Malpimp : Advanced API Tracing Tool
Author: Amit Malik 
About Malpimp

Malpimp is an advanced API tracing tool designed to automate the reverse engineering process.

In the backend it uses pydbg to hook the APIs. It provides include and exclude policies that give you fine-grained control over which DLLs and APIs are traced while the application is executing.

Being a command-line tool, it is well suited both to automated malware analysis and to API tracing of ordinary applications.

Currently it works on Windows XP and 2003 platforms only.

 
 
 
Features
  • Allows advanced configuration through Include and Exclude policies to hook DLLs and APIs selectively
  • Loop detection and dynamic hook removal (a hook that keeps firing in a tight loop can be removed at run time)
  • Provides good control over the traced application
  • Logs every API call together with its return address, so each call can be traced back to the call site in the sample
  • Command-line operation makes it suitable for scripting and automation
 
 
Malpimp Policy Configuration

Malpimp uses a configuration file in which you define policies for API tracing.

Currently it supports two types of policy:

 
TraceExclude
In the TraceExclude policy you list the DLLs and APIs that you do not want to hook. Note that DLL entries and API entries have different scope: excluding a DLL excludes every API exported by that DLL, whereas excluding a single API excludes only that API and the remaining APIs of its DLL are still hooked.
 
TraceInclude
In the TraceInclude policy you list the DLLs and APIs that you do want to hook. If this policy has any entries, the TraceExclude policy is ignored entirely; in other words, TraceExclude only takes effect when the TraceInclude entries are empty.
 

Note: Some DLLs are loaded only at run time, for example networking DLLs. To trace those, make sure that kernel32!LoadLibraryA is hooked; Malpimp will then automatically identify each newly loaded DLL and check it against the policies to decide whether to hook it.

For example, if your TraceInclude policy lists only ws2_32.dll, also add kernel32!LoadLibraryA to it. Otherwise the LoadLibraryA hook is never installed (TraceInclude overrides everything else), Malpimp never learns that ws2_32.dll was loaded, and the socket APIs you wanted are never traced.
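The rules above (TraceInclude overriding TraceExclude, DLL-level versus API-level exclusion, the LoadLibraryA requirement for run-time loaded DLLs) and the loop-detection/hook-removal and return-address logging features are easiest to understand as a small model. The following Python is an added example written for this page; it is not Malpimp's own code and does not use pydbg or Malpimp's configuration file syntax, which is not shown here. Module names are normalised so that "kernel32" and "KERNEL32.DLL" compare equal, the export table and call sequence are constructed for the example, and the loop threshold of three hits from one call site is a hypothetical value.

```python
"""Model of Malpimp-style trace policies, return-address logging and loop-based
hook removal. Added illustration for this page; not Malpimp's own code."""

from collections import Counter


def _module(name):
    """Normalise a module name: 'kernel32' and 'KERNEL32.DLL' compare equal (assumption)."""
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def _split(api_ref):
    """'kernel32!LoadLibraryA' -> ('kernel32', 'loadlibrarya')."""
    mod, _, fn = api_ref.partition("!")
    return _module(mod), fn.lower()


class TracePolicy:
    """Decides whether a DLL!API pair gets hooked, following the page's rules."""

    def __init__(self, include_dlls=(), include_apis=(), exclude_dlls=(), exclude_apis=()):
        self.include_dlls = {_module(d) for d in include_dlls}
        self.include_apis = {_split(a) for a in include_apis}
        self.exclude_dlls = {_module(d) for d in exclude_dlls}
        self.exclude_apis = {_split(a) for a in exclude_apis}

    def should_hook(self, dll, api):
        key = (_module(dll), api.lower())
        # TraceInclude takes precedence: once it has any entry, TraceExclude is ignored.
        if self.include_dlls or self.include_apis:
            return key[0] in self.include_dlls or key in self.include_apis
        # Excluding a DLL drops every API it exports; excluding an API drops only that API.
        if key[0] in self.exclude_dlls:
            return False
        return key not in self.exclude_apis

    def sees_runtime_loads(self):
        """True if kernel32!LoadLibraryA is hooked, i.e. later-loaded DLLs can be noticed."""
        return self.should_hook("kernel32.dll", "LoadLibraryA")


class Tracer:
    LOOP_LIMIT = 3  # hypothetical threshold; Malpimp's real value is not documented here

    def __init__(self, policy, exports):
        self.policy = policy
        self.exports = exports      # {module: [api, ...]}, a constructed export table
        self.hooks = set()
        self.log = []
        self.hits = Counter()
        self.removed = set()

    def load_module(self, dll):
        """Install hooks for a module that just appeared (at start-up or via LoadLibraryA)."""
        for api in self.exports.get(_module(dll), []):
            if self.policy.should_hook(dll, api):
                self.hooks.add((_module(dll), api.lower()))

    def call(self, dll, api, return_addr, arg=None):
        """Simulate the hooked API being entered from the given return address."""
        key = (_module(dll), api.lower())
        if key not in self.hooks:
            return
        site = (key, return_addr)
        self.hits[site] += 1
        if self.hits[site] > self.LOOP_LIMIT:
            # Same API from the same return address keeps firing: treat as a loop and unhook.
            self.hooks.discard(key)
            self.removed.add(key)
            return
        self.log.append(f"{key[0]}!{api} ret=0x{return_addr:08x}")
        # Only a hooked LoadLibraryA tells the tracer about run-time loaded DLLs.
        if key == ("kernel32", "loadlibrarya") and arg:
            self.load_module(arg)


def demo():
    """Constructed scenario: a sample that loads ws2_32.dll at run time and loops on send()."""
    exports = {"kernel32": ["LoadLibraryA", "GetProcAddress", "Sleep"],
               "ws2_32": ["WSAStartup", "connect", "send"]}
    # TraceInclude restricted to ws2_32.dll only: LoadLibraryA is never hooked, so the
    # run-time load of ws2_32.dll goes unnoticed and nothing is logged.
    blind = Tracer(TracePolicy(include_dlls=["ws2_32.dll"]), exports)
    # Same policy plus kernel32!LoadLibraryA, as the note above recommends.
    aware = Tracer(TracePolicy(include_dlls=["ws2_32.dll"],
                               include_apis=["kernel32!LoadLibraryA"]), exports)
    for t in (blind, aware):
        t.load_module("kernel32.dll")                     # present at process start
        t.call("kernel32", "Sleep", 0x401000)             # outside TraceInclude
        t.call("kernel32", "LoadLibraryA", 0x401010, arg="ws2_32.dll")
        t.call("ws2_32", "WSAStartup", 0x401020)
        for _ in range(5):                                # tight send() loop, one call site
            t.call("ws2_32", "send", 0x401030)
    return blind, aware


if __name__ == "__main__":
    blind, aware = demo()
    print("ws2_32 only      :", blind.log)
    print("with LoadLibraryA:", aware.log, "unhooked:", aware.removed)
```

Running it shows the "ws2_32 only" tracer logging nothing at all, while the tracer that also includes kernel32!LoadLibraryA logs the LoadLibraryA call, picks up ws2_32.dll, logs WSAStartup, and after three send() calls from the same return address removes the send hook instead of flooding the log.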

 
 
 
Using Malpimp

Malpimp is simple to use. Since it is a command-line/console tool, you launch it from the command prompt (cmd.exe).

Here is the basic usage information:

	Malpimp.exe <sample_exe> <address>
            <sample_exe>: Full path of the application EXE file
            <address>:    Start address for the API tracing. To trace
                          directly from the entry point, use zero.

	Example:
        	Malpimp.exe c:\windows\test.exe 0
 
 
 
Screenshots
Here is a screenshot of Malpimp showing the API trace of an application.
 
Malpimp analyzing PE file
 
 
 
Release History
Version 2.0 :  11th Mar 2013
Support for attaching to a running process and tracing its API calls. Ability to pass arguments to the binary and to log calls only within a given address range.
 
Version 1.0 :  7th Feb 2013
First public release of Malpimp
 
 
 
Disclaimer
The Malpimp tool is released "as is" without warranty of any kind; neither SecurityXploded nor the author is responsible for any damage resulting from use or misuse of this tool.

Read complete License & Disclaimer terms here.
 
 
 
Download Malpimp
FREE Download Malpimp v2.0

License  : Freeware
Platform : Windows XP (sp2, sp3), 2003
