IATelligence
IATelligence is a Python script that will extract the IAT of a PE file and request GPT to get more information about the API and the ATT&CK matrix related
Install / Use
/learn @fr0gger/IATelligenceREADME
IATelligence
IATelligence is a Python script that extracts the Import Address Table (IAT) from a PE file and uses OpenAI's GPT-3 model to provide details about each Windows API imported by the file. The script also searches for related MITRE ATT&CK techniques and explains how the API could potentially be used by attackers.
It also displays the hashes of the file and estimates the cost of the GPT-3 requests. IATelligence is a proof of concept for using GPT-3 for malware analysis and quickly assessing the behavior of a malware based on its IAT.
Below is a quick example of the result you'll get. Notice that the request can take longer depending of the size of the IAT.
Getting Started
Prerequisites
To run this tool you will need an access to the OpenAi API, you will then need to modify the script to add your own API.
# Authenticate with the OpenAI API
openai.api_key = ""
You will also need to install the requirements.
pip install -r requirements.txt
Usage
To run the tool just simply specify a PE file as argument to the script.
python iatelligence.py sample.exe
The script will also calculate the hashes as well as the estimated cost of the request.
[+] IAT Request from the file: .\sample.exe
[+] 33 functions will be requested to GPT!
[+] MD5: 2f82623f9523c0d167862cad0eff6806
[+] SHA1: 5d77804b87735e66d7d1e263c31c4ef010f16153
[+] SHA256: 9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb
[+] Imphash: 8eeaa9499666119d13b3f44ecd77a729
[!] Estimated cost of requests: $0.0693
The result can be visualize in a table. Below is a truncated extract.
+------------------------------------------+-----------------------------+------------------------------------------+
| Libraries | API | GPT Verdict |
+------------------------------------------+-----------------------------+------------------------------------------+
| SHELL32.dll | ShellExecuteW | The purpose of this API, ShellExecuteW, |
| | | is to launch an application or open a |
| | | file in the Windows operating system. It |
| | | is associated with MITRE ATT&CK |
| | | technique T1218 - Execution Through |
| | | Module Load. This technique involves |
| | | using shell32.dll to execute malicious |
| | | code without directly invoking the |
| | | executable file itself, which can help |
| | | attackers evade detection and gain |
| | | access to systems. |
| | | |
| KERNEL32.dll | GetCurrentThreadId | The purpose of this API is to retrieve |
| | | the identifier of the calling thread. It |
| | | is associated with MITRE ATT&CK |
| | | technique T1155 - Thread Execution, |
| | | which involves creating and running |
| | | threads within a process or code |
| | | injection into an existing thread. The |
| | | GetCurrentThreadId() function allows |
| | | attackers to identify and target |
| | | specific threads for malicious |
| | | activities. |
| | | |
| KERNEL32.dll | GetSystemTimeAsFileTime | The purpose of this API is to retrieve |
| | | the current system time as a file time |
| | | format. It is associated with the MITRE |
| | | ATT&CK technique T1124 - System Time |
| | | Discovery, which is used by adversaries |
| | | to gain insight into when certain |
| | | activities occurred or are scheduled to |
| | | occur. This allows them to perform |
| | | timing-based attacks and evade |
| | | detection. |
| | | |
| KERNEL32.dll | GetTickCount | The purpose of this API is to retrieve |
| | | the number of milliseconds since Windows |
| | | was started. It is associated with MITRE |
| | | ATT&CK technique T1082 - System Time |
| | | Discovery, which involves an adversary |
| | | querying system information to gain |
| | | insight into file and system times or to |
| | | determine valid accounts. This can be |
| | | used for various malicious activities |
| | | such as enumeration, credential dumping, |
| | | and lateral movement. |
| | | |
| KERNEL32.dll | RtlCaptureContext | The purpose of this API is to capture |
| | | the Context Record of a thread in order |
| | | to provide information about its state. |
| | | This can be used for debugging, logging |
| | | or other purposes. The associated MITRE |
| | | ATT&CK technique is T1113 - Process |
| | | Injection, as this API can be used to |
| | | inject code into a running process. |
| | | |
| KERNEL32.dll | GetCurrentProcessId | The purpose of this API is to retrieve |
| | | the current process identifier (PID) for |
| | | a process running on Windows. This can |
| | | be used to identify which processes are |
| | | currently active and running on a |
| | | system. It is associated with MITRE |
| | | ATT&CK technique T1057 - Process |
| | | Discovery, as it allows an adversary to |
| | | gain knowledge about the processes that |
| | | are running on a system. |
|
Related Skills
node-connect
349.2kDiagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps
claude-opus-4-5-migration
109.5kMigrate prompts and code from Claude Sonnet 4.0, Sonnet 4.5, or Opus 4.1 to Opus 4.5
frontend-design
109.5kCreate distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
model-usage
349.2kUse CodexBar CLI local cost usage to summarize per-model usage for Codex or Claude, including the current (most recent) model or a full model breakdown. Trigger when asked for model-level usage/cost data from codexbar, or when you need a scriptable per-model summary from codexbar cost JSON.
