Skip to content

anpa1200/PE-Import-Analyzer

Repository files navigation

PE Import Analyzer

PE import-table analysis for malware analysts and CTI engineers: explain DLL/API usage, flag suspicious API combinations, and turn imports into capability and detection leads.

CTI Use

Use this when a Windows binary needs fast capability triage. Import tables are not proof of behavior, but they are useful leads for ATT&CK mapping, sandbox planning, YARA ideas, and analyst reporting.

Defender Outputs

Output Use
DLL/API list Capability triage
API explanations Analyst context
Dangerous API flags Detection and review priorities
HTML / text / JSON Reports and automation
LLM-ready output Structured follow-up analysis

Python Version License: MIT LIEF Parser

A command-line utility to analyze the import table of PE files. Provides detailed DLL descriptions, API function explanations, and flexible output formats (HTML, plain text, JSON). Ideal for malware analysts, reverse engineers, and forensic investigators.

πŸ“– PE Import Analyzer: A Practical Guide for Malware Analysts and Reverse Engineers (Medium) β€” installation, usage, risk classification, suspicious combination detection, and LLM-ready output.


πŸ” Features

  • Import Table Extraction: Uses LIEF to parse PE files and extract all imported DLLs and their functions.
  • Delay-Load Imports: Optional parsing of delay-load import table (LIEF 0.12+); shown as DLL_NAME (delay-load).
  • DLL Summaries: Built-in explanations for core Windows DLLs (e.g. kernel32.dll, user32.dll, advapi32.dll, ntdll.dll, ws2_32.dll, wininet.dll, and more).
  • API Explanations: Case-insensitive lookup; per-DLL limit (default 20) or --all-apis for full lists.
  • All DLLs Included: Unknown DLLs are no longer skipped; they appear with β€œNo description available” and full API lists.
  • Dangerous Function Flagging: Optional section for high-risk APIs, with categories (injection, persistence, network/C2, crypto/evasion, etc.). Expanded list for malware and hardening analysis.
  • Multiple Output Formats: HTML (styled report), plain text, and JSON (for scripting and tooling).
  • Non-Interactive Mode: Use --no-prompt with --html/--txt/--json, --dangerous, and -o FILE for automation.
  • Robustness: File existence and readability checks; clear errors for non-PE or corrupt files.

πŸ“¦ Installation

# From PyPI
pip install pe-import-analyzer

# Clone the repository
git clone https://github.com/anpa1200/PE-Import-Analyzer.git && cd PE-Import-Analyzer

# Create and activate virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate   # Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

Requires only LIEF (lief>=0.14.0) and Python 3.8+.

Development

pip install -e ".[dev]"   # lief + pytest
pytest tests/ -v           # run tests (CLI tests need lief)

πŸš€ Usage

python3 PE-Import-Analyzer.py <path_to_pe_file> [options]

# Or after PyPI install:
pe-import-analyzer <path_to_pe_file> [options]

Options

Option Description
--html Output HTML report.
--txt Output plain text report.
--json Output JSON (for scripting).
--dangerous Include dangerous/suspicious API section.
--no-dangerous Exclude dangerous API section.
-o FILE, --output FILE Output file path.
--no-prompt Non-interactive: use defaults and CLI flags only.
--all-apis Show all APIs per DLL (default: first 20).
--no-delay-load Skip delay-load import table.
-q, --quiet Minimal output (errors only).
-v, --verbose Verbose logging.
--version Show version and exit.

Examples

Interactive (prompts for format and options):

python3 PE-Import-Analyzer.py sample.exe

Non-interactive, HTML report with dangerous APIs:

python3 PE-Import-Analyzer.py sample.exe --html --dangerous --no-prompt -o report.html

JSON for tooling:

python3 PE-Import-Analyzer.py sample.exe --json --no-prompt -o report.json

Full API list, text and HTML:

python3 PE-Import-Analyzer.py sample.exe --txt --html --all-apis --no-prompt

Exit codes

Code Meaning
0 Success
2 File not found
3 Permission denied
4 Invalid or corrupt PE
5 Output write error

πŸ› οΈ Function Reference

Function Description
extract_and_sort_imports(file_path, include_delay_load=True) Parses PE and returns DLL β†’ sorted list of imports; optional delay-load.
get_api_explanation(dll_info, api_name) Case-insensitive API explanation lookup.
generate_text_output(...) Plain text report.
generate_html_output(...) HTML report.
generate_json_output(...) JSON structure with summary and dangerous categories.
dll_api_explanations Nested dict: DLL name β†’ explanation + apis.
DANGEROUS_API_LIST Dict of categories β†’ list of dangerous API names (lowercase).

πŸ“„ Changelog

See CHANGELOG.md for version history.

Related repositories & articles

Resource Link
PE-Import-Analyzer (this repo) GitHub Β· Medium: PE Import Analyzer Guide
Static-malware-Analysis-Orchestrator GitHub β€” one-command pipeline (triage, strings, PE imports, unpack) Β· Medium: Full workflow
Unpacker GitHub Β· Medium: Unpacker Guide
String-Analyzer GitHub Β· Medium: String Analyzer Guide
Basic-File-Information-Gathering-Script GitHub Β· Medium: File Metadata & Static Analysis
Author Medium @1200km

πŸ“œ License

Distributed under the MIT License. See LICENSE for details.

1200km Ecosystem

This project is part of the 1200km security research ecosystem. Use AdversaryGraph for CTI-to-detection workflows, ATT&CK/ATLAS mapping, actor relevance, IOC enrichment, and analyst-ready reporting.

About

PE import-table analysis for malware triage, API capability review, suspicious function flags, and detection leads.

Topics

Resources

License

Contributing

Security policy

Stars

2 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages