Reads and prints information from the website MalAPI.io
optional arguments: z -h, --help show this help message and exit --pe PE, -p PE Specify a PE to read. The WinAPI will be checked against MalAPI and information will be printed about the API if the information is present. --look LOOK, -l LOOK Look up an API by name and print all information.
The –look option takes one argument: the name of an API. It will then make a request for the basic details about the API from MalAPI.io and print it. In the example below, we pass “CreateRemoteThread” as an argument and receive information back.
The –pe option takes one argument: the path and name to an PE file. It will then read the Import Address Table and check for any entries on MalAPI.io. If an entry is found, information about the API is then printed.
For example, in the below image, OpenProcessToken was found and information was printed.
Keyboard Interrupts are not reliable. I am able to interrupt when running from IDLE but not when running from cmd.exe
The script does not yet account for difference between Unicdoe and ANSI versions of API. That functionality will need to be implemented later. At this time, it will fail to find the API in the table if the API in the IAT does not match the MalAPI version exactly.
Thank you mr.d0x for the inspiring project.