Malpimp - Advanced API Tracing Tool
Malpimp is an advanced API tracing tool designed to automate the reverse engineering process.
In the backend it uses pydbg to hook the APIs. It provides include and exclude policies to increase control over the application being traced.
Being a command-line tool makes it well suited to automated malware analysis as well as API tracing of normal applications.
Currently it works on Windows XP & 2003 platforms only.
- Allows advanced configuration through Include and Exclude policies to hook DLLs and APIs selectively
- Loop detection and dynamic hook removal
- Provides good control over the traced application
- Logs API calls together with their return address
- Command-line tool, which makes it well suited to scripting and automation
Malpimp uses a configuration file in which you can define policies for API tracing.
Currently it supports two types of policies, TraceExclude and TraceInclude.
In the TraceExclude policy you can add DLLs and APIs that you don't want to hook. Please note that DLL entries and API entries have different meanings: if you exclude a DLL then all APIs of that DLL are excluded, whereas if you exclude only an API then only that API is excluded and the rest of the APIs are still hooked.
In the TraceInclude policy you can add DLLs and APIs that you want to hook. If the entries of this policy contain any values then the values in TraceExclude are ignored; in other words, the TraceExclude policy only takes effect when the TraceInclude policy has empty entries.
Note: Some DLLs may be loaded at run time, for example networking DLLs. In those cases make sure that you hook LoadLibraryA; after that Malpimp will automatically identify the newly loaded DLL and check it against the policies for hooking.
For example, if your TraceInclude DLL entries list only ws2_32.dll, also hook kernel32!LoadLibraryA so that Malpimp can detect newly loaded DLLs.
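The following is an added example, not Malpimp's own code, that models the TraceInclude / TraceExclude semantics described above so you can check a policy before running a trace. The INI-style layout with "DLLs" and "APIs" entries per policy section is an assumption (Malpimp's real config file format is not shown here), as is the "module!Api" spelling for API entries; bare API names without a module are accepted as matching any module. The sample configurations and the ws2_32.dll export list are constructed for the example.

```python
# Added example (not Malpimp's own code): a resolver that models the
# TraceInclude / TraceExclude semantics. The INI layout with "DLLs" and
# "APIs" entries per policy is an assumption; Malpimp's real config file
# format is not shown on this page.
import configparser
from typing import Dict, List, Set

Policy = Dict[str, Dict[str, Set[str]]]

# Constructed sample configuration (assumed layout). Because TraceInclude
# has entries, TraceExclude is ignored entirely.
INCLUDE_CONFIG = """
[TraceInclude]
DLLs = ws2_32.dll
APIs = kernel32!LoadLibraryA

[TraceExclude]
DLLs = ntdll.dll
APIs = kernel32!GetTickCount
"""

# Same exclusions, but TraceInclude left empty so TraceExclude takes effect.
EXCLUDE_ONLY_CONFIG = """
[TraceInclude]
DLLs =
APIs =

[TraceExclude]
DLLs = ntdll.dll
APIs = kernel32!GetTickCount
"""


def _module_base(dll: str) -> str:
    """Normalise 'KERNEL32.DLL' / 'kernel32' to 'kernel32'."""
    name = dll.strip().lower()
    return name[:-4] if name.endswith(".dll") else name


def _qualify(entry: str) -> str:
    """'Kernel32.dll!LoadLibraryA' -> 'kernel32!loadlibrarya'; bare names stay bare."""
    entry = entry.strip().lower()
    if "!" in entry:
        mod, fn = entry.split("!", 1)
        return f"{_module_base(mod)}!{fn}"
    return entry


def _split_entry(value: str) -> List[str]:
    """Comma-separated entry -> list of items, skipping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_policy(text: str) -> Policy:
    """Parse both policy sections; a missing entry counts as empty."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    policy: Policy = {}
    for section in ("TraceInclude", "TraceExclude"):
        policy[section] = {
            "dlls": {_module_base(d) for d in _split_entry(cp.get(section, "DLLs", fallback=""))},
            "apis": {_qualify(a) for a in _split_entry(cp.get(section, "APIs", fallback=""))},
        }
    return policy


def _matches(base: str, api: str, apis: Set[str]) -> bool:
    api = api.lower()
    return f"{base}!{api}" in apis or api in apis


def should_hook(dll: str, api: str, policy: Policy) -> bool:
    """Decide whether dll!api gets a hook under the loaded policy."""
    base = _module_base(dll)
    include = policy["TraceInclude"]
    if include["dlls"] or include["apis"]:
        # Include policy is authoritative whenever it has any entries;
        # a DLL entry covers every API exported by that DLL.
        return base in include["dlls"] or _matches(base, api, include["apis"])
    exclude = policy["TraceExclude"]
    if base in exclude["dlls"]:
        return False  # whole DLL excluded -> all of its APIs are skipped
    return not _matches(base, api, exclude["apis"])  # single API excluded -> only it


def apis_to_hook_on_load(dll: str, exports: List[str], policy: Policy) -> List[str]:
    """What a LoadLibraryA hook would do for a newly loaded DLL: run each
    export past the policies and return the ones that need a fresh hook."""
    return [api for api in exports if should_hook(dll, api, policy)]


if __name__ == "__main__":
    pol = load_policy(INCLUDE_CONFIG)
    # Constructed export list standing in for the module's real export table.
    print(apis_to_hook_on_load("WS2_32.dll", ["send", "recv", "WSAStartup"], pol))
```

Run it directly to see which ws2_32.dll exports would be hooked after a simulated LoadLibraryA event; swap INCLUDE_CONFIG for EXCLUDE_ONLY_CONFIG to watch the exclude rules take over once the include entries are empty.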
Malpimp is very simple and easy to use. Since it is a command-line/console-based tool, you have to launch it from the command prompt (cmd.exe).
Here is the basic usage information:
Malpimp.exe <sample_exe> <address>
<sample_exe>: Full path of application EXE file
<address>: Start address for the API tracing. If you want to
trace directly from entry point then use zero.
Examples:
Malpimp.exe c:\windows\test.exe 0
Here is a screenshot of Malpimp showing the API trace of an application.
Support for attaching to a running process and tracing its API calls. Ability to pass arguments to the binary and to log the calls for a certain range of addresses.
First public release of Malpimp
Malpimp tool is released "as is" without any warranty of any kind,
neither SecurityXploded nor the author is responsible for any damage due
to use or misuse of this tool.
Read the complete License & Disclaimer terms here.