第二章基础静态分析进阶:x86反汇编
作者:互联网
第二章基础静态分析进阶:x86反汇编
《基于数据科学的恶意软件分析》
Malware Data Science Attack Detection and Attribution
Joshua Saxe Hillary Sanders著 何能强 严寒冰 译
代码清单2-2 反汇编ircbot.exe
#终端输入
pip install pefile
pip install capstone
#!/usr/bin/python3
#-*- coding:utf-8 -*-
import pefile
from capstone import *
# load the target PE file
#加载目标PE文件
pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch2/ircbot.exe")
# get the address of the program entry point from the program header
#从程序头中获取程序入口点的地址
entrypoint = pe.OPTIONAL_HEADER.AddressOfEntryPoint
# compute memory address where the entry code will be loaded into memory
#计算入口代码被加载到内存中的内存地址
entrypoint_address = entrypoint+pe.OPTIONAL_HEADER.ImageBase
# get the binary code from the PE file object
#从PE文件对象获取二进制代码
binary_code = pe.get_memory_mapped_image()[entrypoint:entrypoint+100]
# initialize disassembler to disassemble 32 bit x86 binary code
#初始化反汇编程序以反汇编32位x86二进制代码
disassembler = Cs(CS_ARCH_X86, CS_MODE_32)
# disassemble the code
#反汇编代码
for instruction in disassembler.disasm(binary_code, entrypoint_address):
print("%s\t%s"%(instruction.mnemonic, instruction.op_str))
result:
python SyntaxError: invalid character in identifier
#disassemble the code
#反汇编代码
for instruction in disassembler.disasm(binary_code, entrypoint_address):
print("%s\t%s"%(instruction.mnemonic, instruction.op_str))
#确保代码行内没有夹杂中文空格
#推荐学习:https://blog.csdn.net/justdoitjs/article/details/78988225
认真是一种态度更是一种责任
标签:code,x86,instruction,entrypoint,反汇编,PE,address,进阶 来源: https://blog.csdn.net/weixin_47038938/article/details/121542948