

Python vstruct.getStructure函数代码示例

本文整理汇总了Python中vstruct.getStructure函数的典型用法代码示例。如果您正苦于以下问题:Python getStructure函数的具体用法?Python getStructure怎么用?Python getStructure使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了getStructure函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: parseSections

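    def parseSections(self):
        """
        Populate self.sections with one parsed pe.IMAGE_SECTION_HEADER per
        entry of the section table.

        The table starts right after IMAGE_NT_HEADERS and its entry count is
        FileHeader.NumberOfSections.  Both values come from the file being
        parsed and are therefore untrusted: only whole headers are parsed,
        so a truncated read yields fewer sections instead of handing a
        partial buffer to vsParse.
        """
        self.sections = []
        off = self.IMAGE_DOS_HEADER.e_lfanew + len(self.IMAGE_NT_HEADERS)

        secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))
        nsecs = self.IMAGE_NT_HEADERS.FileHeader.NumberOfSections

        sbytes = self.readAtOffset(off, secsize * nsecs)
        if not sbytes:
            return

        # Walk the buffer by offset rather than re-slicing the remainder on
        # every pass (the old loop copied the tail each iteration).  The
        # range stops at the last whole header; a trailing fragment means
        # the table extends past the data that could be read.
        for start in range(0, len(sbytes) - secsize + 1, secsize):
            sec = vstruct.getStructure("pe.IMAGE_SECTION_HEADER")
            sec.vsParse(sbytes[start:start + secsize])
            self.sections.append(sec)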
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:12,代码来源:__init__.py

示例2: __init__

    def __init__(self, fd, inmem=False):
        """
        Build a PE object from the file-like object ``fd``.

        ``inmem`` is only recorded on the instance here.  The DOS header is
        parsed first so that ``e_lfanew`` can locate the NT headers; those
        are parsed with the 32-bit layout and re-read with the 64-bit one
        when the machine field names an AMD64 or IA64 image.
        """
        object.__init__(self)
        self.inmem = inmem

        self.fd = fd
        fd.seek(0)

        # PE32 defaults; replaced below when the image turns out to be PE32+.
        self.pe32p = False
        self.psize = 4
        self.high_bit_mask = 0x80000000

        doshdr = vstruct.getStructure("pe.IMAGE_DOS_HEADER")
        self.IMAGE_DOS_HEADER = doshdr
        doshdr.vsParse(self.readAtOffset(0, len(doshdr)))

        ntoff = doshdr.e_lfanew
        nthdrs = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS")

        # The 32-bit parse already exposes Machine; a 64-bit machine means
        # the optional header uses the PE32+ layout, so parse again.
        is64 = nthdrs.FileHeader.Machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_IA64)
        if is64:
            nthdrs = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS64")
            self.pe32p = True
            self.psize = 8
            self.high_bit_mask = 0x8000000000000000

        self.IMAGE_NT_HEADERS = nthdrs
开发者ID:Fitblip,项目名称:vdb-fork,代码行数:27,代码来源:__init__.py

示例3: getStruct

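    def getStruct(self, sname, va=None):
        """
        Retrieve a vstruct structure optionally populated with memory from
        the specified address.  Returns a standard vstruct object.

        ``sname`` is a dotted name; the part before the first dot is the
        library whose symbols may have to be loaded first.  When ``va`` is
        given, ``len(vs)`` bytes are read from that address and parsed into
        the structure.  Returns None when no structure of that name exists.
        """
        # Check if we need to parse symbols for a library
        libbase = sname.split('.')[0]
        self._loadBinaryNorm(libbase)

        if self.vsbuilder.hasVStructNamespace(libbase):
            vs = self.vsbuilder.buildVStruct(sname)
        else:
            # FIXME this is deprecated and should die...
            vs = vstruct.getStructure(sname)

        # Identity checks: the original ``== None`` would route through any
        # rich comparison the structure class happens to define.
        if vs is None:
            return None

        if va is None:
            return vs

        bytez = self.readMemory(va, len(vs))
        vs.vsParse(bytez)
        return vs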
开发者ID:Fitblip,项目名称:SocketSniff,代码行数:25,代码来源:__init__.py

示例4: __init__

    def __init__(self, fd, inmem=False):
        """
        Construct a PE object.  use inmem=True if you are
        using a MemObjFile or other "memory like" image.

        The DOS header is read directly from ``fd`` after rewinding it to
        offset 0; the NT headers are then located through ``e_lfanew`` and
        re-read with the 64-bit layout when the machine field is AMD64.
        """
        object.__init__(self)
        self.inmem = inmem
        self.fd = fd
        self.fd.seek(0)

        # PE32 defaults; flipped below when the image is PE32+.
        self.pe32p, self.psize = False, 4

        doshdr = vstruct.getStructure("pe.IMAGE_DOS_HEADER")
        self.IMAGE_DOS_HEADER = doshdr
        doshdr.vsParse(fd.read(len(doshdr)))

        ntoff = doshdr.e_lfanew
        nthdrs = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS")

        # Parse in a default 32 bit, and then check for 64...
        if nthdrs.FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64:
            nthdrs = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS64")
            self.pe32p, self.psize = True, 8

        self.IMAGE_NT_HEADERS = nthdrs
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:25,代码来源:__init__.py

示例5: readStructAtRva

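 def readStructAtRva(self, rva, structname, check=False):
     """
     Build the vstruct named ``structname`` and parse it from the image
     bytes at ``rva``.

     With ``check=True`` the RVA range is validated through ``checkRva``
     first and None is returned when it does not fit; use this mode for
     any RVA that was itself read out of the file.
     """
     s = vstruct.getStructure(structname)
     slen = len(s)
     if check and not self.checkRva(rva, size=slen):
         return None
     # Local renamed from ``bytes`` so the builtin is no longer shadowed;
     # the already-computed length is reused instead of calling len() again.
     sbytes = self.readAtRva(rva, slen)
     s.vsParse(sbytes)
     return s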
开发者ID:Fitblip,项目名称:vdb-fork,代码行数:8,代码来源:__init__.py

示例6: readStructAtOffset

    def readStructAtOffset(self, offset, structname):
        """
        Parse the vstruct ``structname`` from file offset ``offset``.

        Returns None when ``readAtOffset`` yields nothing for that range,
        so a caller can tell "no data there" apart from a parsed structure.
        """
        vs = vstruct.getStructure(structname)
        raw = self.readAtOffset(offset, len(vs))
        if raw:
            vs.vsParse(raw)
            return vs
        return None
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:8,代码来源:__init__.py

示例7: getStruct

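 def getStruct(self, sname, address):
     """
     Retrieve a vstruct structure populated with memory from
     the specified address.  Returns a standard vstruct object.

     ``len(vs)`` bytes are read from ``address`` and parsed into the
     freshly built structure named ``sname``.
     """
     vs = vstruct.getStructure(sname)
     # Local renamed from ``bytes`` so the builtin is not shadowed.
     bytez = self.readMemory(address, len(vs))
     vs.vsParse(bytez)
     return vs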
开发者ID:mwollenweber,项目名称:rebridge,代码行数:9,代码来源:__init__.py

示例8: parseImports

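    def parseImports(self):
        """
        Populate self.imports with (thunk_rva, libname, funcname) tuples
        taken from the import directory.

        Every value walked here (directory RVAs, thunk arrays, name
        strings) is read from the file itself, so it is untrusted input.
        Reads are best-effort: an empty read of a descriptor ends the walk
        instead of feeding an empty buffer to vsParse.
        """
        self.imports = []

        idir = self.IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
        poff = self.rvaToOffset(idir.VirtualAddress)

        # Presumably rvaToOffset() yields 0 for an RVA that maps nowhere
        # (the original relied on that); no import directory in that case.
        if poff == 0:
            return

        # The "import by ordinal" flag is the top bit of a thunk entry, so
        # its position follows the pointer size: bit 31 for PE32, bit 63
        # for PE32+.  The former fixed 0x80000000 mask (flagged by a FIXME)
        # mis-classified every 64-bit ordinal import as a name RVA.
        ord_flag = 1 << (self.psize * 8 - 1)

        x = vstruct.getStructure("pe.IMAGE_IMPORT_DIRECTORY")
        isize = len(x)
        dbytes = self.readAtOffset(poff, isize)
        if not dbytes:
            return
        x.vsParse(dbytes)

        while x.Name != 0:

            liboff = self.rvaToOffset(x.Name)
            libname = self.readAtOffset(liboff, 256).split("\x00")[0]

            idx = 0
            noff = self.rvaToOffset(x.OriginalFirstThunk)
            aoff = self.rvaToOffset(x.FirstThunk)

            while True:
                ava = self.readPointerAtOffset(aoff + (self.psize * idx))
                if ava == 0:
                    break

                nva = self.readPointerAtOffset(noff + (self.psize * idx))
                if nva & ord_flag:
                    name = ordlookup.ordLookup(libname, nva & 0x7FFFFFFF)
                else:
                    nameoff = self.rvaToOffset(nva) + 2  # Skip the short "hint"
                    name = self.readAtOffset(nameoff, 256).split("\x00")[0]

                self.imports.append((x.FirstThunk + (idx * self.psize), libname, name))

                idx += 1

            # Next descriptor: a null Name terminates the table, and running
            # out of readable data ends it early.
            poff += isize
            dbytes = self.readAtOffset(poff, isize)
            if not dbytes:
                break
            x.vsParse(dbytes)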
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:40,代码来源:__init__.py

示例9: getSignature

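    def getSignature(self):
        '''
        Returns the SignatureEntry vstruct if the pe has an embedded
        certificate.  Returns None when the security directory has a
        size of zero or less, when its bytes cannot be read, or when the
        entry does not start with the expected magic.

        For the security directory the "VirtualAddress" field is a file
        offset rather than an RVA, which is why the bytes are fetched
        with readAtOffset().
        '''
        ds = self.getDataDirectory(IMAGE_DIRECTORY_ENTRY_SECURITY)

        va = ds.VirtualAddress
        size = ds.Size
        if size <= 0:
            return None

        # Both fields come from the file.  When the file size is known
        # (it is None for in-memory images), refuse a range that cannot
        # fit rather than asking for an arbitrarily large read.
        filesize = getattr(self, 'filesize', None)
        if filesize is not None and va + size > filesize:
            return None

        bytez = self.readAtOffset(va, size)
        if not bytez:
            return None

        se = vstruct.getStructure('pe.SignatureEntry')
        se.vsParse(bytez)

        if se.magic != "\x00\x02\x02\x00":
            return None

        return se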
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:24,代码来源:__init__.py

示例10: __init__

    def __init__(self, fd, inmem=False):
        """
        Construct a PE object.  use inmem=True if you are
        using a MemObjFile or other "memory like" image.

        For a real file the size is recorded in ``self.filesize`` so that
        later parsing can bound its reads; an in-memory image leaves it
        as None.  The NT headers are parsed as PE32 first and re-parsed
        as PE32+ when the machine field names an AMD64 or IA64 image.
        """
        object.__init__(self)
        self.inmem = inmem
        self.filesize = None

        if not inmem:
            # Measure the file, then rewind so header reads start at 0.
            fd.seek(0, os.SEEK_END)
            self.filesize = fd.tell()
            fd.seek(0)

        self.fd = fd

        # PE32 defaults; replaced below for PE32+.
        self.pe32p = False
        self.psize = 4
        self.high_bit_mask = 0x80000000

        doshdr = vstruct.getStructure("pe.IMAGE_DOS_HEADER")
        self.IMAGE_DOS_HEADER = doshdr
        doshdr.vsParse(self.readAtOffset(0, len(doshdr)))

        ntoff = doshdr.e_lfanew
        nthdrs = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS")

        # Parse in a default 32 bit, and then check for 64...
        if nthdrs.FileHeader.Machine in (IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_MACHINE_IA64):
            nthdrs = self.readStructAtOffset(ntoff, "pe.IMAGE_NT_HEADERS64")
            self.pe32p = True
            self.psize = 8
            self.high_bit_mask = 0x8000000000000000

        self.IMAGE_NT_HEADERS = nthdrs
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:36,代码来源:__init__.py

示例11: len

        vsver = vs.getVersionValue('FileVersion')
        if vsver != None and len(vsver):
            # add check to split seeing samples with spaces and nothing else..
            parts = vsver.split()
            if len(parts):
                vsver = vsver.split()[0]
                vw.setFileMeta(fname, 'Version', vsver)

    # Setup some va sets used by windows analysis modules
    vw.addVaSet("Library Loads", (("Address", VASET_ADDRESS),("Library", VASET_STRING)))
    vw.addVaSet('pe:ordinals', (('Address', VASET_ADDRESS),('Ordinal',VASET_INTEGER)))

    # SizeOfHeaders spoofable...
    curr_offset = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS) 
    
    secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))
    
    sec_offset = pe.IMAGE_DOS_HEADER.e_lfanew + 4 + len(pe.IMAGE_NT_HEADERS.FileHeader) +  pe.IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader 
    
    if sec_offset != curr_offset:
        header_size = sec_offset + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
    else:
        header_size = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS) + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize

    # Add the first page mapped in from the PE header.
    header = pe.readAtOffset(0, header_size)


    secalign = pe.IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment

    subsys_majver = pe.IMAGE_NT_HEADERS.OptionalHeader.MajorSubsystemVersion
开发者ID:atlas0fd00m,项目名称:vivisect,代码行数:31,代码来源:pe.py

示例12: loadPeIntoWorkspace

def loadPeIntoWorkspace(vw, pe, filename=None):
    mach = pe.IMAGE_NT_HEADERS.FileHeader.Machine

    arch = arch_names.get(mach)
    if arch is None:
        raise Exception("Machine %.4x is not supported for PE!" % mach)

    vw.setMeta('Architecture', arch)
    vw.setMeta('Format', 'pe')

    platform = 'windows'

    # Drivers are platform "winkern" so impapi etc works
    subsys = pe.IMAGE_NT_HEADERS.OptionalHeader.Subsystem
    if subsys == PE.IMAGE_SUBSYSTEM_NATIVE:
        platform = 'winkern'

    vw.setMeta('Platform', platform)

    defcall = defcalls.get(arch)
    if defcall:
        vw.setMeta("DefaultCall", defcall)

    # Set ourselvs up for extended windows binary analysis

    baseaddr = pe.IMAGE_NT_HEADERS.OptionalHeader.ImageBase
    entry = pe.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint + baseaddr
    entryrva = entry - baseaddr

    codebase = pe.IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode
    codesize = pe.IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode
    codervamax = codebase + codesize

    fvivname = filename

    # This will help linkers with files that are re-named
    dllname = pe.getDllName()
    if dllname != None:
        fvivname = dllname

    if fvivname == None:
        fvivname = "pe_%.8x" % baseaddr

    fhash = "unknown hash"
    if os.path.exists(filename):
        fhash = v_parsers.md5File(filename)

    fname = vw.addFile(fvivname.lower(), baseaddr, fhash)

    symhash = e_symcache.symCacheHashFromPe(pe)
    vw.setFileMeta(fname, 'SymbolCacheHash', symhash)

    # Add file version info if VS_VERSIONINFO has it
    vs = pe.getVS_VERSIONINFO()
    if vs != None:
        vsver = vs.getVersionValue('FileVersion')
        if vsver != None and len(vsver):
            # add check to split seeing samples with spaces and nothing else..
            parts = vsver.split()
            if len(parts):
                vsver = vsver.split()[0]
                vw.setFileMeta(fname, 'Version', vsver)

    # Setup some va sets used by windows analysis modules
    vw.addVaSet("Library Loads", (("Address", VASET_ADDRESS), ("Library", VASET_STRING)))
    vw.addVaSet('pe:ordinals', (('Address', VASET_ADDRESS), ('Ordinal', VASET_INTEGER)))

    # SizeOfHeaders spoofable...
    curr_offset = pe.IMAGE_DOS_HEADER.e_lfanew + len(pe.IMAGE_NT_HEADERS)

    secsize = len(vstruct.getStructure("pe.IMAGE_SECTION_HEADER"))

    sec_offset = pe.IMAGE_DOS_HEADER.e_lfanew + 4 + len(
        pe.IMAGE_NT_HEADERS.FileHeader) + pe.IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader

    if sec_offset != curr_offset:
        header_size = sec_offset + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize
    else:
        header_size = pe.IMAGE_DOS_HEADER.e_lfanew + len(
            pe.IMAGE_NT_HEADERS) + pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections * secsize

    # Add the first page mapped in from the PE header.
    header = pe.readAtOffset(0, header_size)

    secalign = pe.IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment

    subsys_majver = pe.IMAGE_NT_HEADERS.OptionalHeader.MajorSubsystemVersion
    subsys_minver = pe.IMAGE_NT_HEADERS.OptionalHeader.MinorSubsystemVersion

    secrem = len(header) % secalign
    if secrem != 0:
        header += b"\x00" * (secalign - secrem)

    vw.addMemoryMap(baseaddr, e_mem.MM_READ, fname, header)
    vw.addSegment(baseaddr, len(header), "PE_Header", fname)

    hstruct = vw.makeStructure(baseaddr, "pe.IMAGE_DOS_HEADER")
    magicaddr = hstruct.e_lfanew
    if vw.readMemory(baseaddr + magicaddr, 2) != b"PE":
        raise Exception("We only support PE exe's")
#.........这里部分代码省略.........
开发者ID:bat-serjo,项目名称:vivisect,代码行数:101,代码来源:pe.py

示例13: readStructAtOffset

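 def readStructAtOffset(self, offset, structname):
     """
     Parse the vstruct ``structname`` from file offset ``offset`` and
     return it.

     No check is made that the read returned enough data; offsets here
     are usually derived from the file, so a truncated or hostile image
     presumably surfaces as an error from vsParse rather than as None.
     """
     s = vstruct.getStructure(structname)
     # Renamed from ``bytes`` (which shadowed the builtin); the stale
     # commented-out debug print has been dropped.
     sbytes = self.readAtOffset(offset, len(s))
     s.vsParse(sbytes)
     return s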
开发者ID:jakebarnwell,项目名称:PythonGenerator,代码行数:6,代码来源:__init__.py

示例14: writeBeingDebugged

 def writeBeingDebugged(self, trace, val):
     """
     Store ``val`` into the BeingDebugged byte of the traced process's
     PEB.

     The PEB address is resolved through the trace's ``peb`` expression
     and the field offset from the win32.PEB vstruct layout, so no
     hard-coded offset is involved.
     """
     peb_layout = vstruct.getStructure('win32.PEB')
     field_off = peb_layout.vsGetOffset('BeingDebugged')
     target = trace.parseExpression('peb') + field_off
     trace.writeMemoryFormat(target, '<B', val)
开发者ID:Fitblip,项目名称:SocketSniff,代码行数:5,代码来源:win32stealth.py

示例15: parseImports

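    def parseImports(self):
        """
        Populate self.imports with (iat_rva, libname, funcname) tuples.

        Every RVA and count used here is read from the file itself, so the
        walk is defensive throughout: each descriptor, thunk array and name
        is range-checked through checkRva()/getMaxRva() before it is read,
        and a thunk array that runs past the file discards everything
        parsed so far rather than keeping suspect entries.
        """
        self.imports = []

        idir = self.getDataDirectory(IMAGE_DIRECTORY_ENTRY_IMPORT)

        # RP BUG FIX - invalid IAT entry will point of range of file
        irva = idir.VirtualAddress
        x = self.readStructAtRva(irva, 'pe.IMAGE_IMPORT_DIRECTORY', check=True)
        if x is None:
            return

        isize = len(x)

        while self.checkRva(x.Name):

            # RP BUG FIX - we can't assume that we have 256 bytes to read
            libname = self.readStringAtRva(x.Name, maxsize=256)
            idx = 0

            # Prefer the import name table; fall back to the IAT when the
            # descriptor carries no OriginalFirstThunk.
            imp_by_name = x.OriginalFirstThunk
            if imp_by_name == 0:
                imp_by_name = x.FirstThunk

            if not self.checkRva(imp_by_name):
                break

            while True:

                arrayoff = self.psize * idx
                if self.filesize is not None and arrayoff > self.filesize:
                    self.imports = []  # we probably put garbage in here..
                    return

                ibn_rva = self.readPointerAtRva(imp_by_name + arrayoff)
                if ibn_rva == 0:
                    break

                if ibn_rva & self.high_bit_mask:
                    # Import by ordinal: flag bit set, low bits hold the ordinal.
                    funcname = ordlookup.ordLookup(libname, ibn_rva & 0x7fffffff)

                else:
                    # RP BUG FIX - we can't use this API on this call because we can have binaries that put their import table
                    # right at the end of the file, statically saying the imported function name is 128 will cause use to potentially
                    # over run our read and traceback...

                    diff = self.getMaxRva() - ibn_rva - 2
                    ibn = vstruct.getStructure("pe.IMAGE_IMPORT_BY_NAME")
                    ibn.vsGetField('Name').vsSetLength(min(diff, 128))
                    ibnbytes = self.readAtRva(ibn_rva, len(ibn), shortok=True)
                    if not ibnbytes:
                        break
                    try:
                        ibn.vsParse(ibnbytes)
                    except Exception:
                        # Malformed name entry: skip this slot but keep walking.
                        # (The former bare ``except`` also swallowed KeyboardInterrupt.)
                        idx += 1
                        continue

                    funcname = ibn.Name

                self.imports.append((x.FirstThunk + arrayoff, libname, funcname))

                idx += 1

            irva += isize

            # RP BUG FIX - if the import table is at the end of the file we can't count on the ending to be null
            if not self.checkRva(irva, size=isize):
                break

            x.vsParse(self.readAtRva(irva, isize))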
开发者ID:bl4ckw0rm,项目名称:vivisect,代码行数:70,代码来源:__init__.py


注:本文中的vstruct.getStructure函数示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。