felipetarijon / apymonitor Goto Github PK

Apymonitor is a python tool to create an APIMonitor xml filter output file based on a PE import list (static imports), ready to use to analyze an artifact.

python apymonitor.py -i malware.exe -o output.xml

It will output into the file output.xml something like this:

<?xml version="1.0"?>
<!--
API Monitor Filter
(c) 2010-2013, Rohitab Batra <[email protected]>
http://www.rohitab.com/apimonitor/
-
This document was generated by Apymonitor.
2021-03-13 16:36:33 UTC
A python project which generates a valid APIMonitor XML document with a PE as 
input.
More info: github.com/felipetarijon/apymonitor
-->
<ApiMonitor>
    <CaptureFilter>
        <Module Name="KERNEL32.dll">
            <Api Name="VirtualAlloc"/>
            <Api Name="VirtualFree"/>
            <Api Name="CreateFileA"/>
            <Api Name="GetFileSize"/>
            <Api Name="ReadFile"/>
            <Api Name="WriteFile"/>
            <Api Name="CloseHandle"/>
            <Api Name="MapViewOfFile"/>
        </Module>
    </CaptureFilter>
</ApiMonitor>

Then load the XML file on APIMonitor:

You can also get the x64 apymonitor Windows build on apymonitor-winx64.rar.
Downloading using powershell:

powershell.exe -c "wget https://raw.githubusercontent.com/felipetarijon/apymonitor/main/apymonitor-winx64.rar -OutFile apymonitor.rar"

After extracting, usage example:

apymonitor\apymonitor.exe -i C:\Windows\System32\calc.exe -o calc.xml

git clone [email protected]:felipetarijon/apymonitor.git
python3.6 -m venv env
source env/bin/activate
pip install -r requirements.txt

Requirements: Git and Python.

git clone https://github.com/felipetarijon/apymonitor.git
cd apymonitor
python -m venv env
env\Scripts\activate
pip install -r requirements.txt

pyinstaller apymonitor.py

It will build on dist/apymonitor/

• Replace the XML lib (xml.dom.minidom) by another more secure
• Implement argparse
• Build an executable file to be used as a tool
• Add more arguments/options to:
  • allow change xml output filename
  • generate the xml without the extra_header (non-default option)
  • blacklist some api function or dll
• Implement a feature to get the dynamic imported api functions using capstone

• 03/13/2021:
  • Fixed the argparse to show help message when user provide no args.
  • Added the option to not output the extra_header.
  • Built the project on Windows x64 to generate the tool to be ready to use.
• 01/19/2021:
  • Added pyinstaller package to build executable files.
  • Implemented argparse.
• 01/18/2021:
  • Initial commit.
  • Implemented the basic functionality to extract the apis from the PE.