLE but not when running from cmd.exe

The script does not yet account for difference between Unicdoe and ANSI versions of API. That functionality will need to be implemented later. At this time, it will fail to find the API in the table if the API in the IAT does not match the MalAPI version exactly.

Thanks

Thank you mr.d0x for the inspiring project.

GitHub

View Github