Introduction
The MalAPI.io website collects a list of Windows APIs that malicious programs can use to perform unwanted actions on the operating system. To look for these API names inside executables, a Python tool has been developed that automatically scans the file passed as a parameter.
Use of MalAPI Scanner
To use it, simply pass the executable file to analyze as a parameter and keep the malapi.json file, which holds the API database extracted from the website, in the same directory. This is an example of its execution.
$ python malapi.py C:\Windows\notepad.exe
Detected APIs for file C:\Windows\notepad.exe:
Enumeration: GetSystemTime, ReadFile, GetCurrentThread, GetCurrentThreadId, GetCurrentProcess, GetCurrentProcessId, GetSystemTimeAsFileTime,
Injection: GetModuleHandleA, GetProcAddress, LocalAlloc, MapViewOfFile, CreateThread, WaitForSingleObject, OpenProcess, GetProcessHeap, HeapAlloc, GlobalAlloc, OpenProcessToken, WaitForSingleObjectEx,
Evasion: GetModuleHandleA, GetProcAddress, LoadResource, WaitForSingleObject, WaitForSingleObjectEx, Select, LockResource,
Spying: GetDC, GetForegroundWindow, SetWinEventHook,
Internet: Accept, Send,
Anti-Debugging: GetSystemTime, IsDebuggerPresent, GetForegroundWindow, QueryPerformanceCounter, GetSystemTimeAsFileTime,
Helper: GetModuleFileNameA, WriteFile, TerminateProcess, SetCurrentDirectory, FindClose, UnmapViewOfFile, RegCloseKey, OpenClipboard, SetFocus, ShowWindow, LockResource,
Source code
import json
import os
import re
import string
import sys
# extract strings from binary (https://stackoverflow.com/questions/17195924/python-equivalent-of-unix-strings-utility)
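def strings(filename, min=4):
    """Yield the runs of printable ASCII text in *filename*, like the Unix ``strings`` tool.

    The file is read as raw bytes in 64 KiB chunks, so the result does not depend on
    the locale encoding, and an undecodable byte terminates a run instead of being
    silently dropped (which would fuse two unrelated strings into one). "Printable"
    means ``string.printable``, which includes whitespace, so a run may span tabs and
    newlines exactly as in the original implementation.

    Args:
        filename: path of the file to scan.
        min: minimum run length, in characters, for a run to be reported.

    Yields:
        Each run of at least ``min`` printable characters, in file order.

    Raises:
        ValueError: if ``min`` is less than 1 (a threshold of 0 would yield an empty
            string for every non-printable byte).
        OSError: if the file cannot be opened or read.
    """
    if min < 1:
        raise ValueError("min must be at least 1, got {!r}".format(min))

    printable = frozenset(string.printable.encode("ascii"))
    run = bytearray()
    with open(filename, "rb") as fh:
        # iter() with a sentinel stops at EOF; the current run carries across chunks
        for chunk in iter(lambda: fh.read(65536), b""):
            for byte in chunk:
                if byte in printable:
                    run.append(byte)
                    continue
                if len(run) >= min:
                    yield run.decode("ascii")
                run.clear()
    # a run that reaches end-of-file has no terminator, so flush it explicitly
    if len(run) >= min:
        yield run.decode("ascii")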
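# The API database is looked up next to this script rather than in the current
# working directory, so the scanner works no matter where it is invoked from.
API_DB_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), "malapi.json")

# An API name has to match a whole identifier-shaped token of an extracted string.
# A plain substring test flags e.g. "Send" inside "SendMessageA" or "Select" inside
# "SelectObject", which is where spurious hits on benign binaries come from.
_TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def load_api_db(path=API_DB_PATH):
    """Return the ``{category: [api_name, ...]}`` mapping stored under ``"malapi"`` in *path*.

    Args:
        path: location of the JSON database extracted from malapi.io.

    Raises:
        OSError: if the file cannot be read.
        ValueError: if the file is not valid JSON.
        KeyError: if the document has no ``"malapi"`` key.
    """
    with open(path, encoding="utf-8") as api_file:
        return json.load(api_file)["malapi"]


def find_apis(pe_strings, apis):
    """Return the APIs from *apis* that occur as whole tokens in *pe_strings*, grouped by category.

    Matching is case-insensitive because the database capitalises the Winsock names
    (``Send``, ``Select``, ``Connect``) that are exported in lower case. A hit means
    only that the name occurs as a string in the file: names resolved at run time or
    hidden by packing are not seen, and benign programs use many of these APIs too,
    so the result is a triage hint rather than a verdict.

    Args:
        pe_strings: iterable of strings extracted from the file (see ``strings``).
        apis: ``{category: [api_name, ...]}`` as returned by ``load_api_db``.

    Returns:
        ``{category: [api_name, ...]}`` containing only categories with at least one
        hit; names keep the database's spelling, in database order, each reported
        once per category even if the database lists it twice.
    """
    tokens = set()
    for text in pe_strings:
        tokens.update(tok.lower() for tok in _TOKEN_RE.findall(text))

    detected = {}
    for category, api_list in apis.items():
        seen = set()
        hits = []
        for api in api_list:
            key = api.lower()
            if key in tokens and key not in seen:
                seen.add(key)
                hits.append(api)
        if hits:
            detected[category] = hits
    return detected


def main(argv=None):
    """Command-line entry point: scan one file and print the detected APIs per category.

    Args:
        argv: argument list without the program name; defaults to ``sys.argv[1:]``.

    Returns:
        Exit status: 0 on success, 1 if a file could not be read, 2 on bad usage.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 1:
        print("usage: python malapi.py <executable>", file=sys.stderr)
        return 2
    file_name = args[0]

    try:
        apis = load_api_db()
        # strings() is lazy, so a read error on the scanned file surfaces here
        pe_apis = find_apis(strings(file_name), apis)
    except OSError as exc:
        print("malapi: {}".format(exc), file=sys.stderr)
        return 1

    # show: same layout as before, " <category>: <api>, <api>, "
    print("Detected APIs for file " + file_name + ": ")
    for category, api_list in pe_apis.items():
        print(" " + category + ": " + "".join(api + ", " for api in api_list))
    return 0


if __name__ == "__main__":
    sys.exit(main())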
MalAPI Database
{
"malapi": {
"Enumeration": [
"CreateToolhelp32Snapshot",
"EnumDeviceDrivers",
"EnumProcesses",
"EnumProcessModules",
"EnumProcessModulesEx",
"FindFirstFileA",
"FindNextFileA",
"GetLogicalProcessorInformation",
"GetLogicalProcessorInformationEx",
"GetModuleBaseNameA",
"GetSystemDefaultLangId",
"GetVersionExA",
"GetWindowsDirectoryA",
"IsWoW64Process",
"Module32First",
"Module32Next",
"Process32First",
"Process32Next",
"ReadProcessMemory",
"Thread32First",
"Thread32Next",
"GetSystemDirectoryA",
"GetSystemTime",
"ReadFile",
"GetComputerNameA",
"VirtualQueryEx",
"GetProcessIdOfThread",
"GetProcessId",
"GetCurrentThread",
"GetCurrentThreadId",
"GetThreadId",
"GetThreadInformation",
"GetCurrentProcess",
"GetCurrentProcessId",
"SearchPathA",
"GetFileTime",
"GetFileAttributesA",
"LookupPrivilegeValueA",
"LookupAccountNameA",
"GetCurrentHwProfileA",
"GetUserNameA",
"RegEnumKeyExA",
"RegEnumValueA",
"RegQueryInfoKeyA",
"RegQueryMultipleValuesA",
"RegQueryValueExA",
"NtQueryDirectoryFile",
"NtQueryInformationProcess",
"NtQuerySystemEnvironmentValueEx",
"EnumDesktopWindows",
"EnumWindows",
"NetShareEnum",
"NetShareGetInfo",
"NetShareCheck",
"GetAdaptersInfo",
"PathFileExistsA",
"GetNativeSystemInfo",
"RtlGetVersion",
"GetIpNetTable",
"GetLogicalDrives",
"GetDriveTypeA",
"RegEnumKeyA",
"WNetEnumResourceA",
"WNetCloseEnum",
"FindFirstUrlCacheEntryA",
"FindNextUrlCacheEntryA",
"WNetAddConnection2A",
"WNetAddConnectionA",
"EnumResourceTypesA",
"EnumResourceTypesExA",
"GetSystemTimeAsFileTime",
"GetThreadLocale",
"EnumSystemLocalesA"
],
"Injection": [
"CreateFileMappingA",
"CreateProcessA",
"CreateRemoteThread",
"CreateRemoteThreadEx",
"GetModuleHandleA",
"GetProcAddress",
"GetThreadContext",
"HeapCreate",
"LoadLibraryA",
"LoadLibraryExA",
"LocalAlloc",
"MapViewOfFile",
"MapViewOfFile2",
"MapViewOfFile3",
"MapViewOfFileEx",
"OpenThread",
"Process32First",
"Process32Next",
"QueueUserAPC",
"ReadProcessMemory",
"ResumeThread",
"SetProcessDEPPolicy",
"SetThreadContext",
"SuspendThread",
"Thread32First",
"Thread32Next",
"Toolhelp32ReadProcessMemory",
"VirtualAlloc",
"VirtualAllocEx",
"VirtualProtect",
"VirtualProtectEx",
"WriteProcessMemory",
"VirtualAllocExNuma",
"VirtualAlloc2",
"VirtualAlloc2FromApp",
"VirtualAllocFromApp",
"VirtualProtectFromApp",
"CreateThread",
"WaitForSingleObject",
"OpenProcess",
"OpenFileMappingA",
"GetProcessHeap",
"GetProcessHeaps",
"HeapAlloc",
"HeapReAlloc",
"GlobalAlloc",
"AdjustTokenPrivileges",
"CreateProcessAsUserA",
"OpenProcessToken",
"CreateProcessWithTokenW",
"NtAdjustPrivilegesToken",
"NtAllocateVirtualMemory",
"NtContinue",
"NtCreateProcess",
"NtCreateProcessEx",
"NtCreateSection",
"NtCreateThread",
"NtCreateThreadEx",
"NtCreateUserProcess",
"NtDuplicateObject",
"NtMapViewOfSection",
"NtOpenProcess",
"NtOpenThread",
"NtProtectVirtualMemory",
"NtQueueApcThread",
"NtQueueApcThreadEx",
"NtQueueApcThreadEx2",
"NtReadVirtualMemory",
"NtResumeThread",
"NtUnmapViewOfSection",
"NtWaitForMultipleObjects",
"NtWaitForSingleObject",
"NtWriteVirtualMemory",
"RtlCreateHeap",
"LdrLoadDll",
"RtlMoveMemory",
"RtlCopyMemory",
"SetPropA",
"WaitForSingleObjectEx",
"WaitForMultipleObjects",
"WaitForMultipleObjectsEx",
"KeInsertQueueApc",
"Wow64SetThreadContext",
"NtSuspendProcess",
"NtResumeProcess",
"DuplicateToken",
"NtReadVirtualMemoryEx",
"CreateProcessInternal",
"EnumSystemLocalesA",
"UuidFromStringA"
],
"Evasion": [
"CreateFileMappingA",
"DeleteFileA",
"GetModuleHandleA",
"GetProcAddress",
"LoadLibraryA",
"LoadLibraryExA",
"LoadResource",
"SetEnvironmentVariableA",
"SetFileTime",
"Sleep",
"WaitForSingleObject",
"SetFileAttributesA",
"SleepEx",
"NtDelayExecution",
"NtWaitForMultipleObjects",
"NtWaitForSingleObject",
"CreateWindowExA",
"RegisterHotKey",
"timeSetEvent",
"IcmpSendEcho",
"WaitForSingleObjectEx",
"WaitForMultipleObjects",
"WaitForMultipleObjectsEx",
"SetWaitableTimer",
"CreateTimerQueueTimer",
"CreateWaitableTimer",
"SetWaitableTimer",
"SetTimer",
"Select",
"ImpersonateLoggedOnUser",
"SetThreadToken",
"DuplicateToken",
"SizeOfResource",
"LockResource",
"CreateProcessInternal",
"TimeGetTime",
"EnumSystemLocalesA",
"UuidFromStringA"
],
"Spying": [
"AttachThreadInput",
"CallNextHookEx",
"GetAsyncKeyState",
"GetClipboardData",
"GetDC",
"GetDCEx",
"GetForegroundWindow",
"GetKeyboardState",
"GetKeyState",
"GetMessageA",
"GetRawInputData",
"GetWindowDC",
"MapVirtualKeyA",
"MapVirtualKeyExA",
"PeekMessageA",
"PostMessageA",
"PostThreadMessageA",
"RegisterHotKey",
"RegisterRawInputDevices",
"SendMessageA",
"SendMessageCallbackA",
"SendMessageTimeoutA",
"SendNotifyMessageA",
"SetWindowsHookExA",
"SetWinEventHook",
"UnhookWindowsHookEx",
"BitBlt",
"StretchBlt",
"GetKeynameTextA"
],
"Internet": [
"WinExec",
"FtpPutFileA",
"HttpOpenRequestA",
"HttpSendRequestA",
"HttpSendRequestExA",
"InternetCloseHandle",
"InternetOpenA",
"InternetOpenUrlA",
"InternetReadFile",
"InternetReadFileExA",
"InternetWriteFile",
"URLDownloadToFile",
"URLDownloadToCacheFile",
"URLOpenBlockingStream",
"URLOpenStream",
"Accept",
"Bind",
"Connect",
"Gethostbyname",
"Inet_addr",
"Recv",
"Send",
"WSAStartup",
"Gethostname",
"Socket",
"WSACleanup",
"Listen",
"ShellExecuteA",
"ShellExecuteExA",
"DnsQuery_A",
"DnsQueryEx",
"WNetOpenEnumA",
"FindFirstUrlCacheEntryA",
"FindNextUrlCacheEntryA",
"InternetConnectA",
"InternetSetOptionA",
"WSASocketA",
"Closesocket",
"WSAIoctl",
"ioctlsocket",
"HttpAddRequestHeaders"
],
"Anti-Debugging": [
"CreateToolhelp32Snapshot",
"GetLogicalProcessorInformation",
"GetLogicalProcessorInformationEx",
"GetTickCount",
"OutputDebugStringA",
"CheckRemoteDebuggerPresent",
"Sleep",
"GetSystemTime",
"GetComputerNameA",
"SleepEx",
"IsDebuggerPresent",
"GetUserNameA",
"NtQueryInformationProcess",
"ExitWindowsEx",
"FindWindowA",
"FindWindowExA",
"GetForegroundWindow",
"GetTickCount64",
"QueryPerformanceFrequency",
"QueryPerformanceCounter",
"GetNativeSystemInfo",
"RtlGetVersion",
"GetSystemTimeAsFileTime",
"CountClipboardFormats"
],
"Ransomware": [
"CryptAcquireContextA",
"EncryptFileA",
"CryptEncrypt",
"CryptDecrypt",
"CryptCreateHash",
"CryptHashData",
"CryptDeriveKey",
"CryptSetKeyParam",
"CryptGetHashParam",
"CryptSetKeyParam",
"CryptDestroyKey",
"CryptGenRandom",
"DecryptFileA",
"FlushEfsCache",
"GetLogicalDrives",
"GetDriveTypeA",
"CryptStringToBinary",
"CryptBinaryToString",
"CryptReleaseContext",
"CryptDestroyHash",
"EnumSystemLocalesA"
],
"Helper": [
"ConnectNamedPipe",
"CopyFileA",
"CreateFileA",
"CreateMutexA",
"CreateMutexExA",
"DeviceIoControl",
"FindResourceA",
"FindResourceExA",
"GetModuleBaseNameA",
"GetModuleFileNameA",
"GetModuleFileNameExA",
"GetTempPathA",
"IsWoW64Process",
"MoveFileA",
"MoveFileExA",
"PeekNamedPipe",
"WriteFile",
"TerminateThread",
"CopyFile2",
"CopyFileExA",
"CreateFile2",
"GetTempFileNameA",
"TerminateProcess",
"SetCurrentDirectory",
"FindClose",
"SetThreadPriority",
"UnmapViewOfFile",
"ControlService",
"ControlServiceExA",
"CreateServiceA",
"DeleteService",
"OpenSCManagerA",
"OpenServiceA",
"RegOpenKeyA",
"RegOpenKeyExA",
"StartServiceA",
"StartServiceCtrlDispatcherA",
"RegCreateKeyExA",
"RegCreateKeyA",
"RegSetValueExA",
"RegSetKeyValueA",
"RegDeleteValueA",
"RegOpenKeyExA",
"RegEnumKeyExA",
"RegEnumValueA",
"RegGetValueA",
"RegFlushKey",
"RegGetKeySecurity",
"RegLoadKeyA",
"RegLoadMUIStringA",
"RegOpenCurrentUser",
"RegOpenKeyTransactedA",
"RegOpenUserClassesRoot",
"RegOverridePredefKey",
"RegReplaceKeyA",
"RegRestoreKeyA",
"RegSaveKeyA",
"RegSaveKeyExA",
"RegSetKeySecurity",
"RegUnLoadKeyA",
"RegConnectRegistryA",
"RegCopyTreeA",
"RegCreateKeyTransactedA",
"RegDeleteKeyA",
"RegDeleteKeyExA",
"RegDeleteKeyTransactedA",
"RegDeleteKeyValueA",
"RegDeleteTreeA",
"RegDeleteValueA",
"RegCloseKey",
"NtClose",
"NtCreateFile",
"NtDeleteKey",
"NtDeleteValueKey",
"NtMakeTemporaryObject",
"NtSetContextThread",
"NtSetInformationProcess",
"NtSetInformationThread",
"NtSetSystemEnvironmentValueEx",
"NtSetValueKey",
"NtShutdownSystem",
"NtTerminateProcess",
"NtTerminateThread",
"RtlSetProcessIsCritical",
"DrawTextExA",
"GetDesktopWindow",
"SetClipboardData",
"SetWindowLongA",
"SetWindowLongPtrA",
"OpenClipboard",
"SetForegroundWindow",
"BringWindowToTop",
"SetFocus",
"ShowWindow",
"NetShareSetInfo",
"NetShareAdd",
"NtQueryTimer",
"GetIpNetTable",
"GetLogicalDrives",
"GetDriveTypeA",
"CreatePipe",
"RegEnumKeyA",
"WNetOpenEnumA",
"WNetEnumResourceA",
"WNetAddConnection2A",
"CallWindowProcA",
"NtResumeProcess",
"lstrcatA",
"ImpersonateLoggedOnUser",
"SetThreadToken",
"SizeOfResource",
"LockResource",
"UuidFromStringA"
]
}
}