X64dbg脚本实现自动DUMP运行中解密出的PE文件

最新推荐文章于 2024-02-23 13:45:09 发布

摔不死的笨鸟

最新推荐文章于 2024-02-23 13:45:09 发布

阅读量1.1k

点赞数

分类专栏： Windows逆向文章标签： x64dbg

原文链接：https://n1ght-w0lf.github.io/tutorials/writing-x64dbg-scripts/

版权

Windows逆向专栏收录该内容

46 篇文章 12 订阅 ¥59.90 ¥99.00

订阅专栏

超级会员免费看

X64dbg脚本实现自动DUMP运行中解密出的PE文件

// define a variable to hold allocated mem address
var mem_addr
// define a variable to hold allocated mem size
var mem_size

// set breakpoint on VirtualAlloc
bp VirtualAlloc
// set callback on breakpoint hit
SetBreakpointCommand VirtualAlloc, "scriptcmd call cb_virtual_alloc"
// set breakpoint on VirtualProtect
bp VirtualProtect
// set callback on breakpoint hit
SetBreakpointCommand VirtualProtect, "scriptcmd call cb_virtual_protect"

// go to main label
goto main

// define VirtualAlloc callback label
cb_virtual_alloc:
    // run until return (stepout)
    rtr
    // set mem_addr value to cax value (return value)
    set mem_addr, cax
    // log memory address
    log "Allocated memory address: {x:mem_addr}"
    // set mem_size value to VirtualAlloc's second arg value (region size)
    set mem_size, arg.get(1)
    // log memory size
    log "Allocated memory size: {x:mem_size}"
    // go to main label
    goto main

// define VirtualProtect callback label
cb_virtual_protect:
    // log VirtualProtect's second arg value (new protection)
    log "New protection: {x:arg.get(2)}"
    // compare the first 2 bytes at mem_addr address to "MZ"
    cmp word(mem_addr), 5a4d
    // if not equal, jump to main label
    jne main
    // dump data at mem_addr address to disk
    savedata :memdump:, mem_addr, mem_size

// define main label
main:
    // run the program
    run

// end the script
ret