import os
import json
import sys
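def extract_dll_loaded(report_path):
    """Read one sandbox ``report.json`` and return the DLLs its sample loaded.

    Args:
        report_path: Path to a JSON report whose layout contains
            ``target.file.name`` and ``behavior.summary.dll_loaded``
            (presumably a Cuckoo-style report — confirm against the
            sandbox that produced it).

    Returns:
        A ``(total_dll_loaded, dll_loaded, target_filename)`` tuple.
        ``dll_loaded`` is the list from ``behavior.summary.dll_loaded``
        (``[]`` when absent) and ``total_dll_loaded`` is its length.
        ``target_filename`` is ``None`` when the report could not be read
        or has no ``target.file.name`` — previously the function raised
        ``UnboundLocalError`` on that path instead of returning.

    Any failure while opening or parsing the report is reported on stdout
    and yields ``(0, [], None)``; the caller treats it as "nothing found".
    Note that every string returned here originates from the analysed
    sample's run and is not trusted.
    """
    total_dll_loaded = 0
    dll_loaded = []
    # Initialised up front so the return below never references an unbound
    # name when the try body fails before the assignment.
    target_filename = None
    try:
        # JSON is UTF-8 by specification; pin the encoding so results do not
        # depend on the host locale.
        with open(report_path, 'r', encoding='utf-8') as report_file:
            report_data = json.load(report_file)
        # A report without a target name is malformed; KeyError is caught below.
        target_filename = report_data["target"]["file"]["name"]
        behavior = report_data.get('behavior', {})
        summary = behavior.get('summary', {})
        dll_loaded = summary.get('dll_loaded', [])
        total_dll_loaded = len(dll_loaded)
    except Exception as e:
        # Deliberately broad: one unreadable report must not abort the
        # directory walk in traverse_directory.
        print(f"Error processing {report_path}: {e}")
    return total_dll_loaded, dll_loaded, target_filename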
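def extract_api_stats(report_path):
    """Read one sandbox ``report.json`` and return the API names it recorded.

    Args:
        report_path: Path to a JSON report whose layout contains
            ``target.file.name`` and ``behavior.apistats`` — a mapping of
            process id to ``{api_name: call_count}`` (presumably a
            Cuckoo-style report — confirm against the sandbox).

    Returns:
        A ``(total_api, api, target_filename)`` tuple. ``api`` lists the
        API names of every process in report order; a name used by two
        processes appears twice, and the per-API call counts are not
        summed. ``total_api`` is ``len(api)``. ``target_filename`` is
        ``None`` when the report could not be read or has no
        ``target.file.name`` — previously the function raised
        ``UnboundLocalError`` on that path instead of returning.

    Any failure while opening or parsing the report is reported on stdout
    and yields ``(0, [], None)``. The returned strings originate from the
    analysed sample's run and are not trusted.
    """
    total_api = 0
    api = []
    # Initialised up front so the return below never references an unbound
    # name when the try body fails before the assignment.
    target_filename = None
    try:
        with open(report_path, 'r', encoding='utf-8') as report_file:
            report_data = json.load(report_file)
        target_filename = report_data["target"]["file"]["name"]
        apistats = report_data.get('behavior', {}).get('apistats', {})
        # Only the API names are kept; the counts in each per-process mapping
        # are intentionally ignored, matching the original output.
        for api_stat in apistats.values():
            api.extend(api_stat.keys())
        total_api = len(api)
    except Exception as e:
        # Deliberately broad: one unreadable report must not abort the
        # directory walk in traverse_directory.
        print(f"Error processing {report_path}: {e}")
    return total_api, api, target_filename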
def traverse_directory(directory_path):
    """Walk ``directory_path`` and print DLL and API findings of every ``report.json``.

    Each matching report is parsed twice (once per extractor); the DLL list
    and the API list are printed when non-empty, and their lengths are
    summed into the grand totals printed at the end. Reports that yield
    nothing are silently skipped.

    The printed target name, DLL names and API names are taken verbatim
    from the sandbox report, i.e. they are controlled by the analysed
    sample and are written to the terminal unescaped.

    Args:
        directory_path: Root directory to search recursively.
    """
    total_dll_loaded_overall = 0
    total_api_overall = 0
    for root, _dirs, files in os.walk(directory_path):
        for entry in files:
            if entry != 'report.json':
                continue
            report_path = os.path.join(root, entry)
            # Both extractors return the target name; the second value wins,
            # which is also what the original assignment order produced.
            dll_count, dll_names, _ = extract_dll_loaded(report_path)
            api_count, api_names, target_filename = extract_api_stats(report_path)
            if dll_names:
                total_dll_loaded_overall += dll_count
                print(f"\nDll loaded by {target_filename} at {report_path} count {dll_count}:")
                print("\n".join(dll_names))
            if api_names:
                total_api_overall += api_count
                print(f"\nAPI calls by {target_filename} at {report_path} count {api_count} :")
                print("\n".join(api_names))
    print(f"\nTotal number of Dll loaded: {total_dll_loaded_overall}")
    print(f"\nTotal number of API calls: {total_api_overall}")
if __name__ == "__main__":
    # Exactly one positional argument is accepted: the directory to scan.
    if len(sys.argv) != 2:
        print("Usage: python script.py <directory_path>")
        sys.exit(1)
    directory_path = sys.argv[1]
    traverse_directory(directory_path)