funcspy Windows可执行文件静态分析工具分析

系统整体概述
funcspy是一个专业的Windows可执行文件静态分析工具,专门用于检测PE文件导入表中可能被恶意软件利用的API函数调用。系统通过pefile解析PE文件的导入目录,将按名称导入的函数与预定义的可疑API列表做精确字符串比对,帮助安全分析人员快速初筛可疑的二进制文件。需要注意的是,导入表匹配只是一种静态初筛手段:它无法发现通过LoadLibrary/GetProcAddress在运行时动态解析(或API哈希)的函数,对加壳、导入表被剥离或仅按序号导入的样本基本无效;同时列表中的不少API(如CreateFileA、Sleep、GetProcAddress)也被大量正常软件使用,单个命中本身并不构成恶意判定,应结合动态分析或其他证据综合判断。

详细功能分析

  1. 核心功能模块
    PE文件解析引擎

使用pefile库解析PE文件头及导入目录(代码只读取DIRECTORY_ENTRY_IMPORT)

提取导入目录中所有DLL及按名称导入的函数列表(仅按序号导入的函数没有名称,会被跳过,因而也无法参与后续的字符串比对)

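def analyze_exe(exe_path):
    """Collect the named imports of a PE file, grouped by DLL.

    Reads the regular import directory and, when the file has one, the
    delay-load import directory as well, so that APIs a binary defers
    loading (an easy way to hide them from tools that look only at
    DIRECTORY_ENTRY_IMPORT) still reach the MALAPIFUNCS comparison.

    Args:
        exe_path: Path of the PE file to inspect.

    Returns:
        dict mapping each imported DLL name (as spelled in the file, case
        preserved) to the list of functions imported from it by name, in
        table order. Imports by ordinal carry no name and are not listed, so a
        packed or stripped binary can legitimately return {} or a very short
        list; treat that as "unknown", not as "clean". On a parse failure the
        error is printed and {} (or whatever was collected so far) is
        returned, keeping the original best-effort contract.
    """
    imports = {}
    pe = None
    try:
        pe = pefile.PE(exe_path)
        # A PE with no import table is common for packers and is not an error;
        # getattr avoids the AttributeError the direct attribute access raised.
        descriptors = list(getattr(pe, "DIRECTORY_ENTRY_IMPORT", []))
        descriptors += list(getattr(pe, "DIRECTORY_ENTRY_DELAY_IMPORT", []))
        for entry in descriptors:
            # errors="replace": a deliberately malformed (non-UTF-8) name must not
            # abort the scan and make a hostile file look import-free.
            dll_name = entry.dll.decode(errors="replace")
            funcs = [
                imp.name.decode(errors="replace")
                for imp in entry.imports
                if imp.name is not None  # ordinal-only imports have no name
            ]
            # A DLL may appear in several descriptors (or in both tables); the
            # original plain assignment kept only the last one and dropped the rest.
            imports.setdefault(dll_name, []).extend(funcs)
    except Exception as e:
        print(f"Error analyzing {exe_path}: {e}")
    finally:
        if pe is not None:
            pe.close()  # release the memory map pefile keeps open on the file
    return imports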

恶意API特征库

包含600+个高风险Windows API(其中也混有ReadFile、WriteFile、Sleep、GetProcAddress、GetCurrentProcess等几乎所有正常程序都会导入的函数,单个命中的信号很弱,分析时应更关注高危组合,例如VirtualAllocEx + WriteProcessMemory + CreateRemoteThread)

按功能分段排列:信息收集、进程注入、内存操作、反调试、键盘记录、网络、加密、注册表/服务等;但数据结构本身是一个扁平的Python列表,不携带分类标签

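# Names an import must match exactly (case-sensitive) to be reported. The list is
# grouped roughly by technique (discovery, injection/memory, evasion/delay,
# keylogging, network, crypto, file/registry/service ...) but is a flat list and
# carries no category metadata. Winsock (socket/connect/...) and winmm
# (timeGetTime) exports are lowercase in the export table and are spelled that
# way here; the capitalised forms could never match an import-table entry.
MALAPIFUNCS = ['CreateToolhelp32Snapshot', 'EnumDeviceDrivers', 'EnumProcesses', 'EnumProcessModules', 'EnumProcessModulesEx', 'FindFirstFileA', 'FindNextFileA', 'GetLogicalProcessorInformation', 'GetLogicalProcessorInformationEx', 'GetModuleBaseNameA', 'GetSystemDefaultLangId', 'GetVersionExA', 'GetWindowsDirectoryA', 'IsWow64Process', 'Module32First', 'Module32Next', 'Process32First', 'Process32Next', 'ReadProcessMemory', 'Thread32First', 'Thread32Next', 'GetSystemDirectoryA', 'GetSystemTime', 'ReadFile', 'GetComputerNameA', 'VirtualQueryEx', 'GetProcessIdOfThread', 'GetProcessId', 'GetCurrentThread', 'GetCurrentThreadId', 'GetThreadId', 'GetThreadInformation', 'GetCurrentProcess', 'GetCurrentProcessId', 'SearchPathA', 'GetFileTime', 'GetFileAttributesA', 'LookupPrivilegeValueA', 'LookupAccountNameA', 'GetCurrentHwProfileA', 'GetUserNameA', 'RegEnumKeyExA', 'RegEnumValueA', 'RegQueryInfoKeyA', 'RegQueryMultipleValuesA', 'RegQueryValueExA', 'NtQueryDirectoryFile', 'NtQueryInformationProcess', 'NtQuerySystemEnvironmentValueEx', 'EnumDesktopWindows', 'EnumWindows', 'NetShareEnum', 'NetShareGetInfo', 'NetShareCheck', 'GetAdaptersInfo', 'PathFileExistsA', 'GetNativeSystemInfo', 'RtlGetVersion', 'GetIpNetTable', 'GetLogicalDrives', 'GetDriveTypeA', 'RegEnumKeyA', 'WNetEnumResourceA', 'WNetCloseEnum', 'FindFirstUrlCacheEntryA', 'FindNextUrlCacheEntryA', 'WNetAddConnection2A', 'WNetAddConnectionA', 'EnumResourceTypesA', 'EnumResourceTypesExA', 'GetSystemTimeAsFileTime', 'GetThreadLocale', 'EnumSystemLocalesA', 'CreateFileMappingA', 'CreateProcessA', 'CreateRemoteThread', 'CreateRemoteThreadEx', 'GetModuleHandleA', 'GetProcAddress', 'GetThreadContext', 'HeapCreate', 'LoadLibraryA', 'LoadLibraryExA', 'LocalAlloc', 'MapViewOfFile', 'MapViewOfFile2', 'MapViewOfFile3', 'MapViewOfFileEx', 'OpenThread', 'Process32First', 'Process32Next', 'QueueUserAPC', 'ReadProcessMemory', 'ResumeThread', 'SetProcessDEPPolicy', 'SetThreadContext', 'SuspendThread', 'Thread32First', 
'Thread32Next', 'Toolhelp32ReadProcessMemory', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtectEx', 'WriteProcessMemory', 'VirtualAllocExNuma', 'VirtualAlloc2', 'VirtualAlloc2FromApp', 'VirtualAllocFromApp', 'VirtualProtectFromApp', 'CreateThread', 'WaitForSingleObject', 'OpenProcess', 'OpenFileMappingA', 'GetProcessHeap', 'GetProcessHeaps', 'HeapAlloc', 'HeapReAlloc', 'GlobalAlloc', 'AdjustTokenPrivileges', 'CreateProcessAsUserA', 'OpenProcessToken', 'CreateProcessWithTokenW', 'NtAdjustPrivilegesToken', 'NtAllocateVirtualMemory', 'NtContinue', 'NtCreateProcess', 'NtCreateProcessEx', 'NtCreateSection', 'NtCreateThread', 'NtCreateThreadEx', 'NtCreateUserProcess', 'NtDuplicateObject', 'NtMapViewOfSection', 'NtOpenProcess', 'NtOpenThread', 'NtProtectVirtualMemory', 'NtQueueApcThread', 'NtQueueApcThreadEx', 'NtQueueApcThreadEx2', 'NtReadVirtualMemory', 'NtResumeThread', 'NtUnmapViewOfSection', 'NtWaitForMultipleObjects', 'NtWaitForSingleObject', 'NtWriteVirtualMemory', 'RtlCreateHeap', 'LdrLoadDll', 'RtlMoveMemory', 'RtlCopyMemory', 'SetPropA', 'WaitForSingleObjectEx', 'WaitForMultipleObjects', 'WaitForMultipleObjectsEx', 'KeInsertQueueApc', 'Wow64SetThreadContext', 'NtSuspendProcess', 'NtResumeProcess', 'DuplicateToken', 'NtReadVirtualMemoryEx', 'CreateProcessInternalA', 'EnumSystemLocalesA', 'UuidFromStringA', 'CreateFileMappingA', 'DeleteFileA', 'GetModuleHandleA', 'GetProcAddress', 'LoadLibraryA', 'LoadLibraryExA', 'LoadResource', 'SetEnvironmentVariableA', 'SetFileTime', 'Sleep', 'WaitForSingleObject', 'SetFileAttributesA', 'SleepEx', 'NtDelayExecution', 'NtWaitForMultipleObjects', 'NtWaitForSingleObject', 'CreateWindowExA', 'RegisterHotKey', 'timeSetEvent', 'IcmpSendEcho', 'WaitForSingleObjectEx', 'WaitForMultipleObjects', 'WaitForMultipleObjectsEx', 'SetWaitableTimer', 'CreateTimerQueueTimer', 'CreateWaitableTimer', 'SetWaitableTimer', 'SetTimer', 'select', 'ImpersonateLoggedOnUser', 'SetThreadToken', 'DuplicateToken', 'SizeOfResource', 
'LockResource', 'CreateProcessInternalA', 'timeGetTime', 'EnumSystemLocalesA', 'UuidFromStringA', 'AttachThreadInput', 'CallNextHookEx', 'GetAsyncKeyState', 'GetClipboardData', 'GetDC', 'GetDCEx', 'GetForegroundWindow', 'GetKeyboardState', 'GetKeyState', 'GetMessageA', 'GetRawInputData', 'GetWindowDC', 'MapVirtualKeyA', 'MapVirtualKeyExA', 'PeekMessageA', 'PostMessageA', 'PostThreadMessageA', 'RegisterHotKey', 'RegisterRawInputDevices', 'SendMessageA', 'SendMessageCallbackA', 'SendMessageTimeoutA', 'SendNotifyMessageA', 'SetWindowsHookExA', 'SetWinEventHook', 'UnhookWindowsHookEx', 'BitBlt', 'StretchBlt', 'GetKeyNameTextA', 'WinExec', 'FtpPutFileA', 'HttpOpenRequestA', 'HttpSendRequestA', 'HttpSendRequestExA', 'InternetCloseHandle', 'InternetOpenA', 'InternetOpenUrlA', 'InternetReadFile', 'InternetReadFileExA', 'InternetWriteFile', 'URLDownloadToFileA', 'URLDownloadToCacheFileA', 'URLOpenBlockingStream', 'URLOpenStream', 'accept', 'bind', 'connect', 'gethostbyname', 'inet_addr', 'recv', 'send', 'WSAStartup', 'gethostname', 'socket', 'WSACleanup', 'listen', 'ShellExecuteA', 'ShellExecuteExA', 'DnsQuery_A', 'DnsQueryEx', 'WNetOpenEnumA', 'FindFirstUrlCacheEntryA', 'FindNextUrlCacheEntryA', 'InternetConnectA', 'InternetSetOptionA', 'WSASocketA', 'closesocket', 'WSAIoctl', 'ioctlsocket', 'HttpAddRequestHeadersA', 'CreateToolhelp32Snapshot', 'GetLogicalProcessorInformation', 'GetLogicalProcessorInformationEx', 'GetTickCount', 'OutputDebugStringA', 'CheckRemoteDebuggerPresent', 'Sleep', 'GetSystemTime', 'GetComputerNameA', 'SleepEx', 'IsDebuggerPresent', 'GetUserNameA', 'NtQueryInformationProcess', 'ExitWindowsEx', 'FindWindowA', 'FindWindowExA', 'GetForegroundWindow', 'GetTickCount64', 'QueryPerformanceFrequency', 'QueryPerformanceCounter', 'GetNativeSystemInfo', 'RtlGetVersion', 'GetSystemTimeAsFileTime', 'CountClipboardFormats', 'CryptAcquireContextA', 'EncryptFileA', 'CryptEncrypt', 'CryptDecrypt', 'CryptCreateHash', 'CryptHashData', 'CryptDeriveKey', 'CryptSetKeyParam', 
'CryptGetHashParam', 'CryptSetKeyParam', 'CryptDestroyKey', 'CryptGenRandom', 'DecryptFileA', 'FlushEfsCache', 'GetLogicalDrives', 'GetDriveTypeA', 'CryptStringToBinaryA', 'CryptBinaryToStringA', 'CryptReleaseContext', 'CryptDestroyHash', 'EnumSystemLocalesA', 'ConnectNamedPipe', 'CopyFileA', 'CreateFileA', 'CreateMutexA', 'CreateMutexExA', 'DeviceIoControl', 'FindResourceA', 'FindResourceExA', 'GetModuleBaseNameA', 'GetModuleFileNameA', 'GetModuleFileNameExA', 'GetTempPathA', 'IsWow64Process', 'MoveFileA', 'MoveFileExA', 'PeekNamedPipe', 'WriteFile', 'TerminateThread', 'CopyFile2', 'CopyFileExA', 'CreateFile2', 'GetTempFileNameA', 'TerminateProcess', 'SetCurrentDirectoryA', 'FindClose', 'SetThreadPriority', 'UnmapViewOfFile', 'ControlService', 'ControlServiceExA', 'CreateServiceA', 'DeleteService', 'OpenSCManagerA', 'OpenServiceA', 'RegOpenKeyA', 'RegOpenKeyExA', 'StartServiceA', 'StartServiceCtrlDispatcherA', 'RegCreateKeyExA', 'RegCreateKeyA', 'RegSetValueExA', 'RegSetKeyValueA', 'RegDeleteValueA', 'RegOpenKeyExA', 'RegEnumKeyExA', 'RegEnumValueA', 'RegGetValueA', 'RegFlushKey', 'RegGetKeySecurity', 'RegLoadKeyA', 'RegLoadMUIStringA', 'RegOpenCurrentUser', 'RegOpenKeyTransactedA', 'RegOpenUserClassesRoot', 'RegOverridePredefKey', 'RegReplaceKeyA', 'RegRestoreKeyA', 'RegSaveKeyA', 'RegSaveKeyExA', 'RegSetKeySecurity', 'RegUnLoadKeyA', 'RegConnectRegistryA', 'RegCopyTreeA', 'RegCreateKeyTransactedA', 'RegDeleteKeyA', 'RegDeleteKeyExA', 'RegDeleteKeyTransactedA', 'RegDeleteKeyValueA', 'RegDeleteTreeA', 'RegDeleteValueA', 'RegCloseKey', 'NtClose', 'NtCreateFile', 'NtDeleteKey', 'NtDeleteValueKey', 'NtMakeTemporaryObject', 'NtSetContextThread', 'NtSetInformationProcess', 'NtSetInformationThread', 'NtSetSystemEnvironmentValueEx', 'NtSetValueKey', 'NtShutdownSystem', 'NtTerminateProcess', 'NtTerminateThread', 'RtlSetProcessIsCritical', 'DrawTextExA', 'GetDesktopWindow', 'SetClipboardData', 'SetWindowLongA', 'SetWindowLongPtrA', 'OpenClipboard', 'SetForegroundWindow', 
'BringWindowToTop', 'SetFocus', 'ShowWindow', 'NetShareSetInfo', 'NetShareAdd', 'NtQueryTimer', 'GetIpNetTable', 'GetLogicalDrives', 'GetDriveTypeA', 'CreatePipe', 'RegEnumKeyA', 'WNetOpenEnumA', 'WNetEnumResourceA', 'WNetAddConnection2A', 'CallWindowProcA', 'NtResumeProcess', 'lstrcatA', 'ImpersonateLoggedOnUser', 'SetThreadToken', 'SizeOfResource', 'LockResource', 'UuidFromStringA']

# Every ANSI ("A") entry gets its wide-char ("W") twin: ordinary and malicious
# binaries alike import CreateProcessW / LoadLibraryW / RegSetValueExW, which an
# ANSI-only list silently misses. Twins that are not real exports are harmless
# (they simply never match). dict.fromkeys() also removes the duplicates the
# hand-written list accumulated, keeping first-seen order.
MALAPIFUNCS = list(dict.fromkeys(
    MALAPIFUNCS + [name[:-1] + "W" for name in MALAPIFUNCS if name.endswith("A")]
))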

可视化报告系统

彩色终端输出区分不同风险等级
清晰展示DLL与可疑API的关联关系
2. 关键技术指标

技术维度 实现方案
文件解析 pefile库
特征检测 精确字符串匹配(区分大小写,特征库中的函数名必须与导出名完全一致,例如Winsock函数在导出表中是小写的socket/connect;同时只列出A后缀的ANSI版本时,导入CreateProcessW、LoadLibraryW等宽字符版本的样本不会被命中)
结果展示 Colorama彩色输出
性能优化 单次扫描完成分析
  1. 典型应用场景
    恶意软件分析实验室
    快速筛查可疑样本
    辅助编写检测规则
    企业安全运维
    审计内部软件安全
    应急响应调查
    安全产品集成
    作为静态分析引擎组件
    结合动态分析形成完整方案

github链接地址:https://github.com/n0mi1k/funcspy.git
