IATelligence: extract the IAT of a PE file
IATelligence
IATelligence is a Python script that extracts the Import Address Table (IAT) from a PE file and uses OpenAI’s GPT-3 model to describe each Windows API the file imports. For every API it also looks up related MITRE ATT&CK techniques and explains how an attacker could use the function.
It also prints the file’s hashes and estimates the cost of the GPT-3 requests. IATelligence is a proof of concept: it shows how GPT-3 can assist malware analysis by giving a quick first assessment of a sample’s likely behavior from its IAT alone.
Below is a quick example of the result you get. A run can take a while for a large IAT, since each imported API is sent to GPT-3 as its own request.
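As an added worked example (not part of IATelligence and not the project's own code), the following stdlib-only Python parses the import directory of a PE file the way the script's IAT step has to: walk the import descriptors, follow each one to its DLL name and thunk array, and resolve every thunk to an API name or an ordinal, for both PE32 and PE32+. `build_sample_pe` constructs a minimal PE32+ image in memory so the example runs offline; the sample's imports (`SAMPLE`) and all function names here are assumptions made for illustration, not anything the README describes. `file_hashes` mirrors the hashes the README says the script prints.

```python
import hashlib
import struct

def build_sample_pe(imports):
    """Constructed PE32+ image: headers plus one .idata section holding only an
    import directory. imports = {dll_name: [api_name or ordinal_int, ...]}."""
    sect_rva, sect_raw = 0x1000, 0x200
    body = bytearray(20 * (len(imports) + 1))     # descriptor table, zero-terminated
    descriptors = []
    for dll, funcs in imports.items():
        name_rva = sect_rva + len(body)
        body += dll.encode("ascii") + b"\0"
        thunks = []
        for func in funcs:
            if isinstance(func, int):                # import by ordinal: high bit set
                thunks.append((1 << 63) | func)
            else:                                    # IMAGE_IMPORT_BY_NAME: hint + name
                body += b"\0" * (len(body) % 2)
                thunks.append(sect_rva + len(body))
                body += struct.pack("<H", 0) + func.encode("ascii") + b"\0"
        body += b"\0" * (-len(body) % 8)             # align the 8-byte thunk arrays
        packed = b"".join(struct.pack("<Q", t) for t in thunks) + bytes(8)
        ilt_rva, iat_rva = sect_rva + len(body), sect_rva + len(body) + len(packed)
        body += packed + packed                      # ILT, then an identical on-disk IAT
        descriptors.append(struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva))
    body[:20 * len(descriptors)] = b"".join(descriptors)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)            # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, sect_rva, 20 * (len(descriptors) + 1))  # import dir
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sect_rva, len(body),
                          sect_raw, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(sect_raw, b"\0") + bytes(body)

def _rva_to_offset(sections, rva):
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def extract_imports(data):
    """Return {dll: [api_name or 'ordinal#N', ...]} for a PE32 or PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                    # PE32+: 8-byte thunks, data directory at +112
        dd_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    elif magic == 0x10B:                  # PE32: 4-byte thunks, data directory at +96
        dd_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0] if n_dirs > 1 else 0
    if not imp_rva:                       # no import directory at all
        return {}
    sections = []                         # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for i in range(n_sections):
        _, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    imports, off = {}, _rva_to_offset(sections, imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not (ilt or name_rva or iat):  # all-zero descriptor ends the table
            break
        dll, entries = _cstring(data, _rva_to_offset(sections, name_rva)), []
        t_off = _rva_to_offset(sections, ilt or iat)   # fall back to the IAT if the ILT is empty
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, t_off)[0]
            if thunk == 0:
                break
            if thunk & ord_flag:
                entries.append(f"ordinal#{thunk & 0xFFFF}")
            else:                         # RVA of IMAGE_IMPORT_BY_NAME: skip the 2-byte hint
                entries.append(_cstring(data, _rva_to_offset(sections, thunk) + 2))
            t_off += struct.calcsize(thunk_fmt)
        imports[dll] = entries
        off += 20
    return imports

def file_hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

# Constructed sample: APIs typical of process injection, plus ws2_32.dll ordinal 23 (socket).
SAMPLE = build_sample_pe({
    "kernel32.dll": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "ws2_32.dll": [23],
})

if __name__ == "__main__":
    print(file_hashes(SAMPLE)["sha256"], extract_imports(SAMPLE))
```

Run it directly to print the SHA-256 of the constructed sample and its imports grouped by DLL. Two details matter for a triage tool that feeds API names to GPT-3: the parser falls back to the IAT when a descriptor's OriginalFirstThunk (the ILT) is zero, which some linkers produce, and it reports ordinal imports as `ordinal#N` rather than resolving them, because resolution needs the exporting DLL's export table. Both cases have to be handled before the names are turned into prompts.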
Limitations
The cost of analyzing the imported Windows APIs with OpenAI’s GPT-3 scales with the size of the IAT. An individual request is cheap, but one request per imported API adds up quickly for a large file. The cost estimate printed by the script is an approximation and the real charge may differ.
The script analyzes one API per request, so large IATs are slow to process. A progress bar shows how far the analysis has got.
GPT-3 is a language model, not a reference: it can produce plausible but inaccurate API descriptions or technique mappings, so its output needs checking. The MITRE ATT&CK techniques are listed without any context about how the sample actually uses the API, so a malware analyst should treat them as leads to verify rather than as findings. As with any IAT-based triage, only statically imported APIs are visible; functions resolved at runtime through LoadLibrary/GetProcAddress, or imports hidden by a packer, do not appear.
Install & Use
Copyright (C) 2022 fr0gger