PE File format got wrong in AddressOfEntryPoint?
I read chapter 1 of the book "Malware Data Science: Attack Detection and Attribution" and used the pefile Python module to inspect AddressOfEntryPoint.
I found the sample: when I run pe.dump_info(), ircbot.exe's AddressOfEntryPoint is 0xCC00FFEE. That value is huge and looks wrong.
ircbot.exe's OPTIONAL Header
md5: 17fa7ec63b129f171511a9f96f90d0d6
How can I fix this AddressOfEntryPoint?
This is "normal". When you download the samples from the book's URL malwaredatascience.com/code-and-data, the downloaded ZIP file is named malware_data_science_entrypoints_edited.zip. As stated on page 221 of the book, the author did this on purpose to "disable it from executing."
Following @user5742815's comment, I updated the code with the real address of the entry point. The updated script below produces the same output as the script in the book:
#!/usr/bin/python
import pefile
from capstone import Cs, CS_ARCH_X86, CS_MODE_32

# load the target PE file
pe = pefile.PE("ircbot.exe")
# get the address of the program entry point from the program header
# (the header value in the book's sample is patched on purpose, so the
# real entry point RVA is hardcoded instead)
# entrypoint = pe.OPTIONAL_HEADER.AddressOfEntryPoint
# see:
entrypoint = 0x0017b00
# compute memory address where the entry code will be loaded into memory
entrypoint_address = entrypoint + pe.OPTIONAL_HEADER.ImageBase
# get the binary code from the PE file object
binary_code = pe.get_memory_mapped_image()[entrypoint:entrypoint + 100]
# initialize disassembler to disassemble 32 bit x86 binary code
disassembler = Cs(CS_ARCH_X86, CS_MODE_32)
# disassemble the code
for instruction in disassembler.disasm(binary_code, entrypoint_address):
    print("%s\t%s" % (instruction.mnemonic, instruction.op_str))