通过对LyScript自动化插件进行二次封装,实现从内存中读取目标进程解码后的机器码,并通过Python代码在这些机器码中寻找特定的十六进制字符数组,或直接检索是否存在连续的反汇编指令片段等功能。

  • 插件地址:https://github.com/lyshark/Ly...

搜索内存中的机器码: 读取内存机器码需要配合LyScript32插件,从内存中寻找指令片段。

from LyScript32 import MyDebug# 将可执行文件中的复数转换为 0x00 格局def ReadHexCode(code):    hex_code = []    for index in code:        if index >= 0 and index <= 15:            #print("0" + str(hex(index).replace("0x","")))            hex_code.append("0" + str(hex(index).replace("0x","")))        else:            hex_code.append(hex(index).replace("0x",""))            #print(hex(index).replace("0x",""))    return hex_code# 获取到内存中的机器码def GetCode():    try:        ref_code = []        dbg = MyDebug()        connect_flag = dbg.connect()        if connect_flag != 1:            return None        start_address = dbg.get_local_base()        end_address = start_address + dbg.get_local_size()        # 循环失去机器码        for index in range(start_address,end_address):            read_bytes = dbg.read_memory_byte(index)            ref_code.append(read_bytes)        dbg.close()        return ref_code    except Exception:        return False# 在字节数组中匹配是否与特色码统一def SearchHexCode(Code,SearchCode,ReadByte):    SearchCount = len(SearchCode)    #print("特色码总长度: {}".format(SearchCount))    for item in range(0,ReadByte):        count = 0        # 对十六进制数切片,每次向后遍历SearchCount        OpCode = Code[ 0+item :SearchCount+item ]        #print("切割数组: {} --> 比照: {}".format(OpCode,SearchCode))        try:            for x in range(0,SearchCount):                if OpCode[x] == SearchCode[x]:                    count = count + 1                    #print("寻找特色码计数: {} {} {}".format(count,OpCode[x],SearchCode[x]))                    if count == SearchCount:                        # 如果找到了,就返回True,否则返回False                        return True                        exit(0)        except Exception:            pass    return Falseif __name__ == "__main__":    # 读取到内存机器码    ref_code = GetCode()    if ref_code != False:        # 转为十六进制        hex_code = ReadHexCode(ref_code)        code_size = len(hex_code)        # 指定要搜寻的特色码序列        search = ['c0', '74', '0d', '66', '3b', 'c6', '77', '08']        # 搜寻特色: hex_code = 
exe的字节码,search=搜寻特色码,code_size = 搜寻大小        ret = SearchHexCode(hex_code, search, code_size)        if ret == True:            print("特色码 {} 存在".format(search))        else:            print("特色码 {} 不存在".format(search))    else:        print("读入失败")

输出效果:

搜索内存反汇编代码: 通过LyScript插件读取内存机器码,并在该机器码中寻找指令片段,找到后返回内存首地址。

from LyScript32 import MyDebug# 检索指定序列中是否存在一段特定的指令集def SearchOpCode(OpCodeList,SearchCode,ReadByte):    SearchCount = len(SearchCode)    for item in range(0,ReadByte):        count = 0        OpCode_Dic = OpCodeList[ 0 + item : SearchCount + item ]        # print("切割字典: {}".format(OpCode_Dic))        try:            for x in range(0,SearchCount):                if OpCode_Dic[x].get("opcode") == SearchCode[x]:                    #print(OpCode_Dic[x].get("addr"),OpCode_Dic[x].get("opcode"))                    count = count + 1                    if count == SearchCount:                        #print(OpCode_Dic[0].get("addr"))                        return OpCode_Dic[0].get("addr")                        exit(0)        except Exception:            passif __name__ == "__main__":    dbg = MyDebug()    connect_flag = dbg.connect()    print("连贯状态: {}".format(connect_flag))    # 失去EIP地位    eip = dbg.get_register("eip")    # 反汇编前1000行    disasm_dict = dbg.get_disasm_code(eip,1000)    # 搜寻一个指令序列,用于疾速查找构建破绽利用代码    SearchCode = [        ["push 0xC0000409", "call 0x003F1B38", "pop ecx"],        ["push ecx", "push ebx"]    ]    # 检索内存指令集    for item in range(0,len(SearchCode)):        Search = SearchCode[item]        # disasm_dict = 返回汇编指令 Search = 寻找指令集 1000 = 向下检索长度        ret = SearchOpCode(disasm_dict,Search,1000)        if ret != None:            print("指令集: {} --> 首次呈现地址: {}".format(SearchCode[item],hex(ret)))    dbg.close()

输出效果: