• Stars
    star
    342
  • Rank 123,697 (Top 3 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created almost 2 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

IATelligence is a Python script that will extract the IAT of a PE file and request GPT to get more information about the API and the ATT&CK matrix related

IATelligence

IATelligence is a Python script that extracts the Import Address Table (IAT) from a PE file and uses OpenAI's GPT-3 model to provide details about each Windows API imported by the file. The script also searches for related MITRE ATT&CK techniques and explains how the API could potentially be used by attackers.

It also displays the hashes of the file and estimates the cost of the GPT-3 requests. IATelligence is a proof of concept for using GPT-3 for malware analysis and quickly assessing the behavior of a malware based on its IAT.

Below is a quick example of the result you'll get. Notice that the request can take longer depending of the size of the IAT.

iatellifence

Getting Started

Prerequisites

To run this tool you will need an access to the OpenAi API, you will then need to modify the script to add your own API.

# Authenticate with the OpenAI API
openai.api_key = ""

You will also need to install the requirements.

pip install -r requirements.txt

Usage

To run the tool just simply specify a PE file as argument to the script.

python iatelligence.py sample.exe

The script will also calculate the hashes as well as the estimated cost of the request.

[+] IAT Request from the file: .\sample.exe
[+] 33 functions will be requested to GPT!
[+] MD5: 2f82623f9523c0d167862cad0eff6806
[+] SHA1: 5d77804b87735e66d7d1e263c31c4ef010f16153
[+] SHA256: 9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb
[+] Imphash: 8eeaa9499666119d13b3f44ecd77a729
[!] Estimated cost of requests: $0.0693

The result can be visualize in a table. Below is a truncated extract.

+------------------------------------------+-----------------------------+------------------------------------------+
| Libraries                                | API                         | GPT Verdict                              |
+------------------------------------------+-----------------------------+------------------------------------------+
| SHELL32.dll                              | ShellExecuteW               | The purpose of this API, ShellExecuteW,  |
|                                          |                             | is to launch an application or open a    |
|                                          |                             | file in the Windows operating system. It |
|                                          |                             | is associated with MITRE ATT&CK          |
|                                          |                             | technique T1218 - Execution Through      |
|                                          |                             | Module Load. This technique involves     |
|                                          |                             | using shell32.dll to execute malicious   |
|                                          |                             | code without directly invoking the       |
|                                          |                             | executable file itself, which can help   |
|                                          |                             | attackers evade detection and gain       |
|                                          |                             | access to systems.                       |
|                                          |                             |                                          |
| KERNEL32.dll                             | GetCurrentThreadId          | The purpose of this API is to retrieve   |
|                                          |                             | the identifier of the calling thread. It |
|                                          |                             | is associated with MITRE ATT&CK          |
|                                          |                             | technique T1155 - Thread Execution,      |
|                                          |                             | which involves creating and running      |
|                                          |                             | threads within a process or code         |
|                                          |                             | injection into an existing thread. The   |
|                                          |                             | GetCurrentThreadId() function allows     |
|                                          |                             | attackers to identify and target         |
|                                          |                             | specific threads for malicious           |
|                                          |                             | activities.                              |
|                                          |                             |                                          |
| KERNEL32.dll                             | GetSystemTimeAsFileTime     | The purpose of this API is to retrieve   |
|                                          |                             | the current system time as a file time   |
|                                          |                             | format. It is associated with the MITRE  |
|                                          |                             | ATT&CK technique T1124 - System Time     |
|                                          |                             | Discovery, which is used by adversaries  |
|                                          |                             | to gain insight into when certain        |
|                                          |                             | activities occurred or are scheduled to  |
|                                          |                             | occur. This allows them to perform       |
|                                          |                             | timing-based attacks and evade           |
|                                          |                             | detection.                               |
|                                          |                             |                                          |
| KERNEL32.dll                             | GetTickCount                | The purpose of this API is to retrieve   |
|                                          |                             | the number of milliseconds since Windows |
|                                          |                             | was started. It is associated with MITRE |
|                                          |                             | ATT&CK technique T1082 - System Time     |
|                                          |                             | Discovery, which involves an adversary   |
|                                          |                             | querying system information to gain      |
|                                          |                             | insight into file and system times or to |
|                                          |                             | determine valid accounts. This can be    |
|                                          |                             | used for various malicious activities    |
|                                          |                             | such as enumeration, credential dumping, |
|                                          |                             | and lateral movement.                    |
|                                          |                             |                                          |
| KERNEL32.dll                             | RtlCaptureContext           | The purpose of this API is to capture    |
|                                          |                             | the Context Record of a thread in order  |
|                                          |                             | to provide information about its state.  |
|                                          |                             | This can be used for debugging, logging  |
|                                          |                             | or other purposes. The associated MITRE  |
|                                          |                             | ATT&CK technique is T1113 - Process      |
|                                          |                             | Injection, as this API can be used to    |
|                                          |                             | inject code into a running process.      |
|                                          |                             |                                          |
| KERNEL32.dll                             | GetCurrentProcessId         | The purpose of this API is to retrieve   |
|                                          |                             | the current process identifier (PID) for |
|                                          |                             | a process running on Windows. This can   |
|                                          |                             | be used to identify which processes are  |
|                                          |                             | currently active and running on a        |
|                                          |                             | system. It is associated with MITRE      |
|                                          |                             | ATT&CK technique T1057 - Process         |
|                                          |                             | Discovery, as it allows an adversary to  |
|                                          |                             | gain knowledge about the processes that  |
|                                          |                             | are running on a system.                 |
|                                          |                             |                                          |
| KERNEL32.dll                             | RtlVirtualUnwind            | The purpose of this API is to provide an |
|                                          |                             | unwinding mechanism that can be used to  |
|                                          |                             | traverse the stack frames of a program.  |
|                                          |                             | It is associated with the MITRE ATT&CK   |
|                                          |                             | technique called "Stack Walking"         |
|                                          |                             | (T1063). This technique involves using   |
|                                          |                             | APIs like RtlVirtualUnwind() to walk     |
|                                          |                             | through the stack frames, which can help |
|                                          |                             | attackers gain access to sensitive       |
|                                          |                             | information or bypass security controls. |
|                                          |                             |                                          |
| KERNEL32.dll                             | UnhandledExceptionFilter    | The purpose of this API is to provide an |
|                                          |                             | exception handler for unhandled          |
|                                          |                             | exceptions in the Windows operating      |
|                                          |                             | system. It is associated with the MITRE  |
|                                          |                             | ATT&CK technique T1136 - Create or       |
|                                          |                             | Modify System Process, as it allows a    |
|                                          |                             | program to be able to handle unexpected  |
|                                          |                             | events that may occur during its         |
|                                          |                             | execution.                               |

Limitations

The cost of using OpenAI's GPT-3 to analyze the imported Windows APIs in a PE file can vary depending on the size of the IAT. While the cost of individual requests is not expensive, the total cost can quickly add up for larger files. The estimated cost provided by the script is an approximation and may vary.

Due to the design of the script, the analysis is performed one API at a time, which can make the process slow. A progress bar is displayed to show the progress of the analysis.

It is important to note that GPT-3 is a language model, so the results may not always be accurate. Additionally, the script provides details about related MITRE ATT&CK techniques without any context, so the information should be carefully considered by a malware analyst.

Build with

Contact

Twitter: @fr0gger_

More Repositories

1

Awesome-GPT-Agents

A curated list of GPT agents for cybersecurity
4,833
star
2

awesome-ida-x64-olly-plugin

A curated list of IDA x64DBG, Ghidra and OllyDBG plugins.
1,123
star
3

Awesome_Malware_Techniques

This is a repository of resource about Malware techniques
622
star
4

vthunting

Vthunting is a tiny script used to generate report about Virus Total hunting and send it by email, slack or telegram.
Python
156
star
5

jupyter-collection

Collection of Jupyter Notebooks by @fr0gger_
HTML
127
star
6

Unprotect_Submission

Repository to publish your evasion techniques and contribute to the project
C++
121
star
7

unprotect

Unprotect is a python tool for parsing PE malware and extract evasion techniques.
Python
107
star
8

RocProtect-V1

Emulating Virtual Environment to stay protected against advanced malware
C++
98
star
9

MalwareMuncher

Malware Muncher is a proof-of-concept Python script that utilizes the Frida framework for binary instrumentation and API hooking, enabling users to conduct malware analysis.
JavaScript
40
star
10

SuperPeHasher

SuperPeHasher is a wrapper for several hash algorithms dedicated to PE file.
Python
27
star
11

Yara-Unprotect

This repository regroups the Yara Rules for the Unprotect Project
YARA
25
star
12

JupyterUniverse

Jupyter Univere is a search engine for all infosec jupyter notebooks
18
star
13

hash.py

hash.py is a python script that calculates a fingerprint (MD5, SHA256, SHA512). The script also allows you to compare two fingerprints to check if it is consistent. It can be used in digital forensics.
Python
10
star
14

Check-Domain-Availability

Tiny script to verify if a domain or a list of domain is available.
Python
9
star
15

shellcode2exe_package

x64 Windows package of the shellcode2exe tool
7
star
16

strings_similarity

This is a short Jupyter Notebook to demonstrate Strings extraction to generate a graph.
Jupyter Notebook
6
star
17

fr0gger

5
star
18

Scripts_and_Snippets

Scripts and Snippets
Python
5
star
19

scapside.py

A scapside.py is a pretty little tool to perform basic network attacks using Scapy
Python
5
star
20

Timer

Gym Timer
C++
2
star
21

Jupyter-Universe

A repository to centralise Jupyter Notebook about Cybersecurity
1
star