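"""Memory signature search helpers for the LyScript32 x64dbg bridge.

The source page (a Chinese blog post, extracted with all whitespace
stripped) describes a plugin that reads the target process's decoded
machine code out of memory and lets a Python script either locate a run
of specific hex bytes in it, or look for a run of consecutive
disassembled instructions.  Plugin address as given on the page:
https://github.com/lyshark/Ly... (URL truncated in the source).

The page held two independent listings, both driven by ``LyScript32``:

1. *Memory machine-code search* -- read the main module byte by byte,
   convert to two-digit hex strings and test whether a byte signature
   occurs.
2. *Memory disassembly search* -- disassemble from EIP and return the
   address of the first occurrence of an instruction sequence (used to
   quickly find gadgets when building exploit code).

They are reconstructed here as one module; each listing's ``__main__``
body became ``main_search_hex_code`` / ``main_search_opcode``.

Review notes (not from the original page):

* Both scans are plain sliding-window comparisons bounded by the scan
  length AND the data length, so they never index past the buffer; the
  original relied on catching ``IndexError`` for that.
* Text matching is exact string equality against the debugger's own
  disassembly text, so operand spelling/spacing must match what x64dbg
  prints.
* Absolute operands such as ``call 0x003F1B38`` are tied to the module
  base the author happened to see; under ASLR/relocation the value will
  differ, so treat such signatures as session-specific.
"""

from __future__ import annotations

try:
    from LyScript32 import MyDebug
except ImportError:  # the bridge only exists inside an x64dbg session
    # Leaving MyDebug unset lets the pure search helpers be imported and
    # unit-tested outside the debugger; the debugger entry points raise.
    MyDebug = None

# Number of disassembled lines fetched from EIP and scanned by listing 2.
DISASM_LINES = 1000


def _require_debugger():
    """Return a fresh MyDebug instance or raise if the plugin is absent.

    Raises:
        RuntimeError: LyScript32 could not be imported, i.e. the script
            is not running next to an x64dbg/LyScript session.
    """
    if MyDebug is None:
        raise RuntimeError("LyScript32 is not available; run inside x64dbg with the LyScript plugin loaded")
    return MyDebug()


def _identity(value):
    """Default projection for _first_match_index (element compared as-is)."""
    return value


def _first_match_index(sequence, signature, scan_length, key=_identity):
    """Return the first start index where ``signature`` occurs, else None.

    Shared core of SearchHexCode and SearchOpCode: a sliding window over
    ``sequence`` starting at positions ``0 .. scan_length-1``.  Only
    windows that fit entirely inside ``sequence`` are tested, which is
    exactly what the original achieved by swallowing IndexError.

    Args:
        sequence: indexable of elements to scan.
        signature: indexable of expected values; an empty signature never
            matches (the original loops could not reach a match either).
        scan_length: number of start positions to try; values beyond the
            data are clamped, negative values scan nothing.
        key: projection applied to each sequence element before comparing
            (SearchOpCode compares ``element.get("opcode")``).

    Returns:
        int start index of the first match, or None when not found.
    """
    sig = list(signature)
    sig_len = len(sig)
    if sig_len == 0:
        return None
    # Last start position whose window still fits; min() also caps an
    # over-large scan_length so no window runs past the data.
    window_starts = min(scan_length, len(sequence) - sig_len + 1)
    for start in range(max(window_starts, 0)):
        if all(key(sequence[start + k]) == sig[k] for k in range(sig_len)):
            return start
    return None


# ---------------------------------------------------------------------------
# Listing 1: memory machine-code search
# ---------------------------------------------------------------------------

def ReadHexCode(code):
    """Convert a sequence of byte values to two-digit lowercase hex strings.

    ``0x0a`` becomes ``"0a"`` (zero-padded to two digits, ``0x`` prefix
    dropped), matching the per-byte format the signature lists use.

    Args:
        code: iterable of ints as returned by ``read_memory_byte``.

    Returns:
        list[str] with one hex string per input value.
    """
    # format(b, "02x") gives the same text as the original pad-by-hand
    # branch for every int (zero-pad only kicks in below 0x10).
    return [format(index, "02x") for index in code]


def GetCode():
    """Read the main module of the debugged process byte by byte.

    Connects to the debugger, reads ``[get_local_base(),
    get_local_base() + get_local_size())`` one byte at a time and closes
    the session again.

    Returns:
        list[int] of byte values on success;
        None when ``connect()`` does not return 1;
        False when reading raised (kept for compatibility with the
        original calling convention).

    Raises:
        RuntimeError: the LyScript32 plugin is not importable.
    """
    dbg = _require_debugger()
    try:
        if dbg.connect() != 1:
            return None
        try:
            start_address = dbg.get_local_base()
            end_address = start_address + dbg.get_local_size()
            # Byte-wise reads are the only read primitive the listing shows;
            # this is slow for large modules but kept for fidelity.
            return [dbg.read_memory_byte(index) for index in range(start_address, end_address)]
        finally:
            # The original skipped close() on any read failure.
            dbg.close()
    except Exception:
        return False


def SearchHexCode(Code, SearchCode, ReadByte):
    """Report whether the byte signature ``SearchCode`` occurs in ``Code``.

    Args:
        Code: list of hex strings (output of ReadHexCode).
        SearchCode: list of hex strings to look for, in order.
        ReadByte: number of start positions to scan (normally len(Code)).

    Returns:
        True when the signature occurs at some start < ReadByte, else False.
        An empty signature yields False, as in the original.
    """
    return _first_match_index(Code, SearchCode, ReadByte) is not None


def main_search_hex_code():
    """Listing 1 entry point: scan the main module for a fixed byte signature."""
    ref_code = GetCode()
    # GetCode signals failure with None (no connection) or False (read
    # error); the original's ``!= False`` let None fall through to a crash.
    if not isinstance(ref_code, list):
        print("读取失败")
        return
    hex_code = ReadHexCode(ref_code)
    code_size = len(hex_code)
    # Byte signature to look for, one two-digit hex string per byte.
    search = ['c0', '74', '0d', '66', '3b', 'c6', '77', '08']
    if SearchHexCode(hex_code, search, code_size):
        print("签名{}存在".format(search))
    else:
        print("签名{}不存在".format(search))


# ---------------------------------------------------------------------------
# Listing 2: memory disassembly search
# ---------------------------------------------------------------------------

def SearchOpCode(OpCodeList, SearchCode, ReadByte):
    """Find the first occurrence of an instruction sequence.

    Args:
        OpCodeList: list of dicts as returned by ``get_disasm_code``; each
            entry is read via ``.get("opcode")`` and ``.get("addr")``.
        SearchCode: list of instruction texts, compared by exact string
            equality with each entry's ``"opcode"`` value.
        ReadByte: number of start positions to scan.

    Returns:
        The ``"addr"`` value of the first instruction of the match, or
        None when the sequence does not occur.  Entries that are not
        dicts now raise AttributeError instead of being silently skipped.
    """
    index = _first_match_index(OpCodeList, SearchCode, ReadByte, key=lambda ins: ins.get("opcode"))
    if index is None:
        return None
    return OpCodeList[index].get("addr")


def main_search_opcode():
    """Listing 2 entry point: locate instruction sequences near EIP."""
    dbg = _require_debugger()
    connect_flag = dbg.connect()
    print("连接状态:{}".format(connect_flag))
    # The original carried on after a failed connect; stop here instead.
    if connect_flag != 1:
        return
    try:
        eip = dbg.get_register("eip")
        disasm_dict = dbg.get_disasm_code(eip, DISASM_LINES)
        # Instruction sequences to look for.  Whitespace between mnemonic
        # and operands was lost in the page extraction and is restored
        # here; the text must match x64dbg's disassembly exactly.
        # NOTE(review): "call 0x003F1B38" is an absolute target from the
        # author's session and will differ under ASLR/relocation.
        SearchCode = [
            ["push 0xC0000409", "call 0x003F1B38", "pop ecx"],
            ["push ecx", "push ebx"],
        ]
        for Search in SearchCode:
            ret = SearchOpCode(disasm_dict, Search, DISASM_LINES)
            if ret is not None:
                print("指令集:{}-->第一次出现地址:{}".format(Search, hex(ret)))
    finally:
        dbg.close()


if __name__ == "__main__":
    main_search_hex_code()
    main_search_opcode()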
