Created
September 28, 2012 03:58
-
-
Save annidy/bbfc132dec9416cdc4c0 to your computer and use it in GitHub Desktop.
反文件透明加密
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- coding:utf-8 -*- | |
| from pydbg import * | |
| from pydbg.defines import * | |
| import os | |
| import sys | |
| __author__ = 'fengxing <anndiy(at)gmail.com>' | |
| __date__ = '2012-9-28' | |
| def handler_MapViewOfFile(dbg): | |
| module = dbg.addr_to_module(dbg.get_arg(0)) | |
| if module.szModule == 'notepad.exe': | |
| # dump process | |
| map_size = dbg.get_arg(5) | |
| ptr = dbg.get_register('EAX') | |
| write_new_file(dbg.read_process_memory(ptr, map_size), dbg.file_mirror) | |
| dbg.terminate_process() # close the process | |
| return DBG_CONTINUE | |
| def func_ret_MapViewOfFileEx(dbg): | |
| base = dbg.func_resolve('kernel32.dll', 'MapViewOfFile') | |
| return base + 0x1C | |
| def handler_load_dll(dbg): | |
| last_dll = dbg.get_system_dll(-1) | |
| if last_dll.name == 'kernel32.dll': | |
| dbg.bp_set(func_ret_MapViewOfFileEx(dbg), handler=handler_MapViewOfFile) | |
| return DBG_CONTINUE | |
| def write_new_file(file_content, file_mirror): | |
| if file_mirror: | |
| with open(file_mirror, 'wb+') as fd: | |
| fd.write(file_content) | |
| else: | |
| print file_content | |
| def dump_file(file_origin, file_mirror): | |
| try: | |
| if os.path.getsize(file_origin) == 0: | |
| write_new_file("", file_mirror) | |
| return # notepad not call MapViewOfFile if size is 0 or no-exist | |
| except OSError: | |
| return | |
| dbg = pydbg() | |
| dbg.file_mirror = file_mirror | |
| dbg.set_callback(LOAD_DLL_DEBUG_EVENT, handler_load_dll) | |
| dbg.load(r"c:\windows\system32\notepad.exe", command_line=file_origin, show_window=False) | |
| dbg.run() | |
| if __name__ == '__main__': | |
| if len(sys.argv) < 2: | |
| print 'Usage: %s file_origin <file_mirror>'%sys.argv[0] | |
| exit(1) | |
| elif len(sys.argv) == 2: | |
| dump_file(sys.argv[1], None) | |
| else: | |
| dump_file(sys.argv[1], sys.argv[2]) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import notepad2 | |
| if len(sys.argv) != 3: | |
| print '%s path1 path2'%sys.argv[0] | |
| exit(1) | |
| def walk_visit(arg, dirname, names): | |
| for fn in names: | |
| path = os.path.join(dirname, fn) | |
| newpath = path.replace(sys.argv[1], sys.argv[2]) | |
| if os.path.isfile(path): | |
| print path | |
| notepad2.dump_file(path, newpath) | |
| if os.path.isdir(path): | |
| os.mkdir(newpath) | |
| sys.argv[1] = os.path.normpath(sys.argv[1]) | |
| sys.argv[2] = os.path.normpath(sys.argv[2]) | |
| os.path.walk(sys.argv[1], walk_visit, sys.argv[2]) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment