日本免费高清视频-国产福利视频导航-黄色在线播放国产-天天操天天操天天操天天操|www.shdianci.com

學無先后,達者為師

網(wǎng)站首頁 編程語言 正文

Python檢測PE所啟用保護方式詳解_python

作者:lyshark ? 更新時間: 2022-11-20 編程語言

Python 通過pywin32模塊調用WindowsAPI接口,實現(xiàn)對特定進程加載模塊的枚舉輸出并檢測該PE程序模塊所啟用的保護方式,此處枚舉輸出的是當前正在運行進程所加載模塊的DLL模塊信息,需要用戶傳入進程PID才可實現(xiàn)輸出。

  • 首先需要安裝兩個依賴包:
  • pip install pywin32
  • pip install pefile

然后再命令行模式下執(zhí)行命令啟動枚舉功能。

# By: LyShark
import win32process
import win32api,win32con,win32gui
import os,pefile,argparse

def Banner():
    print("  _          ____  _                _    ")
    print(" | |   _   _/ ___|| |__   __ _ _ __| | __")
    print(" | |  | | | \___ \| '_ \ / _` | '__| |/ /")
    print(" | |__| |_| |___) | | | | (_| | |  |   < ")
    print(" |_____\__, |____/|_| |_|\__,_|_|  |_|\_\\")
    print("       |___/                             \n")
    print("E-Mail: me@lyshark.com")

def GetProcessModules(pid):
    ModuleList = []
    handle   = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, False, pid )
    hModule  = win32process.EnumProcessModules(handle)
    for item in hModule:
        Module_Addr = hex(item)
        Module_Path = win32process.GetModuleFileNameEx(handle,item)
        Module_Name = os.path.basename(str(Module_Path))
        ModuleList.append([Module_Addr,Module_Name,Module_Path])
    win32api.CloseHandle(handle)
    return ModuleList

def CheckModulesProtect(ClassName):
    UNProtoModule = []
    if type(ClassName) is str:
        handle = win32gui.FindWindow(0,ClassName)
        threadpid, procpid = win32process.GetWindowThreadProcessId(handle)
        ProcessModule = GetProcessModules(int(procpid))
    else:
        ProcessModule = GetProcessModules(int(ClassName))
    print("-" * 100)
    print("映像基址\t\t模塊名稱\t基址隨機化\tDEP保護兼容\t強制完整性\tSEH異常保護")
    # By: LyShark.com
    print("-" * 100)

    for item in ProcessModule:
        pe = pefile.PE(item[2])
        DllFlage = pe.OPTIONAL_HEADER.DllCharacteristics
        print("%10s"%(item[0]),end="\t")
        print("%21s"%(item[1]),end="\t")

        # 隨機基址 => hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x40 == 0x40
        if( (DllFlage & 64)==64 ):
            print(" True",end="\t\t") 
        else:
            print(" False",end="\t\t")
            UNProtoModule.append(item[2])
        if( (DllFlage & 256)==256 ):
            print("True",end="\t\t")
        else:
            print("False",end="\t\t")
        if ( (DllFlage & 128)==128 ):
            print("True",end="\t\t")
        else:
            print("False",end="\t\t")
        if ( (DllFlage & 1024)==1024 ):
            print("False",end="\t\t\n")
        else:
            print("True",end="\t\t\n")
    
    print("-" * 100)
    print("\n[+] 總模塊數(shù): {} 可利用模塊: {}".format(len(ProcessModule),len(UNProtoModule)),end="\n\n")
    for item in UNProtoModule:
        print("[-] {}".format(item))
    print("-" * 100)

if __name__ == "__main__":
    Banner()
    parser = argparse.ArgumentParser()
    parser.add_argument("-H","--handle",dest="handle",help="指定一個正在運行的進程Handle")
    parser.add_argument("-P","--pid",dest="pid",help="指定一個正在運行的進程PID")
    args = parser.parse_args()
    if args.handle or args.pid:
        if args.handle:
            CheckModulesProtect(str(args.handle))
        elif args.pid:
            CheckModulesProtect(int(args.pid))
    else:
        parser.print_help()

輸出枚舉效果如下:

原文鏈接:https://www.cnblogs.com/LyShark/p/16125498.html

欄目分類
最近更新