Introducción
La web MalAPI.io recoge un listado de APIs de Windows que pueden ser utilizadas por programas maliciosos para realizar acciones no deseadas en el sistema operativo. Para analizar ejecutables en búsqueda de estas cadenas se ha desarrollado una herramienta en Python que escarba el archivo pasado por parámetro automáticamente.
Uso de MalAPI Scanner
Para su uso, simplemente es necesario pasar por parámetro el archivo ejecutable a analizar y disponer del archivo malapi.json, con la base de datos de APIs extraída de la página web, en el directorio desde el que se ejecuta el script. Este es un ejemplo de su ejecución.
$ python malapi.py C:\Windows\notepad.exe
Detected APIs for file C:\Windows\notepad.exe:
Enumeration: GetSystemTime, ReadFile, GetCurrentThread, GetCurrentThreadId, GetCurrentProcess, GetCurrentProcessId, GetSystemTimeAsFileTime,
Injection: GetModuleHandleA, GetProcAddress, LocalAlloc, MapViewOfFile, CreateThread, WaitForSingleObject, OpenProcess, GetProcessHeap, HeapAlloc, GlobalAlloc, OpenProcessToken, WaitForSingleObjectEx,
Evasion: GetModuleHandleA, GetProcAddress, LoadResource, WaitForSingleObject, WaitForSingleObjectEx, Select, LockResource,
Spying: GetDC, GetForegroundWindow, SetWinEventHook,
Internet: Accept, Send,
Anti-Debugging: GetSystemTime, IsDebuggerPresent, GetForegroundWindow, QueryPerformanceCounter, GetSystemTimeAsFileTime,
Helper: GetModuleFileNameA, WriteFile, TerminateProcess, SetCurrentDirectory, FindClose, UnmapViewOfFile, RegCloseKey, OpenClipboard, SetFocus, ShowWindow, LockResource,
Código fuente
import json
import string
import sys
# extract strings from binary (https://stackoverflow.com/questions/17195924/python-equivalent-of-unix-strings-utility)
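def strings(filename, min=4):
    """Yield runs of printable ASCII characters found in *filename*.

    A run ends at the first non-printable byte (or at EOF) and is reported
    only when it is at least ``min`` characters long. "Printable" means the
    bytes whose ASCII value is in ``string.printable`` (letters, digits,
    punctuation and whitespace), so a run may span line breaks.

    Args:
        filename: path of the file to scan.
        min: minimum length of a run for it to be reported. The name shadows
            the builtin but is kept so existing callers keep working.

    Yields:
        Each qualifying run, in file order, as a ``str``.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    # Work on raw bytes instead of a text-mode decode: decoding with
    # errors="ignore" silently drops undecodable bytes and thereby glues
    # together two strings that are separated only by such bytes, and the
    # result depends on the platform's locale encoding. Byte-wise scanning
    # is deterministic and matches what the classic `strings` tool does.
    printable = frozenset(string.printable.encode("ascii"))
    min_len = min
    run = bytearray()
    with open(filename, "rb") as f:
        # Read in chunks so large binaries are not loaded into memory at once.
        for chunk in iter(lambda: f.read(65536), b""):
            for byte in chunk:
                if byte in printable:
                    run.append(byte)
                    continue
                if len(run) >= min_len:
                    yield run.decode("ascii")
                run.clear()
    # A run that reaches EOF has no terminating byte, so flush it here.
    if len(run) >= min_len:
        yield run.decode("ascii")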
# get filename from arguments
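if len(sys.argv) < 2:
    # A missing argument used to surface as a bare IndexError; print a
    # usage line to stderr and exit with status 1 instead.
    sys.exit("usage: python malapi.py <file-to-scan>")
file_name = sys.argv[1]

# load malicious apis from file (extracted from malapi.io). The file is
# looked up relative to the current working directory and must contain a
# top-level "malapi" object mapping category name -> list of API names.
# JSON is UTF-8 by specification, so do not depend on the locale encoding.
with open('malapi.json', encoding="utf-8") as api_file:
    apis = json.load(api_file)

strings_pe_file = list(strings(file_name))
# Join all extracted strings once so every API name is located with a
# single C-level substring search instead of a Python loop over the list.
# NUL is never printable, so it cannot occur inside an extracted string or
# an API name; a match therefore never straddles the separator, which keeps
# this exactly equivalent to testing `api in s` for each string s.
strings_blob = "\x00".join(strings_pe_file)

# category -> list of detected API names, in database order, deduplicated
# (the database lists some names twice within one category).
pe_apis = {}
# search. The test is a plain substring match, so a short name such as
# "Send" or "Accept" also fires on any longer string containing it (e.g.
# "SendMessageA"); single hits on short names are weak evidence.
for category, api_list in apis["malapi"].items():
    for api in api_list:
        if api in strings_blob:
            found = pe_apis.setdefault(category, [])
            if api not in found:
                found.append(api)

# show
print("Detected APIs for file " + file_name + ": ")
for category, api_list in pe_apis.items():
    print(' ' + category + ': ', end='')
    for api in api_list:
        print(api + ", ", end='')
    print()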
Base de datos de MalAPI
{
"malapi": {
"Enumeration": [
"CreateToolhelp32Snapshot",
"EnumDeviceDrivers",
"EnumProcesses",
"EnumProcessModules",
"EnumProcessModulesEx",
"FindFirstFileA",
"FindNextFileA",
"GetLogicalProcessorInformation",
"GetLogicalProcessorInformationEx",
"GetModuleBaseNameA",
"GetSystemDefaultLangId",
"GetVersionExA",
"GetWindowsDirectoryA",
"IsWoW64Process",
"Module32First",
"Module32Next",
"Process32First",
"Process32Next",
"ReadProcessMemory",
"Thread32First",
"Thread32Next",
"GetSystemDirectoryA",
"GetSystemTime",
"ReadFile",
"GetComputerNameA",
"VirtualQueryEx",
"GetProcessIdOfThread",
"GetProcessId",
"GetCurrentThread",
"GetCurrentThreadId",
"GetThreadId",
"GetThreadInformation",
"GetCurrentProcess",
"GetCurrentProcessId",
"SearchPathA",
"GetFileTime",
"GetFileAttributesA",
"LookupPrivilegeValueA",
"LookupAccountNameA",
"GetCurrentHwProfileA",
"GetUserNameA",
"RegEnumKeyExA",
"RegEnumValueA",
"RegQueryInfoKeyA",
"RegQueryMultipleValuesA",
"RegQueryValueExA",
"NtQueryDirectoryFile",
"NtQueryInformationProcess",
"NtQuerySystemEnvironmentValueEx",
"EnumDesktopWindows",
"EnumWindows",
"NetShareEnum",
"NetShareGetInfo",
"NetShareCheck",
"GetAdaptersInfo",
"PathFileExistsA",
"GetNativeSystemInfo",
"RtlGetVersion",
"GetIpNetTable",
"GetLogicalDrives",
"GetDriveTypeA",
"RegEnumKeyA",
"WNetEnumResourceA",
"WNetCloseEnum",
"FindFirstUrlCacheEntryA",
"FindNextUrlCacheEntryA",
"WNetAddConnection2A",
"WNetAddConnectionA",
"EnumResourceTypesA",
"EnumResourceTypesExA",
"GetSystemTimeAsFileTime",
"GetThreadLocale",
"EnumSystemLocalesA"
],
"Injection": [
"CreateFileMappingA",
"CreateProcessA",
"CreateRemoteThread",
"CreateRemoteThreadEx",
"GetModuleHandleA",
"GetProcAddress",
"GetThreadContext",
"HeapCreate",
"LoadLibraryA",
"LoadLibraryExA",
"LocalAlloc",
"MapViewOfFile",
"MapViewOfFile2",
"MapViewOfFile3",
"MapViewOfFileEx",
"OpenThread",
"Process32First",
"Process32Next",
"QueueUserAPC",
"ReadProcessMemory",
"ResumeThread",
"SetProcessDEPPolicy",
"SetThreadContext",
"SuspendThread",
"Thread32First",
"Thread32Next",
"Toolhelp32ReadProcessMemory",
"VirtualAlloc",
"VirtualAllocEx",
"VirtualProtect",
"VirtualProtectEx",
"WriteProcessMemory",
"VirtualAllocExNuma",
"VirtualAlloc2",
"VirtualAlloc2FromApp",
"VirtualAllocFromApp",
"VirtualProtectFromApp",
"CreateThread",
"WaitForSingleObject",
"OpenProcess",
"OpenFileMappingA",
"GetProcessHeap",
"GetProcessHeaps",
"HeapAlloc",
"HeapReAlloc",
"GlobalAlloc",
"AdjustTokenPrivileges",
"CreateProcessAsUserA",
"OpenProcessToken",
"CreateProcessWithTokenW",
"NtAdjustPrivilegesToken",
"NtAllocateVirtualMemory",
"NtContinue",
"NtCreateProcess",
"NtCreateProcessEx",
"NtCreateSection",
"NtCreateThread",
"NtCreateThreadEx",
"NtCreateUserProcess",
"NtDuplicateObject",
"NtMapViewOfSection",
"NtOpenProcess",
"NtOpenThread",
"NtProtectVirtualMemory",
"NtQueueApcThread",
"NtQueueApcThreadEx",
"NtQueueApcThreadEx2",
"NtReadVirtualMemory",
"NtResumeThread",
"NtUnmapViewOfSection",
"NtWaitForMultipleObjects",
"NtWaitForSingleObject",
"NtWriteVirtualMemory",
"RtlCreateHeap",
"LdrLoadDll",
"RtlMoveMemory",
"RtlCopyMemory",
"SetPropA",
"WaitForSingleObjectEx",
"WaitForMultipleObjects",
"WaitForMultipleObjectsEx",
"KeInsertQueueApc",
"Wow64SetThreadContext",
"NtSuspendProcess",
"NtResumeProcess",
"DuplicateToken",
"NtReadVirtualMemoryEx",
"CreateProcessInternal",
"EnumSystemLocalesA",
"UuidFromStringA"
],
"Evasion": [
"CreateFileMappingA",
"DeleteFileA",
"GetModuleHandleA",
"GetProcAddress",
"LoadLibraryA",
"LoadLibraryExA",
"LoadResource",
"SetEnvironmentVariableA",
"SetFileTime",
"Sleep",
"WaitForSingleObject",
"SetFileAttributesA",
"SleepEx",
"NtDelayExecution",
"NtWaitForMultipleObjects",
"NtWaitForSingleObject",
"CreateWindowExA",
"RegisterHotKey",
"timeSetEvent",
"IcmpSendEcho",
"WaitForSingleObjectEx",
"WaitForMultipleObjects",
"WaitForMultipleObjectsEx",
"SetWaitableTimer",
"CreateTimerQueueTimer",
"CreateWaitableTimer",
"SetWaitableTimer",
"SetTimer",
"Select",
"ImpersonateLoggedOnUser",
"SetThreadToken",
"DuplicateToken",
"SizeOfResource",
"LockResource",
"CreateProcessInternal",
"TimeGetTime",
"EnumSystemLocalesA",
"UuidFromStringA"
],
"Spying": [
"AttachThreadInput",
"CallNextHookEx",
"GetAsyncKeyState",
"GetClipboardData",
"GetDC",
"GetDCEx",
"GetForegroundWindow",
"GetKeyboardState",
"GetKeyState",
"GetMessageA",
"GetRawInputData",
"GetWindowDC",
"MapVirtualKeyA",
"MapVirtualKeyExA",
"PeekMessageA",
"PostMessageA",
"PostThreadMessageA",
"RegisterHotKey",
"RegisterRawInputDevices",
"SendMessageA",
"SendMessageCallbackA",
"SendMessageTimeoutA",
"SendNotifyMessageA",
"SetWindowsHookExA",
"SetWinEventHook",
"UnhookWindowsHookEx",
"BitBlt",
"StretchBlt",
"GetKeynameTextA"
],
"Internet": [
"WinExec",
"FtpPutFileA",
"HttpOpenRequestA",
"HttpSendRequestA",
"HttpSendRequestExA",
"InternetCloseHandle",
"InternetOpenA",
"InternetOpenUrlA",
"InternetReadFile",
"InternetReadFileExA",
"InternetWriteFile",
"URLDownloadToFile",
"URLDownloadToCacheFile",
"URLOpenBlockingStream",
"URLOpenStream",
"Accept",
"Bind",
"Connect",
"Gethostbyname",
"Inet_addr",
"Recv",
"Send",
"WSAStartup",
"Gethostname",
"Socket",
"WSACleanup",
"Listen",
"ShellExecuteA",
"ShellExecuteExA",
"DnsQuery_A",
"DnsQueryEx",
"WNetOpenEnumA",
"FindFirstUrlCacheEntryA",
"FindNextUrlCacheEntryA",
"InternetConnectA",
"InternetSetOptionA",
"WSASocketA",
"Closesocket",
"WSAIoctl",
"ioctlsocket",
"HttpAddRequestHeaders"
],
"Anti-Debugging": [
"CreateToolhelp32Snapshot",
"GetLogicalProcessorInformation",
"GetLogicalProcessorInformationEx",
"GetTickCount",
"OutputDebugStringA",
"CheckRemoteDebuggerPresent",
"Sleep",
"GetSystemTime",
"GetComputerNameA",
"SleepEx",
"IsDebuggerPresent",
"GetUserNameA",
"NtQueryInformationProcess",
"ExitWindowsEx",
"FindWindowA",
"FindWindowExA",
"GetForegroundWindow",
"GetTickCount64",
"QueryPerformanceFrequency",
"QueryPerformanceCounter",
"GetNativeSystemInfo",
"RtlGetVersion",
"GetSystemTimeAsFileTime",
"CountClipboardFormats"
],
"Ransomware": [
"CryptAcquireContextA",
"EncryptFileA",
"CryptEncrypt",
"CryptDecrypt",
"CryptCreateHash",
"CryptHashData",
"CryptDeriveKey",
"CryptSetKeyParam",
"CryptGetHashParam",
"CryptSetKeyParam",
"CryptDestroyKey",
"CryptGenRandom",
"DecryptFileA",
"FlushEfsCache",
"GetLogicalDrives",
"GetDriveTypeA",
"CryptStringToBinary",
"CryptBinaryToString",
"CryptReleaseContext",
"CryptDestroyHash",
"EnumSystemLocalesA"
],
"Helper": [
"ConnectNamedPipe",
"CopyFileA",
"CreateFileA",
"CreateMutexA",
"CreateMutexExA",
"DeviceIoControl",
"FindResourceA",
"FindResourceExA",
"GetModuleBaseNameA",
"GetModuleFileNameA",
"GetModuleFileNameExA",
"GetTempPathA",
"IsWoW64Process",
"MoveFileA",
"MoveFileExA",
"PeekNamedPipe",
"WriteFile",
"TerminateThread",
"CopyFile2",
"CopyFileExA",
"CreateFile2",
"GetTempFileNameA",
"TerminateProcess",
"SetCurrentDirectory",
"FindClose",
"SetThreadPriority",
"UnmapViewOfFile",
"ControlService",
"ControlServiceExA",
"CreateServiceA",
"DeleteService",
"OpenSCManagerA",
"OpenServiceA",
"RegOpenKeyA",
"RegOpenKeyExA",
"StartServiceA",
"StartServiceCtrlDispatcherA",
"RegCreateKeyExA",
"RegCreateKeyA",
"RegSetValueExA",
"RegSetKeyValueA",
"RegDeleteValueA",
"RegOpenKeyExA",
"RegEnumKeyExA",
"RegEnumValueA",
"RegGetValueA",
"RegFlushKey",
"RegGetKeySecurity",
"RegLoadKeyA",
"RegLoadMUIStringA",
"RegOpenCurrentUser",
"RegOpenKeyTransactedA",
"RegOpenUserClassesRoot",
"RegOverridePredefKey",
"RegReplaceKeyA",
"RegRestoreKeyA",
"RegSaveKeyA",
"RegSaveKeyExA",
"RegSetKeySecurity",
"RegUnLoadKeyA",
"RegConnectRegistryA",
"RegCopyTreeA",
"RegCreateKeyTransactedA",
"RegDeleteKeyA",
"RegDeleteKeyExA",
"RegDeleteKeyTransactedA",
"RegDeleteKeyValueA",
"RegDeleteTreeA",
"RegDeleteValueA",
"RegCloseKey",
"NtClose",
"NtCreateFile",
"NtDeleteKey",
"NtDeleteValueKey",
"NtMakeTemporaryObject",
"NtSetContextThread",
"NtSetInformationProcess",
"NtSetInformationThread",
"NtSetSystemEnvironmentValueEx",
"NtSetValueKey",
"NtShutdownSystem",
"NtTerminateProcess",
"NtTerminateThread",
"RtlSetProcessIsCritical",
"DrawTextExA",
"GetDesktopWindow",
"SetClipboardData",
"SetWindowLongA",
"SetWindowLongPtrA",
"OpenClipboard",
"SetForegroundWindow",
"BringWindowToTop",
"SetFocus",
"ShowWindow",
"NetShareSetInfo",
"NetShareAdd",
"NtQueryTimer",
"GetIpNetTable",
"GetLogicalDrives",
"GetDriveTypeA",
"CreatePipe",
"RegEnumKeyA",
"WNetOpenEnumA",
"WNetEnumResourceA",
"WNetAddConnection2A",
"CallWindowProcA",
"NtResumeProcess",
"lstrcatA",
"ImpersonateLoggedOnUser",
"SetThreadToken",
"SizeOfResource",
"LockResource",
"UuidFromStringA"
]
}
}