About Malpimp
Malpimp is an advanced API tracing tool designed to automate the reverse engineering process.
In the backend it uses pydbg to hook the APIs. It provides include and exclude policies that give finer control over which calls are hooked in the application being traced.
Being a command-line tool makes it well suited to automated malware analysis as well as API tracing of ordinary applications.
Currently it works on Windows XP & 2003 platforms only.
Features
- Allows advanced configuration through Include and Exclude policies to hook DLLs and APIs selectively
- Loop detection and dynamic hook removing abilities
- Provides fine-grained control over the traced application
- API calls logging with return address
- Command-line tool makes it perfect for scripting and automation
Malpimp Policy Configuration
Malpimp uses a configuration file in which you can define policies for API tracing.
Currently it supports two types of policies:
- TraceExclude: In the TraceExclude policy you add the DLLs and APIs that you do not want to hook. Note that DLL entries and API entries have different meanings: if you exclude a DLL, every API of that DLL is excluded; if you exclude only an API, only that API is excluded and the rest of the APIs are still hooked.
- TraceInclude: In the TraceInclude policy you add the DLLs and APIs that you want to hook. If this policy has any entries, the values in TraceExclude are ignored; in other words, the TraceExclude policy only takes effect when the TraceInclude policy is empty.
Note: Some DLLs may be loaded at run time, for example networking DLLs. In those cases make sure that you hook LoadLibraryA; malpimp will then automatically identify the newly loaded DLL and check it against the policies for hooking.
For example, with a TraceInclude policy whose DLL entries list only ws2_32.dll, also include kernel32!LoadLibraryA in the API entries so that malpimp can detect newly loaded DLLs.