本案例将学习使用LyScript计算特定程序中特定段的Hash特征值,并通过第三方模块xlsxwriter将计算出的哈希值存储到excel表中。例子中的知识点可以说是具备输出简单表格的能力,如果时间充裕,还可以实现自动生成报表。插件地址:https://github.com/lyshark/Ly...第一步是计算特定段的特征值。这种代码实现了用户传入一个rva相对地址并读入指令长度的原理,利用内置的hashlib库实现了对内存段指令特征的计算。下面的代码首先实现了对二段指令的特征计算。importhashlibimportzlib,binasciifromLyScript32importMyDebug#计算哈希defcalc_hash(dbg,rva,size):read_list=bytearray()ref_hash={"va":None,"size":None,"md5":None,"sha256":None,"sha512":None,"crc32":None}#得到地址base=dbg.get_local_module_base()#读入数据forindexinrange(0,size):readbyte=dbg.read_memory_byte(base+rva+index)read_list.append(readbyte)#计算特征md5hash=hashlib.md5(read_list)sha512hash=hashlib.sha512(read_list)sha256hash=hashlib.sha256(read_list)#crc32hash=binascii.crc32(read_list)&0xffffffffref_hash["va"]=hex(base+rva)ref_hash["size"]=sizeref_hash["md5"]=md5hash.hexdigest()ref_hash["sha256"]=sha256hash.hexdigest()ref_hash["sha512"]=sha512hash.hexdigest()ref_hash["crc32"]=hex(zlib.crc32(read_list))returnref_hashif__name__=="__main__":dbg=MyDebug()connect=dbg.connect()#传入相对地址,计算计算字节ref=calc_hash(dbg,0x19fd,10)print(ref)#计算第二段ref=calc_hash(dbg,0x1030,26)print(ref)dbg.close()计算后输出字典格式:第二部分使用第三方库将读取的hash参数写入表中,A下面生成哈希图例,方便观察importhashlibimporttimeimportzlib,binasciifromLyScript32importMyDebugimportxlsxwriter#计算哈希defcalc_hash(dbg,rva,size):read_list=bytearray()ref_hash={"va":None,"size":None,"md5":None,"sha256":None,"sha512":None,"crc32":None}#得到地址base=dbg.get_local_module_base()#读入数据forindexinrange(0,size):readbyte=dbg.read_memory_byte(base+rva+index)read_list.append(readbyte)#计算特征md5hash=hashlib.md5(read_list)sha512hash=hashlib.sha512(read_list)sha256hash=hashlib.sha256(read_list)#crc32hash=binascii.crc32(read_list)&0xffffffffref_hash["va"]=hex(base+rva)ref_hash["size"]=sizeref_hash["md5"]=md5hash.hexdigest()ref_hash["sha256"]=sha256hash.hexdigest()ref_hash["sha512"]=sha512hash.hexdigest()ref_hash["crc32"]=hex(zlib.crc32(read_list))returnref_hashif__name__=="__main__":dbg=MyDebug()connect=dbg.connect()#打开一个被调试的进程dbg.open_debug("D:\\Win32Project.exe")#传入相对地址并计算字节数ref=calc_hash(dbg,0x19fd,10)print(ref)ref2=calc_hash(dbg,0x1030,26)print(ref2)ref3=calc_hash(dbg,0x15EB,46)print(ref3)ref4=calc_hash(dbg,0x172B,8)print(ref4)#写表格workbook=xlsxwriter.Workbook("pe_hash.xlsx")worksheet=workbook.add_worksheet()headings=["VAaddress","计算长度","MD5","SHA256","SHA512","CRC32"]data=[[ref.get("va"),ref.get("size"),ref.get("md5"),参考。得到(“sha256”),参考。得到(“sha512”),参考。得到(“crc32”)],[ref2。得到(“va”),ref2。得到(“大小”),ref2.get(“md5”),ref2.get(“sha256”),ref2.get("sha512"),ref2.get("crc32")],[ref3.get("va"),ref3.get("size"),ref3.get("md5"),ref3.get("sha256"),ref3.get("sha512"),ref3.get("crc32")],[ref4.get("va"),ref4.get("size"),ref4.get("md5"),ref4.get("sha256"),ref4.get("sha512"),ref4.get("crc32")]]#定义表格样式head_style=workbook.add_format({"bold":True,"align":"center","fg_color":"#D7E4BC"})worksheet.set_column("A1:F1",15)#一条一条写入数据worksheet.write_row("A1",headings,head_style)foriinrange(0,len(data)):worksheet.write_row("A{}".format(i+2),data[i])#添加条形图显示前十个元素chart=workbook.add_chart({"type":"线"})chart.add_series({"name":"=Sheet1!$B$1",#Legenditem"categories":"=Sheet1!$A$2:$A$10",#X-axisItemname"values":"=Sheet1!$B$2:$B$10"#X-axisItemvalue})复制代码图表。add_series({"name":"=Sheet1!$C$1","categories":"=Sheet1!$A$2:$A$10","values":"=Sheet1!$C$2:$C$10"})chart.add_series({"name":"=Sheet1!$D$1","categories":"=Sheet1!$A$2:$A$10","values":"=Sheet1!$D$2:$D$10"})#添加柱形图标题chart.set_title({"name":"计算HASH统计图表"})#chart.set_style(8)chart.set_size({'width':500,'height':250})chart.set_legend({'position':'top'})#Drawworksheet.insert_chart("H2",chart)atF2workbook.close()#关闭调试进程time.sleep(1)dbg.close_debug()dbg.close()生成的图例效果如下:
