Created
November 8, 2022 11:05
helloobaby created this gist
Nov 8, 2022 .There are no files selected for viewing
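--- /dev/null
+++ b/<gist-file-path>
@@ -0,0 +1,65 @@
+import unicorn
+import pefile
+import capstone
+# 要分析的样本路径
+sample_file_path = 'C:\\Users\\asdf\\Desktop\\a9542676ee9a25c64a9fec1466664511f6059b51d8192025f95855b02ffe9620\\' \
+'a9542676ee9a25c64a9fec1466664511f6059b51d8192025f95855b02ffe9620.malware'
+# 初始化unicorn
+uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
+# 初始化pe
+pe = pefile.PE(sample_file_path)
+address = 0x400000 # 32位PE文件起始地址
+stack = 0x2000 # 初始rsp或者esp可以设置为0x10000
+analyse_address = 0x422154 # 要分析的起始地址
+analyse_address_end = 0x42219E # 尾地址
+assert(pe.OPTIONAL_HEADER.ImageBase == address)
+uc.mem_map(address, 1024*1024*10) # 10MB
+uc.mem_map(stack,1024*1024) # 1M栈
+buffer = pe.get_memory_mapped_image(); # 将样本映射
+uc.mem_write(address,buffer)
+uc.reg_write(unicorn.x86_const.UC_X86_REG_ESP,0x10000)
+uc.emu_start(analyse_address,analyse_address_end)
+esp = uc.reg_read(unicorn.x86_const.UC_X86_REG_ESP)
+data = uc.mem_read(esp,0xf)
+print('{}'.format(data))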
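Review bot: `uc.emu_start(analyse_address,analyse_address_end)` runs with no bound, so if the emulated code between 0x422154 and 0x42219E loops or never reaches the end address the script hangs instead of failing; passing Unicorn's limits, `uc.emu_start(analyse_address, analyse_address_end, timeout=<microseconds>, count=<max instructions>)`, turns that into a finite run. The 10MB region mapped at 0x400000 is never compared with `pe.OPTIONAL_HEADER.SizeOfImage` or `len(buffer)`, so a larger image makes `uc.mem_write` fail with an unmapped-write error rather than a clear message, and the `assert` on ImageBase is stripped under `python -O`; an explicit `if pe.OPTIONAL_HEADER.ImageBase != address or len(buffer) > 1024*1024*10: raise ValueError(...)` before the mapping covers both. `import capstone` is not used in the visible lines. The section declares 65 added lines but only the lines shown here were reviewed.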