Apymonitor is a Python tool that creates an API Monitor XML filter file from a PE's import table (static imports), ready to load when analyzing an artifact.

```
python apymonitor.py -i malware.exe -o output.xml
```

It writes to the file output.xml something like this:
```xml
<?xml version="1.0"?>
<!--
API Monitor Filter
(c) 2010-2013, Rohitab Batra <[email protected]>
http://www.rohitab.com/apimonitor/
-
This document was generated by Apymonitor.
2021-03-13 16:36:33 UTC
A python project which generates a valid APIMonitor XML document with a PE as
input.
More info: github.com/felipetarijon/apymonitor
-->
<ApiMonitor>
  <CaptureFilter>
    <Module Name="KERNEL32.dll">
      <Api Name="VirtualAlloc"/>
      <Api Name="VirtualFree"/>
      <Api Name="CreateFileA"/>
      <Api Name="GetFileSize"/>
      <Api Name="ReadFile"/>
      <Api Name="WriteFile"/>
      <Api Name="CloseHandle"/>
      <Api Name="MapViewOfFile"/>
    </Module>
  </CaptureFilter>
</ApiMonitor>
```
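The same transformation in a few lines, as an added example rather than apymonitor's own code: it assumes the import table has already been collected (for instance with the pefile library) as a dict of DLL name to function names, uses a constructed sample table, and adds the DLL/API blacklist and optional extra header that the project's TODO list mentions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample import table, shaped like what a PE parser (e.g. pefile)
# returns: {dll_name: [imported_function_name, ...]}.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["VirtualAlloc", "VirtualFree", "CreateFileA", "ReadFile", "CloseHandle"],
    "ADVAPI32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
    "USER32.dll": ["MessageBoxA"],
}


def build_filter(imports, blacklist_dlls=(), blacklist_apis=(), extra_header=True):
    """Return an API Monitor capture filter (XML text) for the given imports.

    blacklist_dlls / blacklist_apis drop whole modules or single functions
    (case-insensitive) so noisy calls do not clutter the capture; extra_header
    toggles the generator comment, like apymonitor's non-default option.
    """
    skip_dlls = {d.lower() for d in blacklist_dlls}
    skip_apis = {a.lower() for a in blacklist_apis}

    root = ET.Element("ApiMonitor")
    capture = ET.SubElement(root, "CaptureFilter")
    for dll, apis in imports.items():
        if dll.lower() in skip_dlls:
            continue
        # Imports by ordinal have no name (None); API Monitor filters by name.
        kept = [a for a in apis if a and a.lower() not in skip_apis]
        if not kept:
            continue
        module = ET.SubElement(capture, "Module", Name=dll)
        for api in kept:
            ET.SubElement(module, "Api", Name=api)

    text = '<?xml version="1.0"?>\n'
    if extra_header:
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        text += f"<!--\nAPI Monitor Filter\nGenerated {stamp}\n-->\n"
    # ElementTree escapes attribute values, so odd import names cannot break the XML.
    return text + ET.tostring(root, encoding="unicode")


def count_apis(xml_text):
    """Parse the filter back and count its <Api> entries (round-trip check)."""
    return len(ET.fromstring(xml_text).findall("./CaptureFilter/Module/Api"))
```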
Then load the XML file in API Monitor.

You can also get the x64 Windows build of apymonitor as apymonitor-winx64.rar.
Downloading it with PowerShell:

```
powershell.exe -c "wget https://raw.githubusercontent.com/felipetarijon/apymonitor/main/apymonitor-winx64.rar -OutFile apymonitor.rar"
```
After extracting, usage example:

```
apymonitor\apymonitor.exe -i C:\Windows\System32\calc.exe -o calc.xml
```
Installing from source (Linux):

```
git clone git@github.com:felipetarijon/apymonitor.git
python3.6 -m venv env
source env/bin/activate
pip install -r requirements.txt
```
Building the Windows executable. Requirements: Git and Python.

```
git clone https://github.com/felipetarijon/apymonitor.git
cd apymonitor
python -m venv env
env\Scripts\activate
pip install -r requirements.txt
pyinstaller apymonitor.py
```

It will build into dist/apymonitor/.
TODO:

- Replace the XML lib (xml.dom.minidom) with a more secure one
- Implement argparse
- Build an executable file to be used as a tool
- Add more arguments/options to:
  - allow changing the xml output filename
  - generate the xml without the extra_header (non-default option)
  - blacklist some api functions or dlls
- Implement a feature to get the dynamically imported api functions using capstone
Changelog:

- 03/13/2021:
  - Fixed argparse to show the help message when the user provides no args.
  - Added the option to not output the extra_header.
  - Built the project on Windows x64 so the tool is ready to use.
- 01/19/2021:
  - Added the pyinstaller package to build executable files.
  - Implemented argparse.
- 01/18/2021:
  - Initial commit.
  - Implemented the basic functionality to extract the apis from the PE.