本文整理汇总了Python中PE.peFromMemoryObject方法的典型用法代码示例。如果您正苦于以下问题:Python PE.peFromMemoryObject方法的具体用法?Python PE.peFromMemoryObject怎么用?Python PE.peFromMemoryObject使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类PE的用法示例。
在下文中一共展示了PE.peFromMemoryObject方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: safeseh
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def safeseh(vdb, line):
"""
Show the SafeSEH status of all the loaded DLLs or list the
handlers for a particular dll by normalized name.
Usage: safeseh [libname]
"""
t = vdb.getTrace()
libs = t.getMeta("LibraryBases")
if len(line):
base = libs.get(line)
if base == None:
vdb.vprint("Unknown library: %s" % line)
return
vdb.vprint("%s:" % line)
try:
p = PE.peFromMemoryObject(t, base)
except Exception as e:
vdb.vprint('Error: %s (0x%.8x) %s' % (line, base, e))
return
if p.IMAGE_LOAD_CONFIG != None:
va = int(p.IMAGE_LOAD_CONFIG.SEHandlerTable)
if va != 0:
count = int(p.IMAGE_LOAD_CONFIG.SEHandlerCount)
for h in t.readMemoryFormat(va, "<%dL" % count):
vdb.vprint("\t0x%.8x %s" % (base+h, vdb.reprPointer(base+h)))
return
vdb.vprint("None...")
else:
lnames = list(libs.keys())
lnames.sort()
for name in lnames:
base = libs.get(name)
try:
p = PE.peFromMemoryObject(t, base)
except Exception as e:
vdb.vprint('Error: %s (0x%.8x) %s' % (name, base, e))
continue
enabled = False
if p.IMAGE_LOAD_CONFIG != None:
va = int(p.IMAGE_LOAD_CONFIG.SEHandlerTable)
if va != 0:
enabled = True
vdb.vprint("%16s\t%s" % (name, enabled))示例2: platformParseBinary
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def platformParseBinary(self, filename, baseaddr, normname):
try:
pe = PE.peFromMemoryObject(self, baseaddr)
for rva, ord, name in pe.getExports():
self.addSymbol(e_resolv.Symbol(name, baseaddr + rva, 0, normname))
except Exception, e:
print ("Error Parsing Binary (%s): %s" % (normname, e))示例3: showaslr
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def showaslr(vdb, base, libname):
t = vdb.getTrace()
try:
p = PE.peFromMemoryObject(t, base)
except Exception, e:
vdb.vprint('Error: %s (0x%.8x) %s' % (libname, base, e))
return示例4: platformParseBinaryPe
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def platformParseBinaryPe(self, filename, baseaddr, normname):
# If we're on windows, fake out the PE header and use dbghelp
if False:
# FIXME this code is stolen and should be a function!
import vtrace.platforms.win32 as vt_win32
fakepe = self.readMemory(baseaddr, 1024)
tfile = tempfile.NamedTemporaryFile(delete=False)
tfilename = tfile.name
import ctypes
pebuf = ctypes.create_string_buffer(fakepe)
try:
try:
tfile.write(fakepe)
tfile.close()
#parser = vt_win32.Win32SymbolParser(-1, tfilename, baseaddr)
parser = vt_win32.Win32SymbolParser(-1, None, ctypes.addressof(pebuf))
parser.parse()
parser.loadSymsIntoTrace(self, normname)
finally:
os.unlink(tfilename)
except Exception as e:
print(e)
else:
pe = PE.peFromMemoryObject(self, baseaddr)
for rva, ord, name in pe.getExports():
self.addSymbol(e_resolv.Symbol(name, baseaddr+rva, 0, normname))示例5: printIAT
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def printIAT(trace, fileName, verbose=False):
#print "FileName: %s" % fileName
libs = trace.getMeta("LibraryPaths")
libBase = trace.getMeta("LibraryBases")
#print "Lib Base: %s" % libBase
#print "File Name: %s" % fileName
base = libBase[fileName.lower()]
p = PE.peFromMemoryObject(trace, base)
IMAGE_DIRECTORY_ENTRY_IMPORT =1 # Import Directory
IMAGE_DIRECTORY_ENTRY_IAT =12 # Import Address Table
idir = p.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
poff = p.rvaToOffset(idir.VirtualAddress)
psize = idir.Size
# Once you have VirtualAddress BP on that and you can stop
# the program before any external call.
p.parseImports()
if verbose == True:
for i in p.imports:
print("Address: %s \tLibrary: %s \tFirstThunk: %s" % (hex(base+i[0]), i[1], i[2]))
return base, p.imports示例6: showaslr
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def showaslr(vdb, base, libname):
t = vdb.getTrace()
p = PE.peFromMemoryObject(t, base)
enabled = False
c = p.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics
if c & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
enabled = True
vdb.vprint("%16s\t%s" % (libname, enabled))示例7: loadSymbols
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def loadSymbols(trace, library, pdb=None):
import PE as PE
SYMBOLS_PATH = os.getenv('_NT_SYMBOL_PATH')
if SYMBOLS_PATH == None:
SYMBOLS_PATH = "C:\\Symbols"
baseaddr = trace.getMeta('LibraryBases').get(library)
if baseaddr == None:
#raise Exception("%s library not loaded" % library)
return 2
else:
pe = PE.peFromMemoryObject(trace, baseaddr)
oh = pe.IMAGE_NT_HEADERS.OptionalHeader
deb = pe.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[PE.IMAGE_DIRECTORY_ENTRY_DEBUG]
virtaddr = deb.vsGetField('VirtualAddress')
virtsize = deb.vsGetField('Size')
poff = pe.rvaToOffset(virtaddr)
if poff == 0:
return 1
imageDebugDirectory = pe.readStructAtOffset(poff, 'pe.IMAGE_DEBUG_DIRECTORY')
addrRawData = imageDebugDirectory.vsGetField('AddressOfRawData')
cvInfoPdb = pe.readStructAtOffset(addrRawData, 'pe.CV_INFO_PDB70')
cvGuid = cvInfoPdb.vsGetField('GuidSignature')
cvSig = cvInfoPdb.vsGetField('CvSignature')
tmpGuid = cvGuid.vsGetFields()
tmpGuid.sort()
guid = bytearray(16)
for elem in range(len(tmpGuid)):
guid[elem] = tmpGuid[elem][1].vsGetValue()
guid_str = str(guid).encode('hex')
if pdb == None:
sympath = os.getenv('_NT_SYMBOL_PATH')
if sympath == None:
# Guess that the symbols are in the typical spot for windows.
sympath = SYMBOLS_PATH
filename = sympath + "\\" + library + ".pdb\\" + guid_str + "1\\" + library + ".pdb"
else:
filename = pdb
if os.path.isfile(filename):
try:
trace.parseWithDbgHelp(filename, baseaddr, library)
return 0
except:
return 1
else:
return 1示例8: showaslr
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def showaslr(vdb, base, libname):
t = vdb.getTrace()
try:
p = PE.peFromMemoryObject(t, base)
except Exception as e:
vdb.vprint('Error: %s (0x%.8x) %s' % (libname, base, e))
return
enabled = False
c = p.IMAGE_NT_HEADERS.OptionalHeader.DllCharacteristics
if c & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
enabled = True
vdb.vprint("%16s\t%s" % (libname, enabled))示例9: platformParseBinary
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def platformParseBinary(self, filename, baseaddr, normname):
try:
pe = PE.peFromMemoryObject(self, baseaddr)
vhash = e_symcache.symCacheHashFromPe(pe)
symcache = self.symcache.getCacheSyms(vhash)
if symcache == None:
# Symbol type 0 for now...
symcache = [ ( rva, 0, name, e_resolv.SYMSTOR_SYM_SYMBOL ) for rva,ord,name in pe.getExports() ]
self.symcache.setCacheSyms( vhash, symcache )
self.impSymCache( symcache, symfname=normname, baseaddr=baseaddr )
except Exception as e:
import traceback;traceback.print_exc()
print(('Error Parsing Binary (%s): %s' % (normname, e)))示例10: get_pe_obj
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def get_pe_obj(va):
"""
Gets a vivisect PE object from a virtual address.
Parameters:
va : virtual address
Returns: vivisect PE object
"""
pu = flaredbg.ProcessUtils()
va = pu.get_allocation_base(va)
pbytes = pu.get_process_region_bytes(va)
memobj = envi.memory.MemoryObject()
memobj.addMemoryMap(va, envi.memory.MM_RWX, "", pbytes)
pe = PE.peFromMemoryObject(memobj, va)
return pe示例11: getOEP
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def getOEP(trace, filepath):
base = None
libs = trace.getMeta("LibraryPaths")
for k, v in libs.iteritems():
if filepath in v:
base = k
if base is None:
p = PE.peFromFileName(filepath)
base = p.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
else:
p = PE.peFromMemoryObject(trace, base)
ep = p.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
oep = base + ep
return oep示例12: getIATLocation
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def getIATLocation(trace, fileName, verbose=False):
#print "FileName: %s" % fileName
libs = trace.getMeta("LibraryPaths")
libBase = trace.getMeta("LibraryBases")
#print "Lib Base: %s" % libBase
#print "File Name: %s" % fileName
base = libBase[fileName.lower()]
p = PE.peFromMemoryObject(trace, base)
IMAGE_DIRECTORY_ENTRY_IMPORT =1 # Import Directory
IMAGE_DIRECTORY_ENTRY_IAT =12 # Import Address Table
idir = p.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
poff = p.rvaToOffset(idir.VirtualAddress)
psize = idir.Size
# Once you have VirtualAddress BP on that and you can stop
# the program before any external call.
return base, poff, psize示例13: hookIat
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def hookIat(trace, libname, implib='*', impfunc='*', fast=False):
'''
Hook the IAT with special "breakpoint" like objects which
handle the memory access errors and document the calls...
Set fast=True for them to be "Fastbreak" breakpoints.
This returns a list of (name, bpid) tuples...
Example:
for impname, bpid in hookIat(t, 'ws2_32')
t.setBreakpointCode(bpid, codestr)
...
'''
ret = []
baseaddr = trace.parseExpression(libname)
pe = PE.peFromMemoryObject(trace, baseaddr)
origs = {}
implib = implib.lower()
impfunc = impfunc.lower()
for rva, ilib, ifunc in pe.getImports():
ilib = ilib.lower().replace('.dll', '')
if ilib != implib and implib != '*':
continue
if ifunc.lower() != impfunc and impfunc!='*':
continue
iatname = '%s.%s.%s' % (libname, ilib, ifunc)
wp = IatHook(baseaddr + rva, iatname)
wp.fastbreak = fast
bpid = trace.addBreakpoint(wp)
ret.append( (iatname, bpid) )
return ret示例14: pe
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
def pe(vdb, line):
"""
Show extended info about loaded PE binaries.
Usage: pe [opts] [<libname>...]
-I Show PE import files.
-m Toggle inmem/ondisk behavior (directly mapped DLLs)
-N Show full NT header
-t Show PE timestamp information
-E Show PE exports
-S Show PE sections
-v Show FileVersion from VS_VERSIONINFO
-V Show all keys from VS_VERSIONINFO
NOTE: "libname" may be a vtrace expression:
Examples:
# Show the imports from a PE loaded at 0x777c0000
pe -I 0x777c0000
# Show the exports from advapi32.dll
pe -E advapi32
# Show the build timestamp of the PE pointed to by a register
pe -t esi
"""
#-v Show PE version information
argv = e_cli.splitargs(line)
try:
opts,args = getopt.getopt(argv, "EImNStvV")
except Exception as e:
return vdb.do_help('pe')
inmem = True
showsecs = False
showvers = False
showtime = False
showimps = False
shownthd = False
showexps = False
showvsin = False
for opt,optarg in opts:
if opt == '-I':
showimps = True
elif opt == '-t':
showtime = True
elif opt == '-v':
showvers = True
elif opt == '-V':
showvsin = True
elif opt == '-N':
shownthd = True
elif opt == '-m':
inmem = False
elif opt == '-S':
showsecs = True
elif opt == '-E':
showexps = True
t = vdb.trace
bases = t.getMeta("LibraryBases")
paths = t.getMeta("LibraryPaths")
names = args
if len(names) == 0:
names = t.getNormalizedLibNames()
names.sort()
names = e_cli.columnstr(names)
for libname in names:
base = bases.get(libname.strip(), None)
if base == None:
base = vdb.trace.parseExpression(libname)
path = paths.get(base, "unknown")
try:
pobj = PE.peFromMemoryObject(t, base)
except Exception as e:
vdb.vprint('Error: %s (0x%.8x) %s' % (libname, base, e))
continue
if showimps:
ldeps = {}
try:
for rva,lname,fname in pobj.getImports():
ldeps[lname.lower()] = True
lnames = list(ldeps.keys())
lnames.sort()
vdb.vprint('0x%.8x - %.30s' % (base, libname))
for lname in lnames:
vdb.vprint(' %s' % lname)
except Exception as e:
vdb.vprint('Import Parser Error On %s: %s' % (libname, e))
elif showvers:
version = 'Unknown!'
vs = pobj.getVS_VERSIONINFO()
#.........这里部分代码省略.........
示例15: int
# 需要导入模块: import PE [as 别名]
# 或者: from PE import peFromMemoryObject [as 别名]
if p.IMAGE_LOAD_CONFIG != None:
va = int(p.IMAGE_LOAD_CONFIG.SEHandlerTable)
if va != 0:
count = int(p.IMAGE_LOAD_CONFIG.SEHandlerCount)
for h in t.readMemoryFormat(va, "<%dL" % count):
vdb.vprint("\t0x%.8x %s" % (base+h, vdb.reprPointer(base+h)))
return
vdb.vprint("None...")
else:
lnames = libs.keys()
lnames.sort()
for name in lnames:
base = libs.get(name)
try:
p = PE.peFromMemoryObject(t, base)
except Exception, e:
vdb.vprint('Error: %s (0x%.8x) %s' % (name, base, e))
continue
enabled = False
if p.IMAGE_LOAD_CONFIG != None:
va = int(p.IMAGE_LOAD_CONFIG.SEHandlerTable)
if va != 0:
enabled = True
vdb.vprint("%16s\t%s" % (name, enabled))
def validate_heaps(db):
"""
A simple routine that works like the built in windows