Capstone是一個輕量級的多平臺、多架構的反彙編框架,該模塊支持目前所有通用操作系統,反彙編架構幾乎全部支持。
capstone使用起來非常簡單,如果只需要靜態反彙編,則幾行代碼即可完成該功能了。
from capstone import *
# powerby LyShark
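def Disassembly(path, BaseAddr, FileOffset, ReadByte, mode=CS_MODE_32):
    """Disassemble a raw byte range of a file and print one dict per instruction.

    Args:
        path: file to read.
        BaseAddr: address added to each instruction offset (converted with int()).
        FileOffset: file offset at which reading starts (converted with int()).
        ReadByte: number of bytes to read (converted with int()).
        mode: capstone x86 mode; defaults to CS_MODE_32, the value the
            original hard-coded.

    Returns:
        The list of printed dicts, in disassembly order. Empty when nothing was
        read (offset past EOF) or nothing could be decoded.
    """
    with open(path, "rb") as fp:
        fp.seek(int(FileOffset))
        opcode = fp.read(int(ReadByte))
    base = int(BaseAddr)
    md = Cs(CS_ARCH_X86, mode)
    result = []
    # capstone's disasm() stops at the first undecodable instruction (skipdata
    # is off), so a bad offset yields a short or empty list rather than an error.
    for insn in md.disasm(opcode, 0):
        dic = {"Addr": str(base + insn.address), "OpCode": insn.mnemonic + " " + insn.op_str}
        print(dic)
        result.append(dic)
    return result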
if __name__ == "__main__":
    # Arguments: file name, load address, start offset in the file, byte count.
    # NOTE(review): 401000 is a decimal literal; if the usual .text start
    # 0x401000 was intended, write it as hex — confirm against the binary.
    target = "d://Win32Project.exe"
    Disassembly(target, 401000, 0, 1024)
如果需要針對.text節進行反彙編,則需要通過pefile模塊找到該節所對應到文件中的位置,並從該位置開始向下反編譯即可,代碼如下:
from capstone import *
import pefile
# 遍歷整個可執行文件並返回彙編代碼,有一個小Bug
# powerby LyShark
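def FOA_Disassembly(FilePath):
    """Disassemble every ".text" section of a PE file and return the instructions.

    Each matching section is located through its header (PointerToRawData),
    read from the file, and disassembled starting at ImageBase + VirtualAddress.

    Args:
        FilePath: path of the PE file.

    Returns:
        A list of {"Addr": hex-string, "OpCode": "mnemonic operands"} dicts in
        address order; each dict is also printed as it is produced.

    Raises:
        pefile.PEFormatError: when the file is not a parseable PE image.
    """
    opcode_list = []
    pe = pefile.PE(FilePath)
    try:
        ImageBase = pe.OPTIONAL_HEADER.ImageBase
        # PE32+ images carry 64-bit code; the original always decoded as 32-bit.
        mode = CS_MODE_64 if pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS else CS_MODE_32
        md = Cs(CS_ARCH_X86, mode)
        for section in pe.sections:
            # Compare raw bytes: section names in an untrusted file need not be
            # valid UTF-8, so decoding first could raise on a crafted sample.
            if section.Name.rstrip(b"\x00") != b".text":
                continue
            StartVA = ImageBase + section.VirtualAddress
            # VirtualSize may exceed what is stored on disk (the remainder is
            # zero-filled at load time); reading VirtualSize bytes would spill
            # into the next section's raw data, so bound by SizeOfRawData.
            read_len = min(section.Misc_VirtualSize, section.SizeOfRawData)
            with open(FilePath, "rb") as fp:
                fp.seek(section.PointerToRawData)
                HexCode = fp.read(read_len)
            # distinct loop variable: the original reused `item` for both the
            # section loop and the instruction loop
            for insn in md.disasm(HexCode, 0):
                addr = hex(StartVA + insn.address)
                dic = {"Addr": str(addr), "OpCode": insn.mnemonic + " " + insn.op_str}
                print("[+] 反彙編地址: {} 參數: {}".format(addr, dic))
                opcode_list.append(dic)
    finally:
        # release the mapped file held by pefile
        pe.close()
    return opcode_list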
if __name__ == "__main__":
    # Disassemble the sample's .text section and echo the collected list.
    instructions = FOA_Disassembly("d://Win32Project.exe")
    print(instructions)