🚨 WARNING / DİKKAT
This tool is intended for educational malware analysis and defensive security research only. Use dynamic analysis only inside an isolated Windows virtual machine. Do not run suspicious files on your main system.
Bu araç eğitim, zararlı yazılım analizi ve savunma amaçlı güvenlik araştırmaları için geliştirilmiştir. Dinamik analiz modunu sadece izole edilmiş Windows sanal makinesinde kullanın. Şüpheli dosyaları ana sisteminizde çalıştırmayın.
MalwareAnalysisTool is a Windows-focused malware analysis project that combines a C++ PE analysis engine with a modern Tauri desktop GUI.
The project supports static PE analysis, experimental dynamic analysis, TXT/JSON report generation, risk scoring, SHA-256 hashing, suspicious API detection, suspicious DLL summaries, section entropy analysis, and a Matrix-themed desktop interface.
The main goal of this project is to provide a lightweight malware analysis workflow for learning, triage, and defensive research.
Static analysis inspects PE files without executing the target file.
It can extract and report:
- DOS header validation
- PE header validation
- Section information
- Section entropy values
- Section risk levels
- Imported DLLs
- Imported APIs
- Suspicious API usage
- Suspicious API categories
- Suspicious API severity levels
- Suspicious DLL summary
- Target file size
- SHA-256 hash
- Static risk score
- Static risk level
- TXT and JSON reports
Static mode is safer because it does not execute the analyzed file.
Dynamic analysis executes the target file using Windows debugging APIs.
It can capture runtime-related events such as:
- Process-related events
- File-related events
- Captured API activity
- Event timestamps
- Event IDs
- Analysis duration
- Timeout status
Dynamic analysis is experimental.
Use this mode only inside an isolated Windows virtual machine.
The project includes a modern Tauri-based desktop GUI.
The GUI provides:
- Static analysis mode
- Dynamic analysis mode
- Native file selection
- TR/EN language switching
- Matrix-themed interface
- Clean / suspicious / high-risk verdict display
- Risk score display
- Risk level display
- SHA-256 display
- File size display
- TXT/JSON report preview
- Dynamic mode timeout input
- Validation for dynamic analysis file type
The GUI uses the existing pe_analyzer.exe analysis engine in the background.
MalwareAnalysisTool/
├── include/
│ └── analyzer/
│ ├── pe_parser.hpp
│ └── dynamic_analyzer.hpp
├── src/
│ ├── main.cpp
│ ├── pe_parser.cpp
│ └── dynamic_analyzer.cpp
├── gui/
│ ├── src/
│ │ ├── main.ts
│ │ └── styles.css
│ └── src-tauri/
│ ├── src/
│ │ └── lib.rs
│ ├── capabilities/
│ └── tauri.conf.json
├── assets/
│ ├── 1.png
│ ├── 2.png
│ └── 3.png
├── CMakeLists.txt
├── README.md
└── LICENSE
- Windows
- CMake
- C++17 compatible compiler
- Visual Studio Build Tools or Visual Studio Community
- Node.js
- npm
- Rust
- Cargo
- Tauri dependencies for Windows
- WebView2 Runtime
From the project root:
cmake -B build
cmake --build build --config ReleaseThe CLI executable will be generated at:
build/Release/pe_analyzer.exe
.\build\Release\pe_analyzer.exe -helpYou can also use:
.\build\Release\pe_analyzer.exe --help
.\build\Release\pe_analyzer.exe -h.\build\Release\pe_analyzer.exe -static C:\Windows\System32\notepad.exeWith a custom output directory:
.\build\Release\pe_analyzer.exe -static C:\Windows\System32\notepad.exe -out reportsStatic analysis does not execute the target file.
.\build\Release\pe_analyzer.exe -dynamic C:\Windows\System32\notepad.exeWith timeout:
.\build\Release\pe_analyzer.exe -dynamic C:\Windows\System32\notepad.exe -timeout 30With timeout and custom output directory:
.\build\Release\pe_analyzer.exe -dynamic C:\Windows\System32\notepad.exe -timeout 30 -out reportsDynamic analysis executes the target file.
Use it only inside an isolated Windows VM.
From the project root:
cd gui
npm install
npm run tauri devTo build the GUI:
cd gui
npm run build
npm run tauri buildThe GUI uses the C++ CLI engine in the background.
Before running GUI analysis, make sure the CLI has been built:
cmake -B build
cmake --build build --config ReleaseStatic analysis generates:
static_analysis_report.txt
static_analysis_report.json
When using -out reports, the files are generated under:
reports/
├── static_analysis_report.txt
└── static_analysis_report.json
Example JSON metadata:
{
"targetFileSize": 360448,
"sha256": "ab15a95de88ab0624307ae0e28e333756a2a522f650a0be78749901f7dc32ecf"
}Example risk summary:
{
"summary": {
"risk": {
"score": 39,
"level": "Medium"
}
}
}Dynamic analysis generates:
dynamic_analysis_report.txt
dynamic_analysis_report.json
When using -out reports, the files are generated under:
reports/
├── dynamic_analysis_report.txt
└── dynamic_analysis_report.json
Dynamic reports can include captured runtime events such as:
- Event ID
- Timestamp
- API name
- Captured event count
- Timeout status
- Analysis duration
The static risk score is calculated using suspicious API severity and section risk indicators.
| Indicator | Score |
|---|---|
| High severity suspicious API | +5 |
| Medium severity suspicious API | +2 |
| Low severity suspicious API | +1 |
| High section risk | +3 |
| Medium section risk | +1 |
The score is capped at 100.
Risk levels:
| Score Range | Risk Level |
|---|---|
| 0-19 | Low |
| 20-49 | Medium |
| 50+ | High |
Example:
Overall Risk
Risk Score: 39
Risk Level: Medium
The static analyzer checks imported APIs and classifies suspicious functions by category and severity.
Example categories include:
- File activity
- Registry activity
- Process activity
- Memory activity
- Network activity
- Service activity
- Anti-analysis related activity
Example JSON output:
{
"api": "CreateFileW",
"dll": "api-ms-win-core-file-l1-1-0.dll",
"category": "File",
"severity": "Medium"
}The analyzer also summarizes suspicious DLL usage.
Example TXT output:
Suspicious DLL Summary
api-ms-win-core-file-l1-1-0.dll: 5
api-ms-win-core-registry-l1-1-0.dll: 3
api-ms-win-core-processthreads-l1-1-0.dll: 2
Example JSON output:
{
"suspiciousDlls": {
"api-ms-win-core-file-l1-1-0.dll": 5,
"api-ms-win-core-registry-l1-1-0.dll": 3,
"api-ms-win-core-processthreads-l1-1-0.dll": 2
}
}Static reports include file metadata for identification and comparison.
TXT reports include:
Target File Size: 360448 bytes
SHA-256: ab15a95de88ab0624307ae0e28e333756a2a522f650a0be78749901f7dc32ecf
JSON reports include:
{
"targetFileSize": 360448,
"sha256": "ab15a95de88ab0624307ae0e28e333756a2a522f650a0be78749901f7dc32ecf"
}This helps identify analyzed files even if the file name changes.
- Static analysis does not execute the target file.
- Dynamic analysis executes the target file.
- Dynamic mode should only be used inside an isolated Windows VM.
- Do not run unknown or suspicious files on your main system.
- This project is for educational and defensive research purposes.
- This is not a replacement for professional malware sandboxing solutions.
- Dynamic analysis is experimental.
- Dynamic mode is Windows-only.
- DLL files should be analyzed with static mode.
- Dynamic mode is intended for executable files.
- API capture coverage is limited to implemented hooks.
- The tool does not perform full behavioral sandboxing.
- The tool does not replace antivirus or EDR products.
Possible future improvements:
- Open TXT/JSON report buttons in GUI
- Export GUI results as PDF
- More suspicious API categories
- More detailed process behavior tracking
- Network behavior summary
- Registry behavior summary
- YARA rule support
- Hash database lookup
- Improved dynamic analysis stability
- Better report visualization in GUI
- Installer support for GUI builds
This project is released under the MIT License.
This project was developed with AI-assisted guidance for planning, code organization, documentation, debugging, UI iteration, and technical explanations.


