{ "cells": [ { "cell_type": "code", "execution_count": 26, "metadata": {}, "outputs": [], "source": [ "import pefile" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [], "source": [ "import os\n", "import os.path\n", "\n", "import logging\n", "logging.basicConfig(level=logging.DEBUG)\n", "\n", "logger = logging.getLogger('get-windows-apis')" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [], "source": [ "def enumerate_files(basepath):\n", " for directory, _, files in os.walk(basepath):\n", " for file in files:\n", " yield os.path.join(directory, file)" ] }, { "cell_type": "code", "execution_count": 29, "metadata": {}, "outputs": [], "source": [ "def enumerate_dlls(basepath):\n", " for path in enumerate_files(basepath):\n", " if not path.lower().endswith('.dll'):\n", " continue\n", " yield path" ] }, { "cell_type": "code", "execution_count": 30, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['C:/windows/system32\\\\aadauthhelper.dll',\n", " 'C:/windows/system32\\\\aadcloudap.dll',\n", " 'C:/windows/system32\\\\aadjcsp.dll',\n", " 'C:/windows/system32\\\\aadtb.dll',\n", " 'C:/windows/system32\\\\AboutSettingsHandlers.dll',\n", " 'C:/windows/system32\\\\AboveLockAppHost.dll',\n", " 'C:/windows/system32\\\\accessibilitycpl.dll',\n", " 'C:/windows/system32\\\\accountaccessor.dll',\n", " 'C:/windows/system32\\\\AccountsRt.dll',\n", " 'C:/windows/system32\\\\AcGenral.dll']" ] }, "execution_count": 30, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(enumerate_dlls('C:/windows/system32'))[:10]" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [], "source": [ "pe = pefile.PE('C:/windows/system32/kernel32.dll')" ] }, { "cell_type": "code", "execution_count": 32, "metadata": {}, "outputs": [], "source": [ "def get_version_strings(pe):\n", " '''\n", " extract all the version strings as a dictionary from string to string.\n", " \n", " note:\n", " 
supposedly there might be multiple version info structures.\n", " in this case, we pick an arbitrary order and later entries overwrite earlier colliding keys.\n", " keys or values that are not valid utf-8 are skipped.\n", " '''\n", " strings = {}\n", " if not hasattr(pe, 'FileInfo'):\n", " return {}\n", " \n", " for info in pe.FileInfo:\n", " if info.Key != b'StringFileInfo':\n", " continue\n", " \n", " for table in info.StringTable:\n", " for k, v in table.entries.items():\n", " try:\n", " strings[k.decode('utf-8')] = v.decode('utf-8')\n", " except UnicodeDecodeError:\n", " continue\n", " return strings" ] }, { "cell_type": "code", "execution_count": 33, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'CompanyName': 'Microsoft Corporation',\n", " 'FileDescription': 'Windows NT BASE API Client DLL',\n", " 'FileVersion': '10.0.16299.15 (WinBuild.160101.0800)',\n", " 'InternalName': 'kernel32',\n", " 'LegalCopyright': '© Microsoft Corporation. All rights reserved.',\n", " 'OriginalFilename': 'kernel32',\n", " 'ProductName': 'Microsoft® Windows® Operating System',\n", " 'ProductVersion': '10.0.16299.15'}" ] }, "execution_count": 33, "metadata": {}, "output_type": "execute_result" } ], "source": [ "get_version_strings(pe)" ] }, { "cell_type": "code", "execution_count": 34, "metadata": {}, "outputs": [], "source": [ "def get_dll_company_name(path):\n", " '''\n", " return the CompanyName version string of the PE at the given path, or '' if absent.\n", " \n", " note:\n", " the pefile.PE object opened here is not explicitly closed; when calling this in a loop\n", " over many files, consider closing it (pefile exposes pe.close()) to release the mapping.\n", " '''\n", " pe = pefile.PE(path)\n", " return get_version_strings(pe).get('CompanyName', '')" ] }, { "cell_type": "code", "execution_count": 35, "metadata": {}, "outputs": [], "source": [ "def is_ms_pe(pe):\n", " '''\n", " return true if the given PE appears to be from microsoft.\n", " \n", " note:\n", " this is a heuristic only. it does a substring match for 'Microsoft' on the CompanyName\n", " string of the version resource, which is unauthenticated metadata that any file author\n", " (including malware) can set freely. a match does not prove microsoft provenance, and\n", " a missing or mismatched string does not prove the opposite.\n", " for a trust decision, verify the file's Authenticode signature chain instead; this\n", " notebook only uses the heuristic to filter which DLLs contribute export names.\n", " '''\n", " return 'Microsoft' in get_version_strings(pe).get('CompanyName', '')" ] }, { "cell_type": "code", "execution_count": 36, "metadata": {}, "outputs": [], "source": [ "def get_exported_symbols(pe):\n", " '''\n", " enumerate the exported symbol names in the given PE.\n", " \n", " yields nothing if the PE has no export directory.\n", " exports without a name (ordinal-only exports) are skipped.\n", " names are decoded as ascii, so a non-ascii export name raises UnicodeDecodeError\n", " from the generator; callers iterating many files should be prepared for that.\n", " '''\n", " if not hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):\n", " return\n", " for sym in pe.DIRECTORY_ENTRY_EXPORT.symbols:\n", " if sym.name is None:\n", " 
continue\n", " yield sym.name.decode('ascii')" ] }, { "cell_type": "code", "execution_count": 37, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['AcquireSRWLockExclusive',\n", " 'AcquireSRWLockShared',\n", " 'ActivateActCtx',\n", " 'ActivateActCtxWorker',\n", " 'AddAtomA',\n", " 'AddAtomW',\n", " 'AddConsoleAliasA',\n", " 'AddConsoleAliasW',\n", " 'AddDllDirectory',\n", " 'AddIntegrityLabelToBoundaryDescriptor']" ] }, "execution_count": 37, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(get_exported_symbols(pe))[:10]" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "name": "stderr", "output_type": "stream", "text": [ "DEBUG:get-windows-apis:processed: C:/Windows/System32/aadauthhelper.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/aadcloudap.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/aadjcsp.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/aadtb.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AboutSettingsHandlers.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AboveLockAppHost.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/accessibilitycpl.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/accountaccessor.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AccountsRt.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AcGenral.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AcLayers.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/acledit.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/aclui.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/acmigration.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ACPBackgroundManagerPolicy.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/acppage.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/acproxy.dll\n", 
"DEBUG:get-windows-apis:processed: C:/Windows/System32/AcSpecfc.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActionCenter.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActionCenterCPL.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActionQueue.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActivationClient.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActivationManager.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActivationVdev.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/activeds.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActiveSyncCsp.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/ActiveSyncProvider.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/actxprxy.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AcWinRT.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AcXtrnal.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AdaptiveCards.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AddressParser.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adhapi.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adhsvc.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/AdmTmpl.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adprovider.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adrclient.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adsldp.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adsldpc.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adsmsext.dll\n", "DEBUG:get-windows-apis:processed: C:/Windows/System32/adsnt.dll\n", "[...]\n" ] } ], "source": [ "symbols = set([])\n", "for dll in enumerate_dlls('C:/Windows/System32/'):\n", " try:\n", " pe = pefile.PE(dll)\n", " except Exception as e:\n", " logger.warn('failed to parse %s: %s', dll, 
e)\n", " continue\n", " if not is_ms_pe(pe):\n", " logger.debug('not a microsoft pe: %s', dll)\n", " continue\n", " symbols.update(get_exported_symbols(pe))\n", " logger.debug('processed: %s', dll)" ] }, { "cell_type": "code", "execution_count": 19, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "93679" ] }, "execution_count": 19, "metadata": {}, "output_type": "execute_result" } ], "source": [ "len(symbols)" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['x86BiosFreeBuffer',\n", " 'x86BiosReadMemory',\n", " 'x86BiosWriteMemory',\n", " 'xCreateCannedMediaType',\n", " 'xMediaSubTypeTransform',\n", " 'xp_AzManAddRole',\n", " 'xp_AzManAddUserToRole',\n", " 'xp_AzManDeleteRole',\n", " 'xp_AzManRemoveUserFromRole',\n", " 'xtime_get']" ] }, "execution_count": 21, "metadata": {}, "output_type": "execute_result" } ], "source": [ "list(sorted(symbols))[-10:]" ] }, { "cell_type": "code", "execution_count": 23, "metadata": {}, "outputs": [], "source": [ "with open('windows-api.txt', 'wb') as f:\n", " for symbol in sorted(symbols):\n", " f.write(symbol.encode('utf-8') + b'\\n')" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.3" } }, "nbformat": 4, "nbformat_minor": 2 }