Capstone 是一个轻量级的多平台、多架构的反汇编框架,该模块反对目前所有通用操作系统,反汇编架构简直全副反对,本篇文章将使用LyScript插件联合Capstone反汇编引擎实现一个钩子扫描器。
- 插件地址:https://github.com/lyshark/Ly...
要实现应用层钩子扫描,咱们须要失去程序内存文件的机器码以及磁盘中的机器码,并通过capstone这个第三方反汇编引擎,对两者进行反汇编,最初逐条比照汇编指令,实现过程钩子扫描的成果。
通过LyScript插件读取出内存中的机器码,而后交给第三方反汇编库执行,并将后果输入成字典格局。
#coding: utf-8import binascii,os,sysimport pefilefrom capstone import *from LyScript32 import MyDebug# 失去内存反汇编代码def get_memory_disassembly(address,offset,len): # 反汇编列表 dasm_memory_dict = [] # 内存列表 ref_memory_list = bytearray() # 读取数据 for index in range(offset,len): char = dbg.read_memory_byte(address + index) ref_memory_list.append(char) # 执行反汇编 md = Cs(CS_ARCH_X86,CS_MODE_32) for item in md.disasm(ref_memory_list,0x1): addr = int(pe_base) + item.address dasm_memory_dict.append({"address": str(addr), "opcode": item.mnemonic + " " + item.op_str}) return dasm_memory_dictif __name__ == "__main__": dbg = MyDebug() dbg.connect() pe_base = dbg.get_local_base() pe_size = dbg.get_local_size() print("模块基地址: {}".format(hex(pe_base))) print("模块大小: {}".format(hex(pe_size))) # 失去内存反汇编代码 dasm_memory_list = get_memory_disassembly(pe_base,0,pe_size) print(dasm_memory_list) dbg.close()成果如下:
咱们将文件反汇编也写一下,而后让其比照,这样就能够实现扫描内存与文件中的汇编指令是否统一。
#coding: utf-8import binascii,os,sysimport pefilefrom capstone import *from LyScript32 import MyDebug# 失去内存反汇编代码def get_memory_disassembly(address,offset,len): # 反汇编列表 dasm_memory_dict = [] # 内存列表 ref_memory_list = bytearray() # 读取数据 for index in range(offset,len): char = dbg.read_memory_byte(address + index) ref_memory_list.append(char) # 执行反汇编 md = Cs(CS_ARCH_X86,CS_MODE_32) for item in md.disasm(ref_memory_list,0x1): addr = int(pe_base) + item.address dic = {"address": str(addr), "opcode": item.mnemonic + " " + item.op_str} dasm_memory_dict.append(dic) return dasm_memory_dict# 反汇编文件中的机器码def get_file_disassembly(path): opcode_list = [] pe = pefile.PE(path) ImageBase = pe.OPTIONAL_HEADER.ImageBase for item in pe.sections: if str(item.Name.decode('UTF-8').strip(b'\x00'.decode())) == ".text": # print("虚拟地址: 0x%.8X 虚构大小: 0x%.8X" %(item.VirtualAddress,item.Misc_VirtualSize)) VirtualAddress = item.VirtualAddress VirtualSize = item.Misc_VirtualSize ActualOffset = item.PointerToRawData StartVA = ImageBase + VirtualAddress StopVA = ImageBase + VirtualAddress + VirtualSize with open(path,"rb") as fp: fp.seek(ActualOffset) HexCode = fp.read(VirtualSize) md = Cs(CS_ARCH_X86, CS_MODE_32) for item in md.disasm(HexCode, 0): addr = hex(int(StartVA) + item.address) dic = {"address": str(addr) , "opcode": item.mnemonic + " " + item.op_str} # print("{}".format(dic)) opcode_list.append(dic) return opcode_listif __name__ == "__main__": dbg = MyDebug() dbg.connect() pe_base = dbg.get_local_base() pe_size = dbg.get_local_size() print("模块基地址: {}".format(hex(pe_base))) print("模块大小: {}".format(hex(pe_size))) # 失去内存反汇编代码 dasm_memory_list = get_memory_disassembly(pe_base,0,pe_size) dasm_file_list = get_file_disassembly("d://win32project1.exe") # 循环比照内存与文件中的机器码 for index in range(0,len(dasm_file_list)): if dasm_memory_list[index] != dasm_file_list[index]: print("地址: {:8} --> 内存反汇编: {:32} --> 磁盘反汇编: {:32}". format(dasm_memory_list[index].get("address"),dasm_memory_list[index].get("opcode"),dasm_file_list[index].get("opcode"))) dbg.close()此处如果统一,则阐明没有钩子,如果不统一则输入,这里的输入后果不肯定精确,此处只是抛砖引玉。