python 模拟执行部分代码
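import sys

import unicorn
import pefile
import capstone  # not used by this script; kept so the module's import surface is unchanged

# Path of the sample to analyse (the original hard-coded value; can be overridden
# by passing a path as the first command-line argument).
DEFAULT_SAMPLE_PATH = (
    'C:\\Users\\asdf\\Desktop\\a9542676ee9a25c64a9fec1466664511f6059b51d8192025f95855b02ffe9620\\'
    'a9542676ee9a25c64a9fec1466664511f6059b51d8192025f95855b02ffe9620.malware'
)

IMAGE_BASE = 0x400000          # expected load address of this 32-bit PE
MIN_IMAGE_MAP = 10 * 1024 * 1024  # at least 10 MB mapped for the image, as in the original
STACK_BASE = 0x2000            # start of the mapped stack region
STACK_SIZE = 1024 * 1024       # 1 MB stack
INITIAL_ESP = 0x10000          # initial ESP; lies inside [STACK_BASE, STACK_BASE + STACK_SIZE)
ANALYSE_START = 0x422154       # first instruction to emulate
ANALYSE_END = 0x42219E         # emulation stops when EIP reaches this address
RESULT_BYTES = 0xf             # how many bytes at ESP are dumped afterwards
EMU_TIMEOUT_US = 5_000_000     # microseconds; bounds a sample that never reaches ANALYSE_END
PAGE_SIZE = 0x1000             # unicorn mappings must be page-aligned


def _round_up(value: int, align: int) -> int:
    """Round *value* up to the next multiple of *align*."""
    return (value + align - 1) // align * align


def emulate(sample_path: str = DEFAULT_SAMPLE_PATH) -> bytearray:
    """Emulate ANALYSE_START..ANALYSE_END of the PE at *sample_path* and return the
    RESULT_BYTES bytes found at ESP when emulation stops.

    The emulator only interprets the bytes; nothing from the sample is executed
    natively. The image is mapped at IMAGE_BASE, a stack is mapped at STACK_BASE,
    ESP is set to INITIAL_ESP, and emulation is time-bounded by EMU_TIMEOUT_US.

    Raises:
        pefile.PEFormatError: the file is not a parseable PE.
        ValueError: the PE's ImageBase is not IMAGE_BASE, so the hard-coded
            ANALYSE_* addresses would not refer to this image.
        unicorn.UcError: a mapping or emulation fault (e.g. unmapped read/write).
    """
    pe = pefile.PE(sample_path)
    # A plain `assert` is stripped under `python -O`; this check must always run.
    if pe.OPTIONAL_HEADER.ImageBase != IMAGE_BASE:
        raise ValueError(
            'unexpected ImageBase 0x{:x}, expected 0x{:x}'.format(
                pe.OPTIONAL_HEADER.ImageBase, IMAGE_BASE))

    image = pe.get_memory_mapped_image()
    # Never map less than the image actually needs; mem_write past the mapping
    # would otherwise raise UC_ERR_WRITE_UNMAPPED.
    image_map_size = max(MIN_IMAGE_MAP, _round_up(len(image), PAGE_SIZE))

    uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
    uc.mem_map(IMAGE_BASE, image_map_size)
    uc.mem_map(STACK_BASE, STACK_SIZE)
    uc.mem_write(IMAGE_BASE, image)
    uc.reg_write(unicorn.x86_const.UC_X86_REG_ESP, INITIAL_ESP)

    uc.emu_start(ANALYSE_START, ANALYSE_END, timeout=EMU_TIMEOUT_US)

    esp = uc.reg_read(unicorn.x86_const.UC_X86_REG_ESP)
    return uc.mem_read(esp, RESULT_BYTES)


def main(argv: list[str] | None = None) -> None:
    """Entry point: emulate the sample given on the command line (or the default)
    and print the bytes at ESP."""
    args = sys.argv[1:] if argv is None else argv
    sample_path = args[0] if args else DEFAULT_SAMPLE_PATH
    data = emulate(sample_path)
    print('{}'.format(data))


if __name__ == '__main__':
    main()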