PE file format: wrong AddressOfEntryPoint?



I went through the first chapter of the book "Malware Data Science: Attack Detection and Attribution" and used the pefile Python module to inspect AddressOfEntryPoint. In the example I found that the AddressOfEntryPoint of ircbot.exe is 0xCC00FFEE when I run pe.dump_info(). This value is very large and looks wrong.

Optional header of ircbot.exe, MD5: 17FA7EC63B129F171511A9F96F90D0D6

How do I fix this entry point address?

This problem is "normal". When you download the samples from the book's URL malwaredatascience.com/code-and-data, the downloaded ZIP file is named malware_data_science_entrypoints_edited.zip. As stated on page 221 of the book, the author did this deliberately in order "to forbid execution".

Following @user5742815's comment, I updated the code with the real address of the entry point. The updated script below produces the same output as in the book:

#!/usr/bin/python
import pefile
from capstone import Cs, CS_ARCH_X86, CS_MODE_32

# load the target PE file
pe = pefile.PE("ircbot.exe")

# get the address of the program entry point from the program header
# (commented out: the sample ships with a deliberately bogus value, 0xCC00FFEE)
# entrypoint = pe.OPTIONAL_HEADER.AddressOfEntryPoint
# see: https://stackoverflow.com/questions/52810422/pe-file-format-got-wrong-in-addressofentrypoint
entrypoint = 0x0017b00

# compute the virtual address where the entry code will be loaded into memory
entrypoint_address = entrypoint + pe.OPTIONAL_HEADER.ImageBase

# get the binary code from the PE file object (first 100 bytes at the entry point RVA)
binary_code = pe.get_memory_mapped_image()[entrypoint:entrypoint + 100]

# initialize the disassembler for 32-bit x86 code
disassembler = Cs(CS_ARCH_X86, CS_MODE_32)

# disassemble the code, printing mnemonic and operands separated by a tab
for instruction in disassembler.disasm(binary_code, entrypoint_address):
    print("%s\t%s" % (instruction.mnemonic, instruction.op_str))

Latest update
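The reason a value like 0xCC00FFEE "looks wrong" can be checked mechanically instead of by eye: AddressOfEntryPoint is an RVA, so it must be smaller than SizeOfImage and fall inside some section, otherwise slicing the mapped image at that RVA yields nothing and the loader would fault. The following added example (not code from the book or from the post) implements that check with only the struct module, over a constructed minimal PE32 image so it runs without pefile or the sample file; the header layout used is the standard one, the image contents are invented.

```python
import struct

def build_pe(entry_rva, size_of_image=0x24000):
    """Constructed minimal PE32 image (not a real file): DOS header with e_lfanew,
    'PE\\0\\0' signature, COFF header, PE32 optional header and one .text section."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header at 0x40
    opt = bytearray(96)                                   # PE32 optional header, no data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)        # SizeOfImage
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)  # i386, 1 section
    sect = bytearray(40)
    sect[0:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sect, 8, 0x20000, 0x1000, 0x20000, 0x400)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)

def check_entry_point(data):
    """Parse the headers and report where AddressOfEntryPoint lands."""
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24                                     # optional header follows COFF header
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    result = {"entry_rva": entry, "va": image_base + entry,
              "in_image": entry < size_of_image, "section": None, "file_offset": None}
    sec = opt + opt_size                                  # section table follows optional header
    for _ in range(nsections):
        name = data[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + 8)
        if va <= entry < va + max(vsize, rawsize):
            result["section"] = name
            result["file_offset"] = rawptr + (entry - va)  # where the entry bytes sit on disk
        sec += 40
    return result

def entry_point_looks_tampered(data):
    """True when the RVA is outside the image or not covered by any section."""
    r = check_entry_point(data)
    return not r["in_image"] or r["section"] is None

if __name__ == "__main__":
    for rva in (0xCC00FFEE, 0x17B00):
        print(hex(rva), check_entry_point(build_pe(rva)), entry_point_looks_tampered(build_pe(rva)))
```

Run against the real sample with pefile, the same test is `pe.OPTIONAL_HEADER.AddressOfEntryPoint < pe.OPTIONAL_HEADER.SizeOfImage` plus a lookup through `pe.sections`; the edited ircbot.exe fails it, which is why the script above has to hard-code the RVA.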