python类PE的实例源码

revealpe.py 文件源码 项目:Reverse-Engineering-Arsenal 作者: vallejocc 项目源码 文件源码 阅读 15 收藏 0 点赞 0 评论 0
def doExtractPE(deccontent, pos, n):
    if pos>0x100: pos-=0x100
    else: pos=0
    pe = None
    if pos+n>len(deccontent):n=len(deccontent)-pos
    for i in range(pos, pos+n-2):
        if deccontent[i]=='M' and deccontent[i+1]=='Z':
            try:
                pe = pefile.PE(data = deccontent[i:])
                pe = deccontent[i:i+pe.sections[-1].PointerToRawData+pe.sections[-1].SizeOfRawData]
                break
            except:
                pass
    return pe

####################################################################
objects.py 文件源码 项目:cuckoo-ioc 作者: FafnerKeyZee 项目源码 文件源码 阅读 27 收藏 0 点赞 0 评论 0
def get_exported_functions(self):
        """Get the exported function names of this PE file."""
        filetype = self.get_type()
        if "MS-DOS" not in filetype and "PE32" not in self.get_type():
            return

        if not HAVE_PEFILE:
            if not File.notified_pefile:
                File.notified_pefile = True
                log.warning("Unable to import pefile (`pip install pefile`)")
            return

        try:
            pe = pefile.PE(self.file_path)
            if not hasattr(pe, "DIRECTORY_ENTRY_EXPORT"):
                return

            for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
                if export.name:
                    yield export.name
        except Exception as e:
            log.warning("Error enumerating exported functions: %s", e)
darkcomet.py 文件源码 项目:Snakepit 作者: K4lium 项目源码 文件源码 阅读 16 收藏 0 点赞 0 评论 0
def extract_config(raw_data, key):            
    config = BASE_CONFIG

    pe = pefile.PE(data=raw_data)

    rt_string_idx = [
        entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries
    ].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
    rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]

    for entry in rt_string_directory.directory.entries:
        if str(entry.name) == 'DCDATA':
            data_rva = entry.directory.entries[0].data.struct.OffsetToData
            size = entry.directory.entries[0].data.struct.Size
            data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
            config = v51_data(data, key)
        elif str(entry.name) in config.keys():
            data_rva = entry.directory.entries[0].data.struct.OffsetToData
            size = entry.directory.entries[0].data.struct.Size
            data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
            dec = rc4crypt(unhexlify(data), key)
            config[str(entry.name)] = filter(lambda x: x in string.printable, dec)

    return config
xrat.py 文件源码 项目:Snakepit 作者: K4lium 项目源码 文件源码 阅读 21 收藏 0 点赞 0 评论 0
def get_long_line(data):
    try:
        raw_config = None
        pe = pefile.PE(data=data)
        for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
            if str(entry.name) == "RT_RCDATA":
                new_dirs = entry.directory
                for entry in new_dirs.entries:
                    if str(entry.name) == '0':
                        data_rva = entry.directory.entries[0].data.struct.OffsetToData
                        size = entry.directory.entries[0].data.struct.Size
                        data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
                        raw_config = data
    except:
        raw_config = None
    if raw_config != None:
        return raw_config, 'V1'
    try:
        m = re.search('\x69\x00\x6F\x00\x6E\x00\x00\x59(.*)\x6F\x43\x00\x61\x00\x6E', data)
        raw_config = m.group(0)[4:-12]
        return raw_config, 'V2'
    except:
        return None, None
pandora.py 文件源码 项目:Snakepit 作者: K4lium 项目源码 文件源码 阅读 26 收藏 0 点赞 0 评论 0
def get_config(data):
    try:
        pe = pefile.PE(data=data)

        rt_string_idx = [
        entry.id for entry in 
        pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE['RT_RCDATA'])

        rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
        for entry in rt_string_directory.directory.entries:
            if str(entry.name) == "CFG":
                data_rva = entry.directory.entries[0].data.struct.OffsetToData
                size = entry.directory.entries[0].data.struct.Size
                data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
                cleaned = data.replace('\x00', '')
                raw_config = cleaned.split('##')
                return raw_config
    except:
        return
bozok.py 文件源码 项目:Snakepit 作者: K4lium 项目源码 文件源码 阅读 20 收藏 0 点赞 0 评论 0
def extract_config(raw_data):
    pe = pefile.PE(data=raw_data)

    try:
        rt_string_idx = [
            entry.id for entry in 
            pe.DIRECTORY_ENTRY_RESOURCE.entries
        ].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
    except:
        return None

    rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]

    for entry in rt_string_directory.directory.entries:
        if str(entry.name) == 'CFG':
            data_rva = entry.directory.entries[0].data.struct.OffsetToData
            size = entry.directory.entries[0].data.struct.Size
            data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
            return data
xtreme.py 文件源码 项目:Snakepit 作者: K4lium 项目源码 文件源码 阅读 17 收藏 0 点赞 0 评论 0
def extract_config(rawData):
    try:
        pe = pefile.PE(data=rawData)
        try:
          rt_string_idx = [
          entry.id for entry in 
          pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
        except ValueError:
            return None
        except AttributeError:
            return None
        rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
        for entry in rt_string_directory.directory.entries:
            if str(entry.name) == 'XTREME':
                data_rva = entry.directory.entries[0].data.struct.OffsetToData
                size = entry.directory.entries[0].data.struct.Size
                data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
                return data
    except:
        return None
greame.py 文件源码 项目:Snakepit 作者: K4lium 项目源码 文件源码 阅读 17 收藏 0 点赞 0 评论 0
def get_config(data):
    try:
        pe = pefile.PE(data=data)

        rt_string_idx = [
        entry.id for entry in 
        pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE['RT_RCDATA'])

        rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
        for entry in rt_string_directory.directory.entries:
            if str(entry.name) == "GREAME":
                data_rva = entry.directory.entries[0].data.struct.OffsetToData
                size = entry.directory.entries[0].data.struct.Size
                data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
                raw_config = data.split('####@####')
                return raw_config
    except:
        return None
cybergate.py 文件源码 项目:Snakepit 作者: K4lium 项目源码 文件源码 阅读 17 收藏 0 点赞 0 评论 0
def extract_config(raw_data):
    try:
        pe = pefile.PE(data=raw_data)

        try:
            rt_string_idx = [
                entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries
            ].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
        except:
            return None

        rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]

        for entry in rt_string_directory.directory.entries:
            if str(entry.name) == 'XX-XX-XX-XX' or str(entry.name) == 'CG-CG-CG-CG':
                data_rva = entry.directory.entries[0].data.struct.OffsetToData
                size = entry.directory.entries[0].data.struct.Size
                data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
                config = data.split('####@####')
                return config
    except:
        return None
pe.py 文件源码 项目:s2e-env 作者: S2E 项目源码 文件源码 阅读 20 收藏 0 点赞 0 评论 0
def get_exports(self):
        """
        Get a list of exported symbols from the PE file.

        Returns:
            A list of exported symbol names. If a symbol name is not available,
            the ordinal number is used instead.
        """
        exports = []

        for export in self._pe.DIRECTORY_ENTRY_EXPORT.symbols:
            if export.name:
                exports.append(export.name)
            else:
                export.append('%d' % export.ordinal)

        return exports
bindiffer.py 文件源码 项目:AutoDiffAgent 作者: icewall 项目源码 文件源码 阅读 18 收藏 0 点赞 0 评论 0
def __setArch(self,filePath):
        if not self.__archFlag:
            self.__archFlag = True
        else:
            return

        pe = pefile.PE(filePath,fast_load = True)
        if pe.OPTIONAL_HEADER.Magic == 0x20b: #PE+ (x64)
            self.__IDA_PATH = Config.IDA_PATH.replace("idaq.exe","idaq64.exe")
            self.__BINDIFF_PLUGIN = Config.BINDIFF_PLUGIN.replace("zynamics_bindiff_4_0.plw","zynamics_bindiff_4_0.p64")
            self.__IDBEXT = ".i64"
        else:
            #PE (x86)
            self.__IDA_PATH = Config.IDA_PATH
            self.__BINDIFF_PLUGIN = Config.BINDIFF_PLUGIN
            self.__IDBEXT = ".idb"
image_meta.py 文件源码 项目:fibratus 作者: rabbitstack 项目源码 文件源码 阅读 15 收藏 0 点赞 0 评论 0
def __init__(self, enabled=True, imports=False, file_info=False):
        """Creates an instace of the image meta registry.

        Arguments
        ---------

        enabled: bool
            determines if image meta information should be added to the registry
        imports: bool
            it instructs the PE module to parse the directory entry import structure
        file_info: bool
            determines if file information meta data should be extracted from the PE
        """
        self.image_metas = {}
        self.imports = imports
        self.file_info = file_info
        self.enabled = enabled
        self.full_loaded = False
unpy2exe.py 文件源码 项目:rePy2exe 作者: 4w4k3 项目源码 文件源码 阅读 21 收藏 0 点赞 0 评论 0
def unpy2exe(filename, python_version=None, output_dir=None):
    """Process input params and produce output pyc files."""
    if python_version is None:
        version = __current_magic()
    else:
        version = versions.get(python_version, __current_magic())

    if output_dir is None:
        output_dir = '.'
    elif not os.path.exists(output_dir):
        os.makedirs(output_dir)

    pe = pefile.PE(filename)
    script_res = get_scripts_resource(pe)
    dump = resource_dump(pe, script_res)
    code_objects = get_co_from_dump(dump)
    for co in code_objects:
        save_co_to_pyc(co, version, output_dir)
File_analysis.py 文件源码 项目:Cortex-Analyzers 作者: CERT-BDF 项目源码 文件源码 阅读 20 收藏 0 点赞 0 评论 0
def __init__(self, filepath):
        self.path = filepath
        self.filename = os.path.basename(filepath)
        self.stream = open(filepath, 'r').read()
        if magic.Magic(mime=True).from_file(filepath) == 'application/x-dosexec':
            try:
                self.pe = pefile.PE(filepath)
                self.pedict = self.pe.dump_dict()
            except Exception as excp:
                print('Failed processing %s') % filepath




    # Magic
File_analysis.py 文件源码 项目:Cortex-Analyzers 作者: CERT-BDF 项目源码 文件源码 阅读 20 收藏 0 点赞 0 评论 0
def ssdeep(self):
        return pydeep.hash_file(self.path)

    # PE: impash #
File_analysis.py 文件源码 项目:Cortex-Analyzers 作者: CERT-BDF 项目源码 文件源码 阅读 22 收藏 0 点赞 0 评论 0
def imphash(self):
        return self.pe.get_imphash()

    # PE: pehash #
File_analysis.py 文件源码 项目:Cortex-Analyzers 作者: CERT-BDF 项目源码 文件源码 阅读 22 收藏 0 点赞 0 评论 0
def filesize(self):
        return os.path.getsize(self.path)

    ##########
    # PE     #
    ##########

    # PE : info #
File_analysis.py 文件源码 项目:Cortex-Analyzers 作者: CERT-BDF 项目源码 文件源码 阅读 21 收藏 0 点赞 0 评论 0
def PE_info(self):
        table=[]
        try:
            for fileinfo in self.pe.FileInfo:
                if fileinfo.Key == 'StringFileInfo':
                    for stringtable in fileinfo.StringTable:
                        for entry in stringtable.entries.items():
                            table.append({'Info':entry[0], 'Value':entry[1]})
            return table
        except Exception as excp:
            return 'None'

    # PE: type #
File_analysis.py 文件源码 项目:Cortex-Analyzers 作者: CERT-BDF 项目源码 文件源码 阅读 23 收藏 0 点赞 0 评论 0
def PE_OperatingSystem(self):
        if self.pe:
            return str(self.pedict['OPTIONAL_HEADER']['MajorOperatingSystemVersion']['Value']) + "." \
               + str(self.pedict['OPTIONAL_HEADER']['MinorOperatingSystemVersion']['Value'])

    # PE:Machine type #
File_analysis.py 文件源码 项目:Cortex-Analyzers 作者: CERT-BDF 项目源码 文件源码 阅读 21 收藏 0 点赞 0 评论 0
def PE_Machine(self):
        if self.pe:
            machinetype = self.pedict['FILE_HEADER']['Machine']['Value']
            mt = {'0x14c': 'x86', '0x0200': 'Itanium', '0x8664': 'x64'}
            if type(machinetype) is int:
                return mt[str(hex(machinetype))]
            else:
                return str(machinetype) + ' => Not x86/64 or Itanium'

    # PE:Entry Point #


问题


面经


文章

微信
公众号

扫码关注公众号