本文整理汇总了Python中vstruct.getStructure函数的典型用法代码示例。如果您正苦于以下问题:Python getStructure函数的具体用法?Python getStructure怎么用?Python getStructure使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了getStructure函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: parseSections
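def parseSections(self):
    """
    Populate self.sections with one parsed pe.IMAGE_SECTION_HEADER per
    section, read from the bytes that immediately follow the NT headers.

    Only complete section headers are parsed: when the file ends inside the
    section table (NumberOfSections claims more headers than the file
    actually holds), the trailing partial header is dropped instead of being
    handed to vsParse with too few bytes.
    """
    self.sections = []
    # The section table starts right after the (32- or 64-bit) NT headers.
    off = self.IMAGE_DOS_HEADER.e_lfanew + len(self.IMAGE_NT_HEADERS)
    secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))
    # NumberOfSections is taken from the file as-is; it only determines how
    # many bytes are requested, and a short read is handled below.
    nsecs = self.IMAGE_NT_HEADERS.FileHeader.NumberOfSections
    sbytes = self.readAtOffset(off, secsize * nsecs)
    if not sbytes:
        return
    # Step through the buffer one full header at a time; the range stops
    # before any leftover chunk shorter than secsize.
    for start in range(0, len(sbytes) - secsize + 1, secsize):
        s = vstruct.getStructure("pe.IMAGE_SECTION_HEADER")
        s.vsParse(sbytes[start:start + secsize])
        self.sections.append(s)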
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:12,代码来源:__init__.py
示例2: __init__
def __init__(self, fd, inmem=False):
    """
    Build a PE parser over the file-like object fd.

    The DOS header is read first; its e_lfanew field locates the NT headers,
    which are parsed with the 32-bit layout and re-parsed as
    pe.IMAGE_NT_HEADERS64 when the machine type is AMD64 or IA64. The
    pointer size and the ordinal high-bit mask follow that choice.
    """
    object.__init__(self)
    self.inmem = inmem
    fd.seek(0)
    self.fd = fd
    # Defaults describe a 32-bit image until the NT headers say otherwise.
    self.pe32p = False
    self.psize = 4
    self.high_bit_mask = 0x80000000
    dos = vstruct.getStructure("pe.IMAGE_DOS_HEADER")
    self.IMAGE_DOS_HEADER = dos
    dos.vsParse(self.readAtOffset(0, len(dos)))
    ntoff = dos.e_lfanew
    nt = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS")
    machine = nt.FileHeader.Machine
    is64 = machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_IA64)
    if is64:
        # Re-read with the PE32+ layout (wider OptionalHeader fields).
        nt = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS64")
        self.pe32p = True
        self.psize = 8
        self.high_bit_mask = 0x8000000000000000
    self.IMAGE_NT_HEADERS = nt
开发者ID:Fitblip,项目名称:vdb-fork,代码行数:27,代码来源:__init__.py
示例3: getStruct
def getStruct(self, sname, va=None):
    """
    Retrieve a vstruct structure by name, optionally populated with the
    memory at va. Returns a standard vstruct object, or None when no
    structure of that name can be built.
    """
    # The "lib" part of "lib.Struct" may need its symbols loaded before the
    # builder knows about the namespace.
    libbase = sname.split('.')[0]
    self._loadBinaryNorm(libbase)
    if not self.vsbuilder.hasVStructNamespace(libbase):
        # FIXME this is deprecated and should die... (legacy module-level
        # structure registry kept as a fallback).
        vs = vstruct.getStructure(sname)
    else:
        vs = self.vsbuilder.buildVStruct(sname)
    # Nothing to fill in: either no structure, or no address requested.
    if vs is None or va is None:
        return vs
    vs.vsParse(self.readMemory(va, len(vs)))
    return vs
开发者ID:Fitblip,项目名称:SocketSniff,代码行数:25,代码来源:__init__.py
示例4: __init__
def __init__(self, fd, inmem=False):
    """
    Construct a PE object over the file-like fd. Pass inmem=True when fd
    wraps a MemObjFile or another "memory like" image.

    The DOS header is read straight from fd, the NT headers through
    readStructAtOffset; an AMD64 machine type switches to the PE32+ header
    layout and an 8-byte pointer size.
    """
    object.__init__(self)
    self.inmem = inmem
    self.fd = fd
    self.fd.seek(0)
    # Defaults describe a 32-bit image.
    self.pe32p = False
    self.psize = 4
    dos = vstruct.getStructure("pe.IMAGE_DOS_HEADER")
    self.IMAGE_DOS_HEADER = dos
    dos.vsParse(fd.read(len(dos)))
    ntoff = dos.e_lfanew
    nt = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS")
    if nt.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64:
        # Re-read with the 64-bit layout.
        nt = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS64")
        self.pe32p = True
        self.psize = 8
    self.IMAGE_NT_HEADERS = nt
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:25,代码来源:__init__.py
示例5: readStructAtRva
def readStructAtRva(self, rva, structname, check=False):
    """
    Build the named vstruct and fill it from the bytes at rva.

    With check=True the rva/size pair is validated with checkRva first and
    None is returned when that fails; otherwise the read is attempted as-is
    and whatever readAtRva returns is handed to vsParse.
    """
    vs = vstruct.getStructure(structname)
    size = len(vs)
    if check:
        if not self.checkRva(rva, size=size):
            return None
    raw = self.readAtRva(rva, size)
    vs.vsParse(raw)
    return vs
开发者ID:Fitblip,项目名称:vdb-fork,代码行数:8,代码来源:__init__.py
示例6: readStructAtOffset
def readStructAtOffset(self, offset, structname):
    """
    Build the named vstruct and fill it from the file bytes at offset.

    Returns None when readAtOffset yields nothing, otherwise the parsed
    structure.
    """
    vs = vstruct.getStructure(structname)
    raw = self.readAtOffset(offset, len(vs))
    if raw:
        vs.vsParse(raw)
        return vs
    return None
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:8,代码来源:__init__.py
示例7: getStruct
def getStruct(self, sname, address):
    """
    Build the vstruct named sname and fill it from the memory at address.
    Returns the populated vstruct object.
    """
    vs = vstruct.getStructure(sname)
    raw = self.readMemory(address, len(vs))
    vs.vsParse(raw)
    return vs
开发者ID:mwollenweber,项目名称:rebridge,代码行数:9,代码来源:__init__.py
示例8: parseImports
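def parseImports(self):
    """
    Populate self.imports with (iat_rva, libname, funcname) tuples, one per
    imported function, by walking the import directory table up to its
    zero-Name terminator entry.

    Ordinal imports are detected with the ordinal flag for the image's
    pointer size (bit 31 for PE32, bit 63 for PE32+); the original test
    against 0x80000000 only worked for 32-bit images, so 64-bit ordinal
    thunks were misread as name RVAs.
    """
    self.imports = []
    idir = self.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
    poff = self.rvaToOffset(idir.VirtualAddress)
    if poff == 0:
        return
    # Ordinal thunks have the top bit of a pointer-sized value set.
    ordflag = 1 << (self.psize * 8 - 1)
    x = vstruct.getStructure("pe.IMAGE_IMPORT_DIRECTORY")
    isize = len(x)
    x.vsParse(self.readAtOffset(poff, isize))
    while x.Name != 0:
        liboff = self.rvaToOffset(x.Name)
        libname = self.readAtOffset(liboff, 256).split("\x00")[0]
        # OriginalFirstThunk is the name/ordinal table, FirstThunk the IAT.
        noff = self.rvaToOffset(x.OriginalFirstThunk)
        aoff = self.rvaToOffset(x.FirstThunk)
        idx = 0
        while True:
            delta = self.psize * idx
            ava = self.readPointerAtOffset(aoff + delta)
            if ava == 0:
                break
            nva = self.readPointerAtOffset(noff + delta)
            if nva & ordflag:
                # Mask kept as in the original; the PE spec defines only the
                # low 16 bits as the ordinal number.
                name = ordlookup.ordLookup(libname, nva & 0x7FFFFFFF)
            else:
                # IMAGE_IMPORT_BY_NAME: a 2-byte hint, then the NUL-terminated name.
                nameoff = self.rvaToOffset(nva) + 2
                name = self.readAtOffset(nameoff, 256).split("\x00")[0]
            self.imports.append((x.FirstThunk + delta, libname, name))
            idx += 1
        poff += isize
        x.vsParse(self.readAtOffset(poff, isize))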
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:40,代码来源:__init__.py
示例9: getSignature
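def getSignature(self):
    '''
    Return the pe.SignatureEntry vstruct for the embedded certificate, or
    None when there is nothing usable to parse: the security directory
    entry has a Size of zero (or less), its bytes cannot be read, or the
    parsed entry's magic is not "\x00\x02\x02\x00".

    (The original docstring described the None case as "magic NOT set AND
    size less than 0"; any one of the three conditions above is enough.)
    '''
    ds = self.getDataDirectory(IMAGE_DIRECTORY_ENTRY_SECURITY)
    # For the security directory this field is read as a file offset
    # (readAtOffset), not translated as an RVA.
    off = ds.VirtualAddress
    size = ds.Size
    if size <= 0:
        return None
    bytez = self.readAtOffset(off, size)
    if not bytez:
        return None
    se = vstruct.getStructure('pe.SignatureEntry')
    se.vsParse(bytez)
    if se.magic != "\x00\x02\x02\x00":
        return None
    return se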
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:24,代码来源:__init__.py
示例10: __init__
def __init__(self, fd, inmem=False):
    """
    Construct a PE object over the file-like fd. Pass inmem=True when fd
    wraps a MemObjFile or another "memory like" image.

    For on-disk files the total size is measured with a seek to the end and
    kept in self.filesize (None for in-memory images). The DOS header is
    read first; its e_lfanew locates the NT headers, which are re-parsed
    with the PE32+ layout when the machine type is AMD64 or IA64.
    """
    object.__init__(self)
    self.inmem = inmem
    self.filesize = None
    if not inmem:
        # Measure the file; the descriptor is rewound right after.
        fd.seek(0, os.SEEK_END)
        self.filesize = fd.tell()
    fd.seek(0)
    self.fd = fd
    # Defaults describe a 32-bit image until the NT headers say otherwise.
    self.pe32p = False
    self.psize = 4
    self.high_bit_mask = 0x80000000
    dos = vstruct.getStructure("pe.IMAGE_DOS_HEADER")
    self.IMAGE_DOS_HEADER = dos
    dos.vsParse(self.readAtOffset(0, len(dos)))
    ntoff = dos.e_lfanew
    nt = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS")
    machine = nt.FileHeader.Machine
    is64 = machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_IA64)
    if is64:
        # Re-read with the 64-bit layout and widen the pointer size/mask.
        nt = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS64")
        self.pe32p = True
        self.psize = 8
        self.high_bit_mask = 0x8000000000000000
    self.IMAGE_NT_HEADERS = nt
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:36,代码来源:__init__.py
示例11: len
vsver = vs.getVersionValue('FileVersion')
if vsver != None and len(vsver):
# add check to split seeing samples with spaces and nothing else..
parts = vsver.split()
if len(parts):
vsver = vsver.split()[0]
vw.setFileMeta(fname, 'Version', vsver)
# Setup some va sets used by windows analysis modules
vw.addVaSet("Library Loads", (("Address", VASET_ADDRESS),("Library", VASET_STRING)))
vw.addVaSet('pe:ordinals', (('Address', VASET_ADDRESS),('Ordinal',VASET_INTEGER)))
# SizeOfHeaders spoofable...
curr_offset = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS)
secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))
sec_offset = pe.IMAGE_DOS_HEADER.e_lfanew + 4 + len(pe.IMAGE_NT_HEADERS.FileHeader) + pe.IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
if sec_offset != curr_offset:
header_size = sec_offset + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
else:
header_size = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS) + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
# Add the first page mapped in from the PE header.
header = pe.readAtOffset(0, header_size)
secalign = pe.IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment
subsys_majver = pe.IMAGE_NT_HEADERS.OptionalHeader.MajorSubsystemVersion
开发者ID:atlas0fd00m,项目名称:vivisect,代码行数:31,代码来源:pe.py
示例12: loadPeIntoWorkspace
def loadPeIntoWorkspace(vw, pe, filename=None):
mach = pe.IMAGE_NT_HEADERS.FileHeader.Machine
arch = arch_names.get(mach)
if arch is None:
raise Exception("Machine %.4x is not supported for PE!" % mach)
vw.setMeta('Architecture', arch)
vw.setMeta('Format', 'pe')
platform = 'windows'
# Drivers are platform "winkern" so impapi etc works
subsys = pe.IMAGE_NT_HEADERS.OptionalHeader.Subsystem
if subsys == PE.IMAGE_SUBSYSTEM_NATIVE:
platform = 'winkern'
vw.setMeta('Platform', platform)
defcall = defcalls.get(arch)
if defcall:
vw.setMeta("DefaultCall", defcall)
# Set ourselvs up for extended windows binary analysis
baseaddr = pe.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
entry = pe.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint + baseaddr
entryrva = entry - baseaddr
codebase = pe.IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode
codesize = pe.IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode
codervamax = codebase + codesize
fvivname = filename
# This will help linkers with files that are re-named
dllname = pe.getDllName()
if dllname != None:
fvivname = dllname
if fvivname == None:
fvivname = "pe_%.8x" % baseaddr
fhash = "unknown hash"
if os.path.exists(filename):
fhash = v_parsers.md5File(filename)
fname = vw.addFile(fvivname.lower(), baseaddr, fhash)
symhash = e_symcache.symCacheHashFromPe(pe)
vw.setFileMeta(fname, 'SymbolCacheHash', symhash)
# Add file version info if VS_VERSIONINFO has it
vs = pe.getVS_VERSIONINFO()
if vs != None:
vsver = vs.getVersionValue('FileVersion')
if vsver != None and len(vsver):
# add check to split seeing samples with spaces and nothing else..
parts = vsver.split()
if len(parts):
vsver = vsver.split()[0]
vw.setFileMeta(fname, 'Version', vsver)
# Setup some va sets used by windows analysis modules
vw.addVaSet("Library Loads", (("Address", VASET_ADDRESS), ("Library", VASET_STRING)))
vw.addVaSet('pe:ordinals', (('Address', VASET_ADDRESS), ('Ordinal', VASET_INTEGER)))
# SizeOfHeaders spoofable...
curr_offset = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS)
secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))
sec_offset = pe.IMAGE_DOS_HEADER.e_lfanew + 4 + len(
pe.IMAGE_NT_HEADERS.FileHeader) + pe.IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
if sec_offset != curr_offset:
header_size = sec_offset + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
else:
header_size = pe.IMAGE_DOS_HEADER.e_lfanew + len(
pe.IMAGE_NT_HEADERS) + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
# Add the first page mapped in from the PE header.
header = pe.readAtOffset(0, header_size)
secalign = pe.IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment
subsys_majver = pe.IMAGE_NT_HEADERS.OptionalHeader.MajorSubsystemVersion
subsys_minver = pe.IMAGE_NT_HEADERS.OptionalHeader.MinorSubsystemVersion
secrem = len(header) % secalign
if secrem != 0:
header += b"\x00" * (secalign - secrem)
vw.addMemoryMap(baseaddr, e_mem.MM_READ, fname, header)
vw.addSegment(baseaddr, len(header), "PE_Header", fname)
hstruct = vw.makeStructure(baseaddr, "pe.IMAGE_DOS_HEADER")
magicaddr = hstruct.e_lfanew
if vw.readMemory(baseaddr + magicaddr, 2) != b"PE":
raise Exception("We only support PE exe's")
#.........这里部分代码省略.........
开发者ID:bat-serjo,项目名称:vivisect,代码行数:101,代码来源:pe.py
示例13: readStructAtOffset
def readStructAtOffset(self, offset, structname):
    """
    Build the named vstruct and fill it from the file bytes at offset.

    Whatever readAtOffset returns is passed straight to vsParse; no length
    check is performed here.
    """
    vs = vstruct.getStructure(structname)
    raw = self.readAtOffset(offset, len(vs))
    vs.vsParse(raw)
    return vs
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:6,代码来源:__init__.py
示例14: writeBeingDebugged
def writeBeingDebugged(self, trace, val):
    """
    Write val into the BeingDebugged byte of the traced process's PEB.

    The PEB address comes from the trace's 'peb' expression and the field
    offset from the win32.PEB vstruct layout; the value is written as a
    single little-endian byte ('<B').
    """
    pebaddr = trace.parseExpression('peb')
    layout = vstruct.getStructure('win32.PEB')
    fieldoff = layout.vsGetOffset('BeingDebugged')
    trace.writeMemoryFormat(pebaddr + fieldoff, '<B', val)
开发者ID:Fitblip,项目名称:SocketSniff,代码行数:5,代码来源:win32stealth.py
示例15: parseImports
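def parseImports(self):
    """
    Populate self.imports with (iat_rva, libname, funcname) tuples by
    walking the import directory.

    Every RVA is validated with checkRva before it is read and name reads
    are bounded by the image size, so a malformed or truncated import table
    stops the walk instead of driving reads past the end of the file. If
    the thunk array runs past self.filesize the partial result is discarded
    and self.imports is left empty.
    """
    self.imports = []
    idir = self.getDataDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT)
    # RP BUG FIX - invalid IAT entry will point of range of file
    irva = idir.VirtualAddress
    x = self.readStructAtRva(irva, 'pe.IMAGE_IMPORT_DIRECTORY', check=True)
    if x is None:
        return
    isize = len(x)
    while self.checkRva(x.Name):
        # RP BUG FIX - we can't assume that we have 256 bytes to read
        libname = self.readStringAtRva(x.Name, maxsize=256)
        idx = 0
        # Prefer the name table (OriginalFirstThunk); when it is zero the
        # IAT (FirstThunk) is used to find the names instead.
        imp_by_name = x.OriginalFirstThunk
        if imp_by_name == 0:
            imp_by_name = x.FirstThunk
        if not self.checkRva(imp_by_name):
            break
        while True:
            arrayoff = self.psize * idx
            if self.filesize is not None and arrayoff > self.filesize:
                # Thunk array ran past the end of the file: the table is
                # untrustworthy, so drop everything gathered so far.
                self.imports = []  # we probably put garbage in here..
                return
            ibn_rva = self.readPointerAtRva(imp_by_name + arrayoff)
            if ibn_rva == 0:
                break
            if ibn_rva & self.high_bit_mask:
                funcname = ordlookup.ordLookup(libname, ibn_rva & 0x7fffffff)
            else:
                # RP BUG FIX - we can't use this API on this call because we can have binaries that put their import table
                # right at the end of the file, statically saying the imported function name is 128 will cause use to potentially
                # over run our read and traceback...
                diff = self.getMaxRva() - ibn_rva - 2
                ibn = vstruct.getStructure("pe.IMAGE_IMPORT_BY_NAME")
                ibn.vsGetField('Name').vsSetLength(min(diff, 128))
                raw = self.readAtRva(ibn_rva, len(ibn), shortok=True)
                if not raw:
                    break
                try:
                    ibn.vsParse(raw)
                except Exception:
                    # Unparseable name entry: skip this thunk and keep going.
                    # Narrowed from a bare except, which also swallowed
                    # KeyboardInterrupt/SystemExit.
                    idx += 1
                    continue
                funcname = ibn.Name
            self.imports.append((x.FirstThunk + arrayoff, libname, funcname))
            idx += 1
        irva += isize
        # RP BUG FIX - if the import table is at the end of the file we can't count on the ending to be null
        if not self.checkRva(irva, size=isize):
            break
        x.vsParse(self.readAtRva(irva, isize))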
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:70,代码来源:__init__.py
示例16: writeBeingDebugged
def writeBeingDebugged(trace, val):
    """
    Write val into the BeingDebugged byte of the traced process's PEB.

    The PEB address comes from the trace's "peb" expression and the field
    offset from the win32.PEB vstruct layout; the value is written as a
    single little-endian byte ("<B").
    """
    pebaddr = trace.parseExpression("peb")
    layout = vstruct.getStructure("win32.PEB")
    fieldoff = layout.vsGetOffset("BeingDebugged")
    trace.writeMemoryFormat(pebaddr + fieldoff, "<B", val)
开发者ID:IDA-RE-things,项目名称:toolbag,代码行数:5,代码来源:win32stealth.py
示例17: loadPeIntoWorkspace
def loadPeIntoWorkspace(vw, pe, filename=None):
mach = pe.IMAGE_NT_HEADERS.FileHeader.Machine
arch = arch_names.get(mach)
if arch == None:
raise Exception("Machine %.4x is not supported for PE!" % mach )
vw.setMeta('Architecture', arch)
vw.setMeta('Format', 'pe')
platform = 'windows'
# Drivers are platform "winkern" so impapi etc works
subsys = pe.IMAGE_NT_HEADERS.OptionalHeader.Subsystem
if subsys == PE.IMAGE_SUBSYSTEM_NATIVE:
platform = 'winkern'
vw.setMeta('Platform', platform)
defcall = defcalls.get(arch)
if defcall:
vw.setMeta("DefaultCall", defcall)
# Set ourselvs up for extended windows binary analysis
baseaddr = pe.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
entry = pe.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint + baseaddr
entryrva = entry - baseaddr
codebase = pe.IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode
codesize = pe.IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode
codervamax = codebase+codesize
fvivname = filename
# This will help linkers with files that are re-named
dllname = pe.getDllName()
if dllname != None:
fvivname = dllname
if fvivname == None:
fvivname = "pe_%.8x" % baseaddr
fhash = "unknown hash"
if os.path.exists(filename):
fhash = v_parsers.md5File(filename)
fname = vw.addFile(fvivname.lower(), baseaddr, fhash)
symhash = e_symcache.symCacheHashFromPe(pe)
vw.setFileMeta(fname, 'SymbolCacheHash', symhash)
# Add file version info if VS_VERSIONINFO has it
vs = pe.getVS_VERSIONINFO()
if vs != None:
vsver = vs.getVersionValue('FileVersion')
if vsver != None:
vsver = vsver.split()[0]
vw.setFileMeta(fname, 'Version', vsver)
# Setup some va sets used by windows analysis modules
vw.addVaSet("Library Loads", (("Address", VASET_ADDRESS),("Library", VASET_STRING)))
# Tell vivisect about ntdll functions that don't exit...
vw.addNoReturnApi("ntdll.RtlExitUserThread")
vw.addNoReturnApi("kernel32.ExitProcess")
vw.addNoReturnApi("kernel32.ExitThread")
vw.addNoReturnApi("kernel32.FatalExit")
vw.addNoReturnApi("msvcrt._CxxThrowException")
vw.addNoReturnApi("msvcrt.abort")
vw.addNoReturnApi("ntoskrnl.KeBugCheckEx")
# SizeOfHeaders spoofable...
curr_offset = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS)
secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))
sec_offset = pe.IMAGE_DOS_HEADER.e_lfanew + 4 + len(pe.IMAGE_NT_HEADERS.FileHeader) + pe.IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
if sec_offset != curr_offset:
header_size = sec_offset + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
else:
header_size = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS) + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
# Add the first page mapped in from the PE header.
header = pe.readAtOffset(0, header_size)
secalign = pe.IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment
subsys_majver = pe.IMAGE_NT_HEADERS.OptionalHeader.MajorSubsystemVersion
subsys_minver = pe.IMAGE_NT_HEADERS.OptionalHeader.MinorSubsystemVersion
secrem = len(header) % secalign
if secrem != 0:
header += "\x00" * (secalign - secrem)
vw.addMemoryMap(baseaddr, e_mem.MM_READ, fname, header)
#.........这里部分代码省略.........
开发者ID:Fitblip,项目名称:SocketSniff,代码行数:101,代码来源:pe.py
示例18: unpack
esp = tr.getRegisterByName('esp')
reta = unpack('I',tr.readMemory(esp,4))[0]
print '[*] OpenProcess called from ' + hex(reta)
for hit in tr.searchMemory("\x00\x00\x5b"):
if hit >= reta-0x10000 and hit<= reta+0x10000:
if tr.readMemory(hit+3,1) not in ['\x00','\x25']:
print self.decodecf(tr,hit+2)
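def decodecf(self, tr, addr):
    """
    Decode the XOR-obfuscated config blob at addr in the traced process.

    The 8 bytes starting 12 bytes before addr hold two native uint32s, the
    XOR key and the blob size; byte i of the blob is XORed with
    (key % (i + 1)). Prints where the blob was found and returns the
    decoded text as a str.

    Works on both Python 2 and 3: the original indexed the raw memory with
    ord(), which raises on Python 3 where bytes indexing already yields int.
    """
    key, size = unpack('II', tr.readMemory(addr - 12, 8))
    mem = tr.readMemory(addr, size)
    print('[+] Found Config[0..%d] @ 0x%x with key: %X' % (size, addr, key))
    # bytearray yields ints for each byte under both Python 2 and 3.
    return ''.join(chr(b ^ (key % (i + 1))) for i, b in enumerate(bytearray(mem)))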
# Analysis harness: run the sample given on the command line under vtrace,
# clear PEB.BeingDebugged so the target's own debugger checks do not see us,
# then break on kernel32.OpenProcess and hand events to the Notifier.
t = vtrace.getTrace()
t.execute(sys.argv[1])
peb = t.parseExpression('peb')
peb_layout = vstruct.getStructure('win32.PEB')
off = peb_layout.vsGetOffset('BeingDebugged')
t.writeMemory(peb + off, "\x00")
notif = Notifier()
t.registerNotifier(vtrace.NOTIFY_ALL, notif)
bp = WorkDbg(t.parseExpression('kernel32.OpenProcess'))
t.addBreakpoint(bp)
t.run()
开发者ID:mak,项目名称:random-stuff,代码行数:29,代码来源:alu_getCfg.py
示例19: readStructAtRva
def readStructAtRva(self, rva, structname):
    """
    Build the named vstruct and fill it from the bytes at rva.

    Whatever readAtRva returns is passed straight to vsParse; no bounds or
    length check is performed here.
    """
    vs = vstruct.getStructure(structname)
    raw = self.readAtRva(rva, len(vs))
    vs.vsParse(raw)
    return vs
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:6,代码来源:__init__.py
示例20: loadPeIntoWorkspace
def loadPeIntoWorkspace(vw, pe, filename=None):
mach = pe.IMAGE_NT_HEADERS.FileHeader.Machine
arch = arch_names.get(mach)
if arch == None:
raise Exception("Machine %.4x is not supported for PE!" % mach )
vw.setMeta('Architecture', arch)
vw.setMeta('Format', 'pe')
platform = 'windows'
# Drivers are platform "winkern" so impapi etc works
subsys = pe.IMAGE_NT_HEADERS.OptionalHeader.Subsystem
if subsys == PE.IMAGE_SUBSYSTEM_NATIVE:
platform = 'winkern'
vw.setMeta('Platform', platform)
defcall = defcalls.get(arch)
if defcall:
vw.setMeta("DefaultCall", defcall)
# Set ourselvs up for extended windows binary analysis
baseaddr = pe.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
entry = pe.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint + baseaddr
entryrva = entry - baseaddr
codebase = pe.IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode
codesize = pe.IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode
codervamax = codebase+codesize
fvivname = filename
# This will help linkers with files that are re-named
dllname = pe.getDllName()
if dllname != None:
fvivname = dllname
if fvivname == None:
fvivname = "pe_%.8x" % baseaddr
fhash = "unknown hash"
if os.path.exists(filename):
fhash = md5File(filename)
fname = vw.addFile(fvivname.lower(), baseaddr, fhash)
symhash = e_symcache.symCacheHashFromPe(pe)
vw.setFileMeta(fname, 'SymbolCacheHash', symhash)
# Add file version info if VS_VERSIONINFO has it
vs = pe.getVS_VERSIONINFO()
if vs != None:
vsver = vs.getVersionValue('FileVersion')
if vsver != None and len(vsver):
# add check to split seeing samples with spaces and nothing else..
parts = vsver.split()
if len(parts):
vsver = vsver.split()[0]
vw.setFileMeta(fname, 'Version', vsver)
# Setup some va sets used by windows analysis modules
vw.addVaSet("Library Loads", (("Address", VASET_ADDRESS),("Library", VASET_STRING)))
vw.addVaSet('pe:ordinals', (('Address', VASET_ADDRESS),('Ordinal',VASET_INTEGER)))
# SizeOfHeaders spoofable...
curr_offset = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS)
secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))
sec_offset = pe.IMAGE_DOS_HEADER.e_lfanew + 4 + len(pe.IMAGE_NT_HEADERS.FileHeader) + pe.IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader
if sec_offset != curr_offset:
header_size = sec_offset + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
else:
header_size = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS) + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
# Add the first page mapped in from the PE header.
header = pe.readAtOffset(0, header_size)
secalign = pe.IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment
subsys_majver = pe.IMAGE_NT_HEADERS.OptionalHeader.MajorSubsystemVersion
subsys_minver = pe.IMAGE_NT_HEADERS.OptionalHeader.MinorSubsystemVersion
secrem = len(header) % secalign
if secrem != 0:
header += "\x00" * (secalign - secrem)
vw.addMemoryMap(baseaddr, e_mem.MM_READ, fname, header)
vw.addSegment(baseaddr, len(header), "PE_Header", fname)
hstruct = vw.makeStructure(baseaddr, "pe.IMAGE_DOS_HEADER")
magicaddr = hstruct.e_lfanew
if vw.readMemory(baseaddr + magicaddr, 2) != "PE":
raise Exception("We only support PE exe's")
#.........这里部分代码省略.........
开发者ID:pbarnet,项目名称:vivisect,代码行数:101,代码来源:pe.py
注:本文中的vstruct.getStructure函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |