### **Key Features**

- Quick Security Assessment - Instant risk score (0-100) with a recommended action
- 18 Detailed Analysis Options - Interactive deep dive into every aspect of the file
- Static Threat Indicators - Flag suspicious traits without executing the sample
- Windows Console Compatible - No encoding issues
- UPX Detection & Unpacking - Detect UPX-packed samples and attempt to unpack them
- Packed Section Analysis - Find hidden code regions
- Entry Point Analysis - Locate the real entry point of the unpacked code
- Hidden String Extraction - Extract strings from packed regions
- Entropy Distribution - Visualize packed vs unpacked areas
- URL Extraction - Harvest embedded HTTP/HTTPS endpoints (candidate C&C infrastructure)
- IP Address Discovery - Direct connection endpoints
- Registry Key Analysis - Persistence mechanisms
- API Pattern Detection - Anti-analysis techniques
- Risk Scoring - Files with several red flags score high (80/100 in the sample run below)
- Timeline Analysis - Future timestamp detection
- Certificate Verification - Digital signature analysis
- Code Pattern Analysis - Anti-debug, anti-VM, anti-sandbox
- Configuration Management - Centralized settings with JSON persistence
- Rotating Logs - Security event tracking
- Plugin System - Extensible architecture for custom analysis
- Database Storage - SQLite for persistent analysis results
- Web Dashboard - Flask-based interface for visualization
- Testing Framework - Automated unit and integration tests
- Build Automation - Windows batch scripts for development
### **Installation**

Windows (using the bundled build script):

```bash
# Clone the repository
git clone https://github.com/z0uz/dll-analyzer.git
cd dll-analyzer

# Install with development dependencies
.\build.bat install-dev

# Or install manually
pip install -r requirements.txt
pip install -e .
```

Linux/Mac:

```bash
# Clone the repository
git clone https://github.com/z0uz/dll-analyzer.git
cd dll-analyzer

# Install dependencies
pip install -r requirements.txt
pip install -e .
```

`requirements.txt` pins the core libraries. Python 3.7 or newer is required; the interpreter version is not a pip requirement and does not belong in the file:

```text
pefile>=2023.2.7
capstone>=4.0.2
Flask>=2.3.0
```
### **Quick Start**

```bash
# Windows
.\build.bat run

# Linux/Mac
python dll_analyzer.py
```

Example quick assessment output:

```text
QUICK SECURITY ASSESSMENT
• Risk Score: 80/100
• Risk Level: CRITICAL
• Action: DO NOT EXECUTE - Analyze in isolated sandbox
• Packed: Yes WARNING
• Signed: No WARNING
• URLs Found: 186 WARNING
```

### **Web Dashboard**

```bash
# Start web interface
.\build.bat web
# Open browser to http://localhost:5000
```

Features:

- Real-time analysis results
- IOC search and filtering
- Export capabilities (JSON/CSV)
- Statistics and reporting

Keep the dashboard bound to localhost on the analysis machine; Flask's built-in development server is not meant to be exposed to a network.

### **Command Line**

```bash
# Basic DLL analysis
python dll_analyzer.py "C:\Windows\System32\kernel32.dll"

# Export to JSON
python dll_analyzer.py "malware.exe" -o analysis.json -f json

# Export to text report
python dll_analyzer.py "malware.exe" -o report.txt -f txt

# Targeted analysis
python dll_analyzer.py "file.exe" --strings-only
python dll_analyzer.py "file.dll" --exports-only
python dll_analyzer.py "file.dll" --imports-only
```
### **Build Commands**

Windows:

```bash
# Development setup
.\build.bat install-dev
# Run tests
.\build.bat test
# Code formatting
.\build.bat format
# Linting
.\build.bat lint
# Clean project
.\build.bat clean
# Security audit
.\build.bat security-audit
# Create plugin
.\build.bat create-plugin
# Performance benchmark
.\build.bat benchmark
```

Linux/Mac (Makefile):

```bash
# Development setup
make install-dev
# Run tests
make test
# Code formatting
make format
# Clean project
make clean
```

### **Configuration**

```python
from config import config

# Access settings
max_size = config.get('analysis.max_file_size')
risk_threshold = config.get('security.risk_threshold_high')

# Update settings and persist them to the JSON config file
config.set('analysis.enable_deep_analysis', True)
config.save_config()
```

### **Logging**

```python
import os
from dll_analyzer import DLLAnalyzer
from logger import logger

file_path = "suspicious.exe"
file_size = os.path.getsize(file_path)

# Log analysis events
logger.log_analysis_start(file_path, file_size)
logger.log_security_event("suspicious_import", {"function": "CreateRemoteThread"})

# Log failures with the exception and the file that triggered it
try:
    analyzer = DLLAnalyzer(file_path)
    analyzer.load_dll()
    results = analyzer.full_analysis()
except Exception as e:
    logger.error("Analysis failed", exception=e, context={"file": file_path})
```

### **Plugin System**

```python
from plugin_system import AnalysisPlugin

class CustomPlugin(AnalysisPlugin):
    @property
    def name(self):
        return "custom_plugin"

    def analyze(self, pe_file, config):
        # pe_file is the parsed PE object, config the analyzer configuration
        return {"custom_result": "analysis_data"}
```
### **Database Storage**

```python
from dll_analyzer import DLLAnalyzer
from database import AnalysisDatabase

analyzer = DLLAnalyzer("suspicious.exe")
analyzer.load_dll()
results = analyzer.full_analysis()

# Store analysis results
db = AnalysisDatabase()
analysis_id = db.store_analysis(results)

# Search IOCs
ioc_results = db.search_iocs("malicious.com")

# Get statistics
stats = db.get_statistics()
```

### **Dashboard Features**

- Real-time Statistics - Analysis overview and trends
- Recent Analyses - Latest processed files
- Risk Distribution - Visual risk level breakdown
- IOC Search - Search for indicators across all analyses
- Comprehensive Reports - Full analysis breakdown
- Export Options - JSON, CSV, and text formats
- Plugin Results - Custom plugin analysis data
- Timeline View - Analysis history and trends
### **Testing**

```bash
# Run all tests
.\build.bat test
# Run specific test
python -m pytest tests.py::TestDLLAnalyzer::test_file_loading
# Coverage report
python -m pytest tests.py --cov=. --cov-report=html
```

Test coverage includes:

- Real PE file analysis
- Database operations
- Plugin system validation
- Web interface testing
### **Built-in Plugins**

- Entropy Analysis - Advanced entropy calculation and visualization
- YARA Rules - Malware pattern matching (requires yara-python)
- Custom Plugins - Easy plugin development framework
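A worked plugin, added here as an example rather than code from the dll-analyzer project: it implements the `AnalysisPlugin` interface shown above and groups the file's imported APIs into behaviour categories (process injection, anti-debug, persistence, network), which is the kind of import heuristic the tool's "suspicious_import" events and "API Pattern Detection" feature describe. The API tables and per-category thresholds are assumptions; the `DIRECTORY_ENTRY_IMPORT` / `entry.dll` / `imp.name` attributes are pefile's real ones. When `plugin_system` cannot be imported, a minimal stand-in base class is defined so the block runs on its own, and `demo_pe()` is a constructed stand-in for a parsed PE object.

```python
# Added example, not dll-analyzer's own code: an AnalysisPlugin that groups a
# file's imported APIs into behaviour categories (process injection, anti-debug,
# persistence, network). The API tables and the per-category thresholds are
# assumptions; the pefile attribute names used in imports_from_pe() are real.
from __future__ import annotations

from types import SimpleNamespace

try:                                   # the project's base class when run inside the tool
    from plugin_system import AnalysisPlugin
except ImportError:                    # stand-in with the same two members for stand-alone runs
    class AnalysisPlugin:
        name = "base"

        def analyze(self, pe_file, config):
            raise NotImplementedError

# (API names without the A/W suffix, how many must be present before the category fires)
API_GROUPS = {
    "process_injection": ({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                           "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"}, 3),
    "anti_debug": ({"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                    "NtQueryInformationProcess", "OutputDebugString"}, 1),
    "persistence": ({"RegSetValueEx", "RegCreateKeyEx", "CreateService"}, 1),
    "network": ({"InternetOpen", "InternetOpenUrl", "URLDownloadToFile", "WinHttpOpen",
                 "WSAStartup", "connect"}, 1),
}


def normalize(api: str) -> str:
    """Fold ANSI/Unicode pairs (RegSetValueExA / RegSetValueExW) onto one name."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def classify_imports(imports: dict[str, list[str]]) -> dict[str, list[str]]:
    """{dll: [function, ...]} -> {category: [matched APIs]} for categories over threshold."""
    present = {normalize(f) for funcs in imports.values() for f in funcs}
    hits = {}
    for category, (apis, needs) in API_GROUPS.items():
        matched = sorted(present & apis)
        if len(matched) >= needs:
            hits[category] = matched
    return hits


def imports_from_pe(pe_file) -> dict[str, list[str]]:
    """Read named imports from a pefile.PE object; imports by ordinal have no name and are skipped."""
    table = {}
    for entry in getattr(pe_file, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("ascii", "replace").lower()
        table[dll] = [imp.name.decode("ascii", "replace") for imp in entry.imports if imp.name]
    return table


class ImportHeuristicsPlugin(AnalysisPlugin):
    @property
    def name(self):
        return "import_heuristics"

    def analyze(self, pe_file, config):
        hits = classify_imports(imports_from_pe(pe_file))
        return {"categories": hits,
                "suspicious_import_count": sum(len(v) for v in hits.values())}


def demo_pe():
    """Constructed stand-in for a pefile.PE object exposing only DIRECTORY_ENTRY_IMPORT."""
    def entry(dll, names):
        return SimpleNamespace(dll=dll, imports=[SimpleNamespace(name=n) for n in names])
    return SimpleNamespace(DIRECTORY_ENTRY_IMPORT=[
        entry(b"KERNEL32.dll", [b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
                                b"IsDebuggerPresent", b"LoadLibraryA", None]),  # None: by ordinal
        entry(b"ADVAPI32.dll", [b"RegSetValueExW"]),
        entry(b"WININET.dll", [b"InternetOpenA"]),
    ])


if __name__ == "__main__":
    print(ImportHeuristicsPlugin().analyze(demo_pe(), {}))
```

Thresholds matter: `VirtualAllocEx` and `WriteProcessMemory` on their own also appear in legitimate debuggers and instrumentation tools, so the injection category only fires once three of its APIs are present, while single-API categories such as `IsDebuggerPresent` are weaker signals and should contribute less to any score built on top of them.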
```bash
# Create plugin template
.\build.bat create-plugin
# Edit plugins/custom_plugin.py
# Plugin automatically loads on next run
```

### **Sample JSON Output**

```json
{
  "dll_info": {
    "file_path": "malware.exe",
    "machine_type": "AMD64",
    "is_64bit": true,
    "file_size": 1024576
  },
  "characteristics": {
    "is_packed": true,
    "is_signed": false,
    "is_dotnet": false,
    "has_high_entropy": true
  },
  "embedded_urls": [
    "https://api.malware[.]com/update"
  ],
  "ip_addresses": [
    "203.0.113.45"
  ],
  "security_score": 80,
  "risk_level": "CRITICAL",
  "plugin_results": {
    "entropy_analysis": {
      "average_entropy": 7.2,
      "packed_sections": [".text"]
    }
  }
}
```

### **Use Cases**

- Sandbox Pre-analysis - Quick triage before sandbox
- Threat Intelligence - Extract IOCs and indicators
- Family Identification - Compare with known malware
- Behavior Prediction - Anticipate malware actions
- API Analysis - Understand software dependencies
- Function Discovery - Find exported functions
- Import Analysis - See what libraries are used
- Structure Analysis - Understand PE file layout
- Vulnerability Research - Find security issues
- Digital Forensics - Analyze suspicious files
- Incident Response - Quick malware identification
- Security Auditing - Verify file authenticity
- Only analyze software you own or have explicit permission
- Respect license agreements and terms of service
- Follow local laws and regulations
- Use for educational purposes and legitimate security research
- Do not distribute copyrighted material
- Analyze malware in isolated environments only
### **Dependencies**

Core:

- pefile: PE file format parsing
- capstone: Disassembly framework (optional; only the disassembly features need it)
- Python 3.7+: Core runtime requirement
- Flask: Web framework for the dashboard
- Jinja2: Template engine

Development:

- pytest: Testing framework
- black: Code formatting
- flake8: Linting
- mypy: Type checking
- yara-python: YARA rule matching (optional; needed by the YARA plugin)
- sphinx: Documentation generation
### **Troubleshooting**

- "DLL not found": Check file path and permissions
- "Access denied": Run as administrator for system files
- "Capstone not available": Install with `pip install capstone`
- "Invalid PE file": Verify the file is a valid Windows DLL/EXE
- "Unicode errors": Tool handles Windows console encoding
- "Web interface not starting": Check whether port 5000 is already in use

Windows notes:

- Use `.\build.bat` commands instead of `make`
- Run PowerShell/CMD as Administrator for system files
- Check Windows Defender exclusions if samples disappear mid-analysis, and keep that work inside an isolated VM rather than excluding directories on a host machine
### **Python API**

```python
from config import config
from dll_analyzer import DLLAnalyzer
from database import AnalysisDatabase
from plugin_system import PluginManager

# Create analyzer instance
analyzer = DLLAnalyzer("suspicious.exe")
analyzer.load_dll()
results = analyzer.full_analysis()

# Store in database
db = AnalysisDatabase()
analysis_id = db.store_analysis(results)

# Run plugins against the parsed PE object
plugin_manager = PluginManager()
plugin_results = plugin_manager.run_all_plugins(analyzer.pe, config.config)
```

### **Batch Analysis**

```python
import json
import os
from dll_analyzer import DLLAnalyzer

os.makedirs("reports", exist_ok=True)

# Analyze all files in directory
for file_name in os.listdir("malware_samples"):
    if not file_name.lower().endswith(('.exe', '.dll')):
        continue
    analyzer = DLLAnalyzer(os.path.join("malware_samples", file_name))
    analyzer.load_dll()
    results = analyzer.full_analysis()

    # Export high-risk files
    if results.get('security_score', 0) > 70:
        with open(os.path.join("reports", f"{file_name}_report.json"), 'w') as f:
            json.dump(results, f, indent=2)
```

**⚠️ Be cautious with malicious files**

- 🔒 Analyze in isolated environments (VMs, sandboxes)
- 🖥️ Use virtual machines for suspicious samples
- 🔄 Keep analysis tools updated
- 📝 Document findings for threat intelligence
- 🚫 Never execute malware on host systems
### **Contributing**

```bash
git clone https://github.com/z0uz/dll-analyzer.git
cd dll-analyzer
.\build.bat install-dev
```

Areas where help is welcome:

- Bug Reports: Issues with file analysis
- Feature Requests: New analysis capabilities
- Plugin Development: Custom analysis modules
- Documentation: Enhanced README and examples
- Testing: Additional test cases

Guidelines:

- Follow PEP 8 style guidelines
- Add unit tests for new features
- Update documentation
- Run `.\build.bat format` before commits
This project is provided for educational and legitimate security research purposes only. Users are responsible for ensuring compliance with applicable laws and regulations.
- ✅ Enterprise-grade logging with rotation
- ✅ Persistent database storage
- ✅ Extensible plugin architecture
- ✅ Web dashboard interface
- ✅ Automated testing framework
- ✅ Professional configuration management
- ✅ Cross-platform compatibility
- ✅ Comprehensive documentation

🔥 Ready to analyze malware? Start with the web dashboard:

```bash
.\build.bat web
# Open http://localhost:5000
```

Stay safe, analyze smart! 🛡️
---
## 🎮 **Usage Examples**
### **🔥 Interactive Mode (NEW!)**

```bash
# Interactive analysis with menu-driven options
python dll_analyzer.py "suspicious_file.exe"
```

Example output:

```text
QUICK SECURITY ASSESSMENT
• Risk Score: 80/100
• Risk Level: CRITICAL
• Action: DO NOT EXECUTE - Analyze in isolated sandbox
• Packed: Yes WARNING
• Signed: No WARNING
• URLs Found: 186 WARNING
```

### **Command Line Options**

```bash
# Basic DLL analysis
python dll_analyzer.py C:\Windows\System32\kernel32.dll

# Export to JSON
python dll_analyzer.py "malware.exe" -o analysis.json -f json

# Export to text report
python dll_analyzer.py "malware.exe" -o report.txt -f txt

# Extract only strings
python dll_analyzer.py "file.exe" --strings-only

# Extract only exports
python dll_analyzer.py "file.dll" --exports-only

# Extract only imports
python dll_analyzer.py "file.dll" --imports-only
```

### **Interactive Menu**

When you run the tool in interactive mode, you'll see this menu:

```text
DETAILED ANALYSIS OPTIONS:
1. Show all embedded URLs
2. Analyze suspicious imports
3. Show dependency details
4. Extract and analyze strings
5. Check for .NET metadata
6. Show file hashes for malware checking
7. Analyze entropy distribution
8. Detect packing algorithms
9. Extract IP addresses
10. Analyze code patterns (anti-analysis)
11. File timeline analysis
12. Certificate analysis
13. Attempt UPX unpacking
14. Analyze packed sections
15. Extract hidden strings
16. Entry point analysis
17. Generate comprehensive security report
18. Exit
```

The comprehensive security report closes with a final assessment, for example:

```text
FINAL ASSESSMENT:
• Security Score: 80/100
• Risk Level: CRITICAL
• Action: DO NOT EXECUTE - Analyze in isolated sandbox

ISSUES FOUND:
1. Packed/obfuscated executable
2. No digital signature
3. High number of embedded URLs (186)
4. Suspicious future timestamp

RECOMMENDATIONS:
• Unpack using UPX or manual unpacking
• Decompile with dnSpy to view source
• Investigate embedded URLs
• Submit to VirusTotal for malware analysis
• Run in sandbox (Cuckoo, Any.Run)
```

Two caveats on the recommendations: dnSpy only applies to .NET assemblies (`is_dotnet: true` in the JSON output), native code needs a disassembler such as the Capstone-backed disassembly feature; and uploading a sample to VirusTotal shares it with every participating vendor, so for sensitive incidents look up the file hashes (option 6) before uploading the file itself.
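The final assessment above is built from four findings: packed sections, no signature, a high URL count and a future compile timestamp. The following block is an added example, not dll-analyzer's own code, that shows how those header-level findings are derived and combined: it parses a PE's COFF header and section table with `struct`, computes per-section Shannon entropy (the "Entropy Distribution" and "Packed Section Analysis" features), flags UPX section names and compile timestamps that lie in the future, and folds everything into a 0-100 score with a risk band. The weights, bands and the 7.0 bits/byte entropy threshold are assumptions chosen so the constructed sample reproduces the 80/100 CRITICAL verdict; `build_sample_pe()` constructs the sample image in memory so nothing on disk is needed.

```python
# Added example, not dll-analyzer's own code: parse a PE section table from raw
# bytes, score each section's entropy, flag UPX section names and future compile
# timestamps, and fold the findings into a 0-100 score. The weights, risk bands
# and thresholds are assumptions chosen so the sample reproduces the 80/100 above.
from __future__ import annotations

import math
import random
import struct
import time
from collections import Counter

WEIGHTS = {"packed": 30, "unsigned": 20, "many_urls": 15, "future_timestamp": 15}  # assumed
BANDS = ((70, "CRITICAL"), (50, "HIGH"), (30, "MEDIUM"), (0, "LOW"))                # assumed
PACKED_ENTROPY = 7.0   # bits per byte; compressed or encrypted sections sit close to 8.0
MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe(timestamp: int, sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed PE32+ image with only the header fields this parser reads filled in."""
    e_lfanew, opt_size = 0x40, 0xF0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                 # section data starts on a 0x200 boundary
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)   # PE32+ magic, rest zeroed
    table, blobs, va = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va, len(data),
                             raw_ptr + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data
        va += (len(data) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


def parse_pe(image: bytes) -> dict:
    """Read the COFF header and section table; rejects anything without MZ/PE magic."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for _ in range(nsec):
        name, _vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "raw_size": rsize,
                         "entropy": round(shannon_entropy(raw), 2)})
        off += 40
    return {"machine_type": MACHINES.get(machine, hex(machine)), "timestamp": ts,
            "sections": sections}


def assess(pe: dict, *, signed: bool, url_count: int, now: int | None = None) -> dict:
    """Combine header findings with facts the caller already knows (signature, URL count)."""
    now = int(time.time()) if now is None else now
    packed = [s["name"] for s in pe["sections"]
              if s["entropy"] > PACKED_ENTROPY or s["name"].upper().startswith("UPX")]
    issues = []
    if packed:
        issues.append(("packed", "Packed/obfuscated sections: " + ", ".join(packed)))
    if not signed:
        issues.append(("unsigned", "No digital signature"))
    if url_count > 100:
        issues.append(("many_urls", f"High number of embedded URLs ({url_count})"))
    if pe["timestamp"] > now + 86400:          # more than a day ahead: forged or clock-skewed
        issues.append(("future_timestamp", "Suspicious future compile timestamp"))
    score = min(100, sum(WEIGHTS[key] for key, _ in issues))
    level = next(label for floor, label in BANDS if score >= floor)
    return {"security_score": score, "risk_level": level,
            "issues": [msg for _, msg in issues], "packed_sections": packed}


def sample_assessment() -> dict:
    """Constructed sample: a plain-text .text section plus a high-entropy UPX1 section,
    unsigned, 186 URLs, compile timestamp ten years after the fixed 'now'."""
    rng = random.Random(0xC0FFEE)
    packed_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    text_blob = b"This program cannot be run in DOS mode.\r\n" * 100
    now = 1_700_000_000
    image = build_sample_pe(now + 10 * 365 * 86400, [(b".text", text_blob), (b"UPX1", packed_blob)])
    return assess(parse_pe(image), signed=False, url_count=186, now=now)


if __name__ == "__main__":
    print(sample_assessment())
```

`assess()` takes the signature status and URL count as inputs because neither lives in the section table. The timestamp check allows a day of slack so build machines with slightly skewed clocks are not flagged, and a timestamp of 0 (common with reproducible builds) is deliberately not treated as an anomaly.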
### **Core Analyzer**

Advanced malware analysis tool with:

- Interactive Mode - Menu-driven analysis
- Security Scoring - 0-100 risk assessment
- Unpacking Capabilities - UPX detection and extraction
- Network Intelligence - URL/IP extraction
- Threat Detection - Anti-analysis techniques
- Timeline Analysis - Timestamp anomalies
- Certificate Analysis - Digital signature verification
- Entropy Analysis - Packed region detection
- Hidden String Extraction - Extract from packed areas
- Entry Point Analysis - Find real malicious code

### **Advanced Analysis**

Advanced analysis tool with:

- Function disassembly (requires Capstone)
- Pattern recognition
- Import heuristics analysis
- Section entropy analysis
- Function signature generation
- Suspicious API detection

**Unpacking**

- UPX Detection: Automatically detects UPX-packed malware
- Manual Unpacking: Attempts to extract original code
- Entry Point Analysis: Finds real malicious code location
- Packed Sections: Identifies hidden/encrypted regions

**Network Intelligence**

- URL Extraction: Finds all HTTP/HTTPS endpoints
- IP Discovery: Direct connection endpoints
- C&C Detection: Command & Control server identification
- Protocol Analysis: HTTP, WebSocket, custom protocols

**Threat Detection**

- Anti-Analysis: Detects debuggers, VMs, sandboxes
- Persistence: Registry, services, scheduled tasks
- Evasion: Sleep delays, time checks, API hooks
- Injection: Process injection, DLL injection

**Assessment**

- Security Scoring: 0-100 risk assessment
- Timeline Analysis: Future timestamp detection
- Certificate Analysis: Digital signature verification
- Entropy Analysis: Packed vs unpacked regions
### **JSON Output**

```json
{
  "dll_info": {
    "file_path": "malware.exe",
    "machine_type": "AMD64",
    "is_64bit": true,
    "file_size": 1024576
  },
  "characteristics": {
    "is_packed": true,
    "is_signed": false,
    "is_dotnet": false,
    "has_high_entropy": true
  },
  "embedded_urls": [
    "https://api.chatgpt[.]malware[.]com/update",
    "https://c2-server[.]xyz/heartbeat"
  ],
  "ip_addresses": [
    "203.0.113.45",
    "198.51.100.23"
  ],
  "security_score": 80,
  "risk_level": "CRITICAL"
}
```

### **Text Reports**

Human-readable reports with:

- Security Assessment Summary
- Detailed Technical Analysis
- Recommendations for Next Steps
- Threat Intelligence Indicators
### **Tips**

- Use absolute paths for system files
- Run as admin for system DLL analysis
- Large files may take time to analyze
- Export results for large analyses
- Use interactive mode for suspicious files
### **Python API**

```python
from dll_analyzer import DLLAnalyzer

# Create analyzer instance
analyzer = DLLAnalyzer("suspicious.exe")

# Load and analyze
analyzer.load_dll()
results = analyzer.full_analysis()

# Check security score
if results['security_score'] > 50:
    print("HIGH RISK DETECTED!")
    print(f"URLs found: {len(results['embedded_urls'])}")
    print(f"IP addresses: {len(results['ip_addresses'])}")

# Unpacking analysis. UPX is also used by legitimate software, so treat a hit
# as a lead for further analysis, not as a verdict.
upx_result = analyzer.attempt_upx_unpack()
if upx_result['upx_detected']:
    print("UPX-packed sample detected!")
```
Feel free to submit issues and enhancement requests for legitimate security research use cases:
- Bug Reports: Issues with file analysis
- Feature Requests: New analysis capabilities
- Improvements: Better detection algorithms
- Documentation: Enhanced README and examples
🔥 Ready to analyze malware? Start with interactive mode:

```bash
python dll_analyzer.py "suspicious_file.exe"
```

Stay safe, analyze smart! 🛡️