Here is the JSON:
"behavior": { "processes": [ { "parent_id": 1396, "process_name": "virussign.com_0fb139b14aff7c13c22a609c14926740.vir", "process_id": 1540, "first_seen": "2014-05-15 17:12:41,749", "calls": [ { "category": "system", "status": true, "return": "0x00000000", "timestamp": "2014-05-15 17:12:41,849", "thread_id": "1544", "repeated": 0, "api": "LdrGetProcedureAddress", "arguments": [ { "name": "Ordinal", "value": "0" }, { "name": "FunctionName", "value": "LoadLibraryA" }, { "name": "FunctionAddress", "value": "0x7c801d7b" }, { "name": "ModuleHandle", "value": "0x7c800000" } ] }, { "category": "system", "status": true, "return": "0x00000000", "timestamp": "2014-05-15 17:12:41,849", "thread_id": "1544", "repeated": 0, "api": "LdrGetProcedureAddress", "arguments": [ { "name": "Ordinal", "value": "0" }, { "name": "FunctionName", "value": "CreateMutexA" }, { "name": "FunctionAddress", "value": "0x7c80e9cf" }, { "name": "ModuleHandle", "value": "0x7c800000" } ] },
Hint:
Question: how do I get all of these APIs in this situation? Other approaches are very welcome.
Here is my code that prints a single entry:
step1 = parsed_input['behavior']['processes'][0]['calls'][0]['api']
print(step1)
The result is LdrGetProcedureAddress
Answer 0 (score: 0)
There are lists inside lists, so you use nested loops:
for proc in parsed_input['behavior']['processes']:
    for call in proc['calls']:
        print(call['api'])
You can collect all of these in a list comprehension:
apis = [call['api']
        for proc in parsed_input['behavior']['processes']
        for call in proc['calls']]
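The following is an added example, not code from the question or the answer above. It shows the nested walk of `behavior.processes[].calls[]` as a reusable generator and goes beyond the answer in three ways a sandbox analyst usually needs: it tolerates a process record with no `calls` key (the JSON in the question is truncated, so assume some records are incomplete), it pulls the `FunctionName` argument out of `LdrGetProcedureAddress` calls (the API name alone only says "an import was resolved"; the argument says which one), and it counts calls per process while honouring the `repeated` field, which is assumed here to mean additional consecutive identical calls collapsed into one record. The report embedded in the block is constructed to match the shape quoted in the question; `SAMPLE_REPORT`, `iter_calls`, `argument`, `resolved_imports` and `api_counts` are names chosen for this example.

```python
import json
from collections import Counter

# Constructed sample in the shape of the report quoted in the question:
# one process with three calls and a second process whose "calls" key is
# missing, as a truncated report might have. Illustration data only.
SAMPLE_REPORT = json.loads("""
{
  "behavior": {
    "processes": [
      {
        "parent_id": 1396, "process_name": "sample.exe", "process_id": 1540,
        "calls": [
          {"category": "system", "api": "LdrGetProcedureAddress", "repeated": 0,
           "arguments": [{"name": "Ordinal", "value": "0"},
                         {"name": "FunctionName", "value": "LoadLibraryA"},
                         {"name": "ModuleHandle", "value": "0x7c800000"}]},
          {"category": "system", "api": "LdrGetProcedureAddress", "repeated": 0,
           "arguments": [{"name": "Ordinal", "value": "0"},
                         {"name": "FunctionName", "value": "CreateMutexA"},
                         {"name": "ModuleHandle", "value": "0x7c800000"}]},
          {"category": "synchronization", "api": "NtCreateMutant", "repeated": 2,
           "arguments": [{"name": "MutexName", "value": "Global_example_mutex"}]}
        ]
      },
      {"parent_id": 1540, "process_name": "child.exe", "process_id": 1600}
    ]
  }
}
""")


def iter_calls(report):
    """Yield (process, call) for every call of every process.

    .get() with defaults means a report without "behavior", a behavior
    without "processes", or a process without "calls" yields nothing
    instead of raising KeyError.
    """
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            yield proc, call


def api_names(report):
    """The flat list of API names the answer builds with its comprehension."""
    return [call["api"] for _, call in iter_calls(report)]


def argument(call, name):
    """Value of the named argument of one call record, or None if absent."""
    for arg in call.get("arguments", []):
        if arg.get("name") == name:
            return arg.get("value")
    return None


def resolved_imports(report):
    """Exports resolved at run time via LdrGetProcedureAddress.

    The API name is the same for every such call; the FunctionName
    argument is what tells you which import the sample looked up.
    """
    return [argument(call, "FunctionName")
            for _, call in iter_calls(report)
            if call.get("api") == "LdrGetProcedureAddress"]


def api_counts(report):
    """Number of calls per (process_id, api).

    Each record counts once plus its "repeated" value (assumed here to be
    the number of identical consecutive calls folded into the record).
    """
    counts = Counter()
    for proc, call in iter_calls(report):
        key = (proc.get("process_id"), call.get("api"))
        counts[key] += 1 + int(call.get("repeated", 0))
    return counts


if __name__ == "__main__":
    print(api_names(SAMPLE_REPORT))
    print(resolved_imports(SAMPLE_REPORT))
    for (pid, api), n in sorted(api_counts(SAMPLE_REPORT).items()):
        print(pid, api, n)
```

Run it on a real report with `api_names(json.load(open("report.json")))`; the `.get()` defaults are what keep the walk from dying halfway through a large report because one process record lacks a field.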