第二章基础静态分析进阶：x86反汇编

《基于数据科学的恶意软件分析》

Malware Data Science Attack Detection and Attribution
Joshua Saxe Hillary Sanders著 何能强 严寒冰 译

代码清单2-2 反汇编ircbot.exe

#终端输入
pip install pefile
pip install capstone

#!/usr/bin/python3
#-*- coding:utf-8 -*-

import pefile
from capstone import *

# load the target PE file
#加载目标PE文件
pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch2/ircbot.exe")

# get the address of the program entry point from the program header
#从程序头中获取程序入口点的地址
entrypoint = pe.OPTIONAL_HEADER.AddressOfEntryPoint

# compute memory address where the entry code will be loaded into memory
#计算入口代码被加载到内存中的内存地址
entrypoint_address = entrypoint+pe.OPTIONAL_HEADER.ImageBase

# get the binary code from the PE file object
#从PE文件对象获取二进制代码
binary_code = pe.get_memory_mapped_image()[entrypoint:entrypoint+100]

# initialize disassembler to disassemble 32 bit x86 binary code
#初始化反汇编程序以反汇编32位x86二进制代码
disassembler = Cs(CS_ARCH_X86, CS_MODE_32)

# disassemble the code
#反汇编代码
for instruction in disassembler.disasm(binary_code, entrypoint_address):
    print("%s\t%s"%(instruction.mnemonic, instruction.op_str))

result:

python SyntaxError: invalid character in identifier

#disassemble the code
#反汇编代码
for instruction in disassembler.disasm(binary_code, entrypoint_address):
    print("%s\t%s"%(instruction.mnemonic, instruction.op_str))
#确保代码行内没有夹杂中文空格
#推荐学习：https://blog.csdn.net/justdoitjs/article/details/78988225

认真是一种态度更是一种责任