WinAPIGraph

WinAPIGraph is a Neo4j-based tool that generates software behaviour graphs. It uses the PyREBox sandbox to run a dynamic analysis of the sample and to obtain the trace of the API calls the sample makes.

The first step is to connect to the Neo4j database. Once connected, WinAPIGraph reads the log file produced by PyREBox. The functions extracted from the analysis are then processed by comparing them with the configuration files in the API_FILE directory. If a function is found there, the function and its arguments are checked against the Deviare2 database. Deviare2_db is a widely used database that contains the main APIs used by programs; WinAPIGraph uses it to check that the DLLs, functions and arguments entered into the system are correct.

Once all the checks are done, the network can be generated. A bash script is also included to automate the whole pipeline; it takes the name of the malware to be analyzed and the path to the compressed sample. Optionally, a path can be given to which the obtained log is written; WinAPIGraph then reads that log to generate the network.
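The pipeline described above, as an added example that is not part of the WinAPIGraph project: parse a trace, keep only the calls whose DLL, function and argument names exist in a reference table, and turn the survivors into parametrised Cypher MERGE statements of the kind a py2neo graph.run() call would execute. The log layout, the reference table schema and the sample lines are constructed assumptions, since the page shows neither the PyREBox log format nor the deviare2_db schema.

```python
import re
import sqlite3

# Constructed sample trace in an assumed "pid|process|dll|Function(arg=value,...)"
# layout; the real PyREBox function_calls.log format is not reproduced on the page.
SAMPLE_LOG = """\
1234|sample.exe|kernel32.dll|CreateFileW(lpFileName=drop.exe,dwDesiredAccess=0x40000000)
1234|sample.exe|kernel32.dll|WriteFile(hFile=0x1c,nNumberOfBytesToWrite=4096)
1234|sample.exe|advapi32.dll|RegSetValueExW(hKey=0x50,lpValueName=Run)
1234|sample.exe|kernel32.dll|NotARealApi(x=1)
"""
LINE_RE = re.compile(r"^(\d+)\|([^|]+)\|([^|]+)\|(\w+)\((.*)\)$")

def build_reference_db():
    """In-memory stand-in for deviare2_db; the table layout is an assumption."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE api (dll TEXT, func TEXT, params TEXT)")
    con.executemany("INSERT INTO api VALUES (?, ?, ?)", [
        ("kernel32.dll", "CreateFileW", "lpFileName,dwDesiredAccess"),
        ("kernel32.dll", "WriteFile", "hFile,nNumberOfBytesToWrite"),
        ("advapi32.dll", "RegSetValueExW", "hKey,lpValueName"),
    ])
    return con

def parse_log(text):
    """Turn trace lines into (pid, process, dll, function, [argument names]) tuples."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, proc, dll, func, args = m.groups()
            names = [a.split("=", 1)[0] for a in args.split(",") if a]
            calls.append((int(pid), proc, dll.lower(), func, names))
    return calls

def validate(calls, con):
    """Accept a call only if DLL, function and every argument name exist in the reference DB."""
    good, rejected = [], []
    for call in calls:
        _, _, dll, func, names = call
        row = con.execute("SELECT params FROM api WHERE dll=? AND func=?", (dll, func)).fetchone()
        (good if row and set(names) <= set(row[0].split(",")) else rejected).append(call)
    return good, rejected

def to_cypher(calls):
    """Parametrised MERGE statements for graph.run(); the values come from the sample's
    own trace, so they are bound as parameters rather than spliced into the query text."""
    query = ("MERGE (p:Process {pid:$pid, name:$proc}) MERGE (d:DLL {name:$dll}) "
             "MERGE (f:API {name:$func}) MERGE (d)-[:EXPORTS]->(f) "
             "MERGE (p)-[:CALLS {args:$args}]->(f)")
    return [(query, {"pid": pid, "proc": proc, "dll": dll, "func": func, "args": ",".join(names)})
            for pid, proc, dll, func, names in calls]
```

With a live database, each (query, params) pair would be passed to py2neo as graph.run(query, **params); the unknown NotARealApi call is rejected before it ever reaches the graph.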

Install

WinAPIGraph uses py2neo to connect to the Neo4j database and sqlite3 to query the deviare2_db database.

Use the package manager pip to install py2neo.

pip install py2neo

Usage

python3 WinAPIGraph.py
---------------------------------
Usage
---------------------------------

Options:
    -h, --help show brief help
    -f, --file=PATH  specify the path of the file of the logs


Starting a Graph

WinAPIGraph starts a VM through PyREBox. Once the malware analysis has finished and the VM is closed, the network creation process starts; for this the Neo4j database must be running. The whole process can be started through PyRLogToGraph.sh.

---------------------------------
Usage
---------------------------------

Options:
    -h, --help show brief help
    -p, --path-malware=PATH  specify the path of the malware to be analyzed
    -m, --malware=MALWARE specify a malware to analyze
    -l, --path-logs=PATH  specify the path of the logs to generate a graph (DEFAULT:pyrebox/logs/function_calls.log)

./PyRLogToGraph.sh -p  /Your/path/malware.zip -m malware.exe

./PyRLogToGraph.sh -p /Your/path/malware.zip -m malware.exe -l /Your/path/function_calls.log

WinAPIGraph can also be run on its own by passing the path of the log from which the network should be generated.

python3 WinAPIGraph.py -f /Your/path/function_calls.log

Once the process has run, the resulting network is available in Neo4j.


License

This tool is published under the GNU GPLv3 license.
