日本免费高清视频-国产福利视频导航-黄色在线播放国产-天天操天天操天天操天天操|www.shdianci.com

學(xué)無先后,達(dá)者為師

網(wǎng)站首頁 編程語言 正文

LyScript實現(xiàn)指令查詢功能的示例代碼_python

作者:lyshark ? 更新時間: 2022-10-27 編程語言

通過對LyScript自動化插件進(jìn)行二次封裝,實現(xiàn)從內(nèi)存中讀入目標(biāo)進(jìn)程解碼后的機器碼,并通過Python代碼在這些機器碼中尋找特定的十六進(jìn)制字符數(shù)組,或直接檢索是否存在連續(xù)的反匯編指令片段等功能。

LyScript項目地址:https://github.com/lyshark/LyScript

搜索內(nèi)存中的機器碼

內(nèi)存機器碼需要配合LyScript32插件,從內(nèi)存中尋找指令片段。

from LyScript32 import MyDebug

# 將可執(zhí)行文件中的單數(shù)轉(zhuǎn)換為 0x00 格式
def ReadHexCode(code):
    hex_code = []

    for index in code:
        if index >= 0 and index <= 15:
            #print("0" + str(hex(index).replace("0x","")))
            hex_code.append("0" + str(hex(index).replace("0x","")))
        else:
            hex_code.append(hex(index).replace("0x",""))
            #print(hex(index).replace("0x",""))

    return hex_code

# 獲取到內(nèi)存中的機器碼
def GetCode():
    try:
        ref_code = []
        dbg = MyDebug()
        connect_flag = dbg.connect()
        if connect_flag != 1:
            return None

        start_address = dbg.get_local_base()
        end_address = start_address + dbg.get_local_size()

        # 循環(huán)得到機器碼
        for index in range(start_address,end_address):
            read_bytes = dbg.read_memory_byte(index)
            ref_code.append(read_bytes)

        dbg.close()
        return ref_code
    except Exception:
        return False

# 在字節(jié)數(shù)組中匹配是否與特征碼一致
def SearchHexCode(Code,SearchCode,ReadByte):
    SearchCount = len(SearchCode)
    #print("特征碼總長度: {}".format(SearchCount))
    for item in range(0,ReadByte):
        count = 0
        # 對十六進(jìn)制數(shù)切片,每次向后遍歷SearchCount
        OpCode = Code[ 0+item :SearchCount+item ]
        #print("切割數(shù)組: {} --> 對比: {}".format(OpCode,SearchCode))
        try:
            for x in range(0,SearchCount):
                if OpCode[x] == SearchCode[x]:
                    count = count + 1
                    #print("尋找特征碼計數(shù): {} {} {}".format(count,OpCode[x],SearchCode[x]))
                    if count == SearchCount:
                        # 如果找到了,就返回True,否則返回False
                        return True
                        exit(0)
        except Exception:
            pass
    return False

if __name__ == "__main__":
    # 讀取到內(nèi)存機器碼
    ref_code = GetCode()
    if ref_code != False:
        # 轉(zhuǎn)為十六進(jìn)制
        hex_code = ReadHexCode(ref_code)
        code_size = len(hex_code)

        # 指定要搜索的特征碼序列
        search = ['c0', '74', '0d', '66', '3b', 'c6', '77', '08']

        # 搜索特征: hex_code = exe的字節(jié)碼,search=搜索特征碼,code_size = 搜索大小
        ret = SearchHexCode(hex_code, search, code_size)
        if ret == True:
            print("特征碼 {} 存在".format(search))
        else:
            print("特征碼 {} 不存在".format(search))
    else:
        print("讀入失敗")

輸出效果:

搜索內(nèi)存反匯編代碼

通過LyScript插件讀入內(nèi)存機器碼,并在該機器碼中尋找指令片段,找到后返回內(nèi)存首地址。

from LyScript32 import MyDebug

# 檢索指定序列中是否存在一段特定的指令集
def SearchOpCode(OpCodeList,SearchCode,ReadByte):
    SearchCount = len(SearchCode)
    for item in range(0,ReadByte):
        count = 0
        OpCode_Dic = OpCodeList[ 0 + item : SearchCount + item ]
        # print("切割字典: {}".format(OpCode_Dic))
        try:
            for x in range(0,SearchCount):
                if OpCode_Dic[x].get("opcode") == SearchCode[x]:
                    #print(OpCode_Dic[x].get("addr"),OpCode_Dic[x].get("opcode"))
                    count = count + 1
                    if count == SearchCount:
                        #print(OpCode_Dic[0].get("addr"))
                        return OpCode_Dic[0].get("addr")
                        exit(0)
        except Exception:
            pass

if __name__ == "__main__":
    dbg = MyDebug()
    connect_flag = dbg.connect()
    print("連接狀態(tài): {}".format(connect_flag))

    # 得到EIP位置
    eip = dbg.get_register("eip")

    # 反匯編前1000行
    disasm_dict = dbg.get_disasm_code(eip,1000)

    # 搜索一個指令序列,用于快速查找構(gòu)建漏洞利用代碼
    SearchCode = [
        ["push 0xC0000409", "call 0x003F1B38", "pop ecx"],
        ["push ecx", "push ebx"]
    ]

    # 檢索內(nèi)存指令集
    for item in range(0,len(SearchCode)):
        Search = SearchCode[item]
        # disasm_dict = 返回匯編指令 Search = 尋找指令集 1000 = 向下檢索長度
        ret = SearchOpCode(disasm_dict,Search,1000)
        if ret != None:
            print("指令集: {} --> 首次出現(xiàn)地址: {}".format(SearchCode[item],hex(ret)))

    dbg.close()

輸出效果:

原文鏈接:https://www.cnblogs.com/LyShark/p/16645221.html

欄目分類
最近更新