
A python tool for rapidly triaging interesting Windows binaries



This script requires that the pefile library is installed.

python3 imports.py [-h] [-i IMPORTS] [-o OUTPUT] [-d DELIM] [-s STRINGS] basepath

Here's a breakdown of PE-Imports' acceptable arguments:

  • imports: The path to a newline-separated file of strings that represent imports to be flagged.
  • output: The path to a file where a complete log of all imports should be written.
  • delim: The path to a file whose contents are the delimiter for the file referenced by the strings argument.
  • strings: The path to a delim-separated file of bytes that should be flagged if located.
  • basepath: The path to a file or directory which should be recursively scanned.
  • extension: The extension (excluding leading dot) of files to be searched (default: 'sys').
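As an added example (not the project's own code; the function names, the rendering of ordinal-only imports and the exact flagging behaviour are assumptions), here is how those arguments map onto a scan built on pefile: walk basepath for files with the given extension, enumerate each file's import table, print the same dll!function/ordinal @ address lines as the output below, flag entries that appear in the imports list, and search the raw bytes for the strings entries.

```python
"""Enumerate a PE file's imports and flag the interesting ones.

Added example, not the PE-Imports project's own code. It walks basepath for
files with the given extension, parses each with pefile, emits one
``dll!function/ordinal @ address`` line per import (the page's output
format), flags lines whose function is in the key-imports list and searches
the raw bytes for the -s strings. Names and the ordinal-only rendering are
assumptions.
"""
import os
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

ImportRecord = Tuple[str, Optional[str], Optional[int], int]


def format_import(dll: str, name: Optional[str], ordinal: Optional[int], address: int) -> str:
    """Imports by name carry no ordinal, which the tool prints as 'null';
    ordinal-only imports are rendered as '#<ordinal>' here (assumed)."""
    func = name if name is not None else f"#{ordinal}"
    ord_field = "null" if ordinal is None else str(ordinal)
    return f"{dll}!{func}/{ord_field} @ 0x{address:08X}"


def enumerate_imports(path: str) -> Iterator[ImportRecord]:
    """Yield (dll, name, ordinal, address) for every import-table entry."""
    import pefile  # third-party; imported here so the pure helpers run without it

    pe = pefile.PE(path, fast_load=True)
    try:
        pe.parse_data_directories(
            directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
        for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
            dll = entry.dll.decode("latin-1")
            for imp in entry.imports:
                name = imp.name.decode("latin-1") if imp.name else None
                yield dll, name, imp.ordinal, imp.address
    finally:
        pe.close()


def flag_imports(lines: Iterable[str], key_imports: Iterable[str]) -> List[str]:
    """Formatted lines whose function name is in key_imports (blank keys ignored)."""
    keys = {k.strip() for k in key_imports if k.strip()}
    # 'dll!func/ord @ addr' -> 'func'
    return [ln for ln in lines if ln.split("!", 1)[1].split("/", 1)[0] in keys]


def find_strings(data: bytes, needles: Iterable[bytes]) -> Dict[bytes, List[int]]:
    """Offsets of every occurrence of each needle in data."""
    found: Dict[bytes, List[int]] = {}
    for needle in needles:
        pos = data.find(needle) if needle else -1
        while pos != -1:
            found.setdefault(needle, []).append(pos)
            pos = data.find(needle, pos + 1)
    return found


def candidate_files(basepath: str, extension: str = "sys") -> List[str]:
    """A single file, or every *.<extension> file below a directory."""
    if os.path.isfile(basepath):
        return [basepath]
    suffix = "." + extension.lower()
    return sorted(os.path.join(root, f) for root, _, files in os.walk(basepath)
                  for f in files if f.lower().endswith(suffix))


def scan(basepath: str, key_imports: Iterable[str], needles: Iterable[bytes] = (),
         extension: str = "sys", output: Optional[str] = None) -> Dict[str, List[str]]:
    """Print flagged imports/strings per file; return every import for -o logging."""
    keys, needles, results = list(key_imports), list(needles), {}
    for path in candidate_files(basepath, extension):
        try:
            lines = [format_import(*rec) for rec in enumerate_imports(path)]
        except Exception as exc:  # not a PE, truncated, unreadable, ...
            print(f"{path}: skipped ({exc})")
            continue
        results[path] = lines
        with open(path, "rb") as fh:
            strings = find_strings(fh.read(), needles)
        hits = flag_imports(lines, keys)
        if hits or strings:
            print(path)
            for h in hits:
                print("\t" + h)
            for s, offs in strings.items():
                print(f"\tstring {s!r} @ {', '.join(hex(o) for o in offs)}")
    if output:  # same layout as the example output: path, then indented imports
        with open(output, "w") as log:
            for path, lines in results.items():
                log.write(path + "\n" + "".join(f"\t{ln}\n" for ln in lines))
    return results


if __name__ == "__main__":
    import sys
    scan(sys.argv[1], key_imports=sys.argv[2:], output="imports.log")
```

The pefile import sits inside enumerate_imports so that the formatting, flagging and byte-search helpers can be reused (and unit-tested) without the library; the scan itself needs pefile installed, exactly as the README states. Parsing only the import directory with fast_load keeps a whole-drive scan cheap.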

Example Output

	ntoskrnl.exe!RtlInitUnicodeString/null @ 0x00402000
	ntoskrnl.exe!ProbeForRead/null @ 0x00402004
	ntoskrnl.exe!MmProbeAndLockPages/null @ 0x00402008
	ntoskrnl.exe!MmUnlockPages/null @ 0x0040200C
	ntoskrnl.exe!MmMapLockedPagesSpecifyCache/null @ 0x00402010
	ntoskrnl.exe!IoAllocateMdl/null @ 0x00402014
	ntoskrnl.exe!IofCompleteRequest/null @ 0x00402018
	ntoskrnl.exe!IoCreateDevice/null @ 0x0040201C
	ntoskrnl.exe!IoCreateSymbolicLink/null @ 0x00402020
	ntoskrnl.exe!IoDeleteDevice/null @ 0x00402024
	ntoskrnl.exe!IoDeleteSymbolicLink/null @ 0x00402028
	ntoskrnl.exe!IoFreeMdl/null @ 0x0040202C
	ntoskrnl.exe!memcpy/null @ 0x00402030
	ntoskrnl.exe!RtlUnwind/null @ 0x00402034
	ntoskrnl.exe!ExRegisterCallback/null @ 0x0005E000
	ntoskrnl.exe!ObfDereferenceObject/null @ 0x0005E008
	ntoskrnl.exe!ExCreateCallback/null @ 0x0005E010
	ntoskrnl.exe!RtlStringFromGUID/null @ 0x0005E018
	ntoskrnl.exe!ZwQueryValueKey/null @ 0x0005E020
	ntoskrnl.exe!ZwClose/null @ 0x0005E028
	ntoskrnl.exe!ZwOpenKey/null @ 0x0005E030
	ntoskrnl.exe!MmUnmapLockedPages/null @ 0x0005E038
	ntoskrnl.exe!MmAllocatePagesForMdlEx/null @ 0x0005E040
	... *snip* ...
	msrpc.sys!NdrMesTypeDecode3/null @ 0x0005E608
	msrpc.sys!MesHandleFree/null @ 0x0005E610
	msrpc.sys!MesDecodeBufferHandleCreate/null @ 0x0005E618
	msrpc.sys!RpcExceptionFilter/null @ 0x0005E620
	ntoskrnl.exe!KeInitializeDpc/null @ 0x1C000B018
	ntoskrnl.exe!ZwDeviceIoControlFile/null @ 0x1C000B020
	ntoskrnl.exe!ZwCreateFile/null @ 0x1C000B028
	ntoskrnl.exe!IoGetRelatedDeviceObject/null @ 0x1C000B030
	ntoskrnl.exe!ObfDereferenceObject/null @ 0x1C000B038
	ntoskrnl.exe!RtlFreeUnicodeString/null @ 0x1C000B040
	ntoskrnl.exe!RtlInitUnicodeString/null @ 0x1C000B048
	ntoskrnl.exe!ExQueueWorkItem/null @ 0x1C000B050
	ntoskrnl.exe!ExWaitForRundownProtectionRelease/null @ 0x1C000B058

Feel free to use this CyberChef query to list drivers which import IoCreateDevice, IoCreateSymbolicLink, ZwMapViewOfSection, and IofCompleteRequest via post-processing of an output (-o) file.

Additionally, ^[\/\w][^\n]+\n(\s+[^\n]+\n){0,5}(?=[^\s]) may be used as a regular expression to identify drivers with fewer than five imports, a common signal of obfuscation/packing.
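Both of those post-processing queries can also be run without CyberChef. The following is an added example, not part of the project and not the linked CyberChef recipe; it assumes the log layout the regular expression above implies (one unindented path line per scanned file, followed by indented import lines) and uses a constructed sample log with made-up driver names. It runs the page's regex unchanged next to a structured parser, which exposes one edge of the regex: its trailing lookahead needs a following non-whitespace character, so the last file in a log is never matched.

```python
"""Query a PE-Imports output (-o) log for import patterns.

Added example, not part of the PE-Imports project and not the CyberChef
recipe the page links to. It assumes the log layout the page's regular
expression implies: one unindented line per scanned file (its path),
followed by indented ``dll!function/ordinal @ address`` lines for that
file's imports. SAMPLE_LOG is constructed; the driver names are made up.
"""
import re
from typing import Dict, List, Set

SAMPLE_LOG = """\
/mnt/c/Windows/System32/drivers/example_a.sys
\tntoskrnl.exe!RtlInitUnicodeString/null @ 0x00402000
\tntoskrnl.exe!IoCreateDevice/null @ 0x0040201C
\tntoskrnl.exe!IoCreateSymbolicLink/null @ 0x00402020
\tntoskrnl.exe!ZwMapViewOfSection/null @ 0x00402024
\tntoskrnl.exe!IofCompleteRequest/null @ 0x00402018
\tntoskrnl.exe!memcpy/null @ 0x00402030
/mnt/c/Windows/System32/drivers/example_b.sys
\tntoskrnl.exe!IoCreateDevice/null @ 0x00402000
\tntoskrnl.exe!IofCompleteRequest/null @ 0x00402004
/mnt/c/Windows/System32/drivers/example_c.sys
\tntoskrnl.exe!ExAllocatePool/null @ 0x00402000
\tntoskrnl.exe!memcpy/null @ 0x00402004
\tmsrpc.sys!MesHandleFree/null @ 0x00402008
\tmsrpc.sys!RpcExceptionFilter/null @ 0x0040200C
\tntoskrnl.exe!ZwClose/null @ 0x00402010
\tntoskrnl.exe!ZwOpenKey/null @ 0x00402014
/mnt/c/Windows/System32/drivers/example_d.sys
\tntoskrnl.exe!ZwClose/null @ 0x00402000
\tntoskrnl.exe!ZwOpenKey/null @ 0x00402004
\tntoskrnl.exe!memcpy/null @ 0x00402008
"""

# One indented import line: dll!function/ordinal @ address
IMPORT_LINE = re.compile(
    r"^\s+(?P<dll>[^!]+)!(?P<func>[^/]+)/(?P<ord>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$"
)

# The page's own regular expression, unchanged (MULTILINE so ^ matches every line).
PAGE_REGEX = re.compile(r"^[\/\w][^\n]+\n(\s+[^\n]+\n){0,5}(?=[^\s])", re.MULTILINE)


def parse_log(text: str) -> Dict[str, List[dict]]:
    """Group import records under the unindented file path that precedes them."""
    files: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented: a new file path
            current = line.strip()
            files.setdefault(current, [])
            continue
        m = IMPORT_LINE.match(line)
        if m and current is not None:
            files[current].append(m.groupdict())
    return files


def importing(files: Dict[str, List[dict]], wanted: Set[str],
              require_all: bool = True) -> List[str]:
    """Files importing all of `wanted` (or any of them when require_all=False)."""
    out = []
    for path, imps in files.items():
        funcs = {i["func"] for i in imps}
        if (wanted <= funcs) if require_all else (wanted & funcs):
            out.append(path)
    return sorted(out)


def few_imports(files: Dict[str, List[dict]], threshold: int = 5) -> List[str]:
    """Files with fewer than `threshold` imports: the packing/obfuscation heuristic."""
    return sorted(p for p, imps in files.items() if len(imps) < threshold)


def few_imports_regex(text: str) -> List[str]:
    """Same heuristic via the page's regex. Its trailing lookahead requires a
    following non-whitespace character, so the final file in a log is never
    matched; parse_log + few_imports has no such blind spot."""
    return [m.group(0).split("\n", 1)[0] for m in PAGE_REGEX.finditer(text)]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    query = {"IoCreateDevice", "IoCreateSymbolicLink", "ZwMapViewOfSection", "IofCompleteRequest"}
    print("import all four:", importing(parsed, query))
    print("fewer than five imports:", few_imports(parsed))
    print("page regex:", few_imports_regex(SAMPLE_LOG))
```

On the sample log, example_a is the only driver importing all four functions; example_b and example_d have fewer than five imports, but the page's regex reports only example_b because example_d is the last entry in the file. Appending a trailing non-whitespace line to the log before running the regex, or using the parser, avoids the miss.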


  • Running this on Linux (or WSL) makes it much easier to scan a wider range of drivers, since the root /mnt/ path can be used to have the program enumerate imports from all drives (allowing for a more generic scanning process); the tool is nonetheless compatible with all operating systems that support pefile and Python 3.

  • Following on from the above point, a well-configured Qiling rootfs can be an adequate starting point for becoming accustomed to the tool.

  • The output argument/file stores every import that the tool comes across, so searching the same file again with a different 'Key imports' list/parameter doesn't require a full re-analysis: the user can simply look through the output file for the new criteria without spending time re-scanning entire files.