PE import-table analysis for malware analysts and CTI engineers: explain DLL/API usage, flag suspicious API combinations, and turn imports into capability and detection leads.
Use this when a Windows binary needs fast capability triage. Import tables are not proof of behavior, but they are useful leads for ATT&CK mapping, sandbox planning, YARA ideas, and analyst reporting.
| Output | Use |
|---|---|
| DLL/API list | Capability triage |
| API explanations | Analyst context |
| Dangerous API flags | Detection and review priorities |
| HTML / text / JSON | Reports and automation |
| LLM-ready output | Structured follow-up analysis |
A command-line utility to analyze the import table of PE files. Provides detailed DLL descriptions, API function explanations, and flexible output formats (HTML, plain text, JSON). Ideal for malware analysts, reverse engineers, and forensic investigators.
π PE Import Analyzer: A Practical Guide for Malware Analysts and Reverse Engineers (Medium) β installation, usage, risk classification, suspicious combination detection, and LLM-ready output.
- Import Table Extraction: Uses LIEF to parse PE files and extract all imported DLLs and their functions.
- Delay-Load Imports: Optional parsing of delay-load import table (LIEF 0.12+); shown as
DLL_NAME (delay-load). - DLL Summaries: Built-in explanations for core Windows DLLs (e.g.
kernel32.dll,user32.dll,advapi32.dll,ntdll.dll,ws2_32.dll,wininet.dll, and more). - API Explanations: Case-insensitive lookup; per-DLL limit (default 20) or
--all-apisfor full lists. - All DLLs Included: Unknown DLLs are no longer skipped; they appear with βNo description availableβ and full API lists.
- Dangerous Function Flagging: Optional section for high-risk APIs, with categories (injection, persistence, network/C2, crypto/evasion, etc.). Expanded list for malware and hardening analysis.
- Multiple Output Formats: HTML (styled report), plain text, and JSON (for scripting and tooling).
- Non-Interactive Mode: Use
--no-promptwith--html/--txt/--json,--dangerous, and-o FILEfor automation. - Robustness: File existence and readability checks; clear errors for non-PE or corrupt files.
# From PyPI
pip install pe-import-analyzer
# Clone the repository
git clone https://github.com/anpa1200/PE-Import-Analyzer.git && cd PE-Import-Analyzer
# Create and activate virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate # Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txtRequires only LIEF (lief>=0.14.0) and Python 3.8+.
pip install -e ".[dev]" # lief + pytest
pytest tests/ -v # run tests (CLI tests need lief)python3 PE-Import-Analyzer.py <path_to_pe_file> [options]
# Or after PyPI install:
pe-import-analyzer <path_to_pe_file> [options]| Option | Description |
|---|---|
--html |
Output HTML report. |
--txt |
Output plain text report. |
--json |
Output JSON (for scripting). |
--dangerous |
Include dangerous/suspicious API section. |
--no-dangerous |
Exclude dangerous API section. |
-o FILE, --output FILE |
Output file path. |
--no-prompt |
Non-interactive: use defaults and CLI flags only. |
--all-apis |
Show all APIs per DLL (default: first 20). |
--no-delay-load |
Skip delay-load import table. |
-q, --quiet |
Minimal output (errors only). |
-v, --verbose |
Verbose logging. |
--version |
Show version and exit. |
Interactive (prompts for format and options):
python3 PE-Import-Analyzer.py sample.exeNon-interactive, HTML report with dangerous APIs:
python3 PE-Import-Analyzer.py sample.exe --html --dangerous --no-prompt -o report.htmlJSON for tooling:
python3 PE-Import-Analyzer.py sample.exe --json --no-prompt -o report.jsonFull API list, text and HTML:
python3 PE-Import-Analyzer.py sample.exe --txt --html --all-apis --no-prompt| Code | Meaning |
|---|---|
| 0 | Success |
| 2 | File not found |
| 3 | Permission denied |
| 4 | Invalid or corrupt PE |
| 5 | Output write error |
| Function | Description |
|---|---|
extract_and_sort_imports(file_path, include_delay_load=True) |
Parses PE and returns DLL β sorted list of imports; optional delay-load. |
get_api_explanation(dll_info, api_name) |
Case-insensitive API explanation lookup. |
generate_text_output(...) |
Plain text report. |
generate_html_output(...) |
HTML report. |
generate_json_output(...) |
JSON structure with summary and dangerous categories. |
dll_api_explanations |
Nested dict: DLL name β explanation + apis. |
DANGEROUS_API_LIST |
Dict of categories β list of dangerous API names (lowercase). |
See CHANGELOG.md for version history.
| Resource | Link |
|---|---|
| PE-Import-Analyzer (this repo) | GitHub Β· Medium: PE Import Analyzer Guide |
| Static-malware-Analysis-Orchestrator | GitHub β one-command pipeline (triage, strings, PE imports, unpack) Β· Medium: Full workflow |
| Unpacker | GitHub Β· Medium: Unpacker Guide |
| String-Analyzer | GitHub Β· Medium: String Analyzer Guide |
| Basic-File-Information-Gathering-Script | GitHub Β· Medium: File Metadata & Static Analysis |
| Author | Medium @1200km |
Distributed under the MIT License. See LICENSE for details.
This project is part of the 1200km security research ecosystem. Use AdversaryGraph for CTI-to-detection workflows, ATT&CK/ATLAS mapping, actor relevance, IOC enrichment, and analyst-ready reporting.