From e9e0579826bd0bf518f783ff3ae83124095e2c7b Mon Sep 17 00:00:00 2001 From: daigualu <1191056200@qq.com> Date: Mon, 13 Apr 2015 13:39:03 +0800 Subject: [PATCH 1/2] label 1 --- files.sqlite | Bin 8192 -> 8192 bytes json/50101C960A0874458D0664351E9A493B.json | 1 + plugins/checkStr.py | 239 --------------------- plugins/checkStr2.py | 98 --------- plugins/strings.py | 211 ++++++++++++++++++ pyew.py | 13 +- pyew_core.py | 6 +- 7 files changed, 229 insertions(+), 339 deletions(-) create mode 100644 json/50101C960A0874458D0664351E9A493B.json delete mode 100644 plugins/checkStr.py delete mode 100644 plugins/checkStr2.py create mode 100644 plugins/strings.py 
diff --git a/files.sqlite b/files.sqlite index a1e4f93ed1c6f6580576bc4ead6455fc302986d1..d8b5b90d60a3642eca95a267f2c0e9962b795ede 100644 GIT binary patch delta 309 zcmX}lJxT*X7{>9Pc_aCN6$FzN5`wX?5#^oTnRzo-DO51g7gCZpUxJf8TezdkRP-81$Jxlv3B delta 87 zcmZp0XmFSy%_zQ6<^?;mD3j4-b`I^uiY!c01#W@%;?rnj3FS= 5: - b = True - break - else: - count = 0 - if b: - output = '' - m = -1 - break - count = 0 - else: - print '%04X %s' % (m, output) - output = '' - m = -1 - weiyiArray[:] = [] - else: - print '%04X %s' % (m, output) - output = '' - m = -1 - - - - -def ipExtract(pyew, doprint= True): - moffset = pyew.offset - FILTER=''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)]) - pyew.seek(0) - buf = pyew.buf + pyew.f.read() - buf = buf.translate(FILTER) - a=re.findall(r'(\d+\.\d+\.\d+\.\d+)', buf) - return a - -def print_ip(pyew,doprint= True): - pyew.seek (0) - buf =pyew.buf + pyew.f.read() - ips = re.findall(r'(\d+\.\d+\.\d+\.\d+)', buf) - for ip in ips: - print "position :%04x IP : %s\n"%(ips.index(ip),ip) - -def ping_ip(pyew,doprint = True): - ips = ipExtract(pyew,doprint = False) - for ip in ips: - verbose_ping(ip,2,1) - - -def checksum(source_string): - sum = 0 - countTo = (len(source_string)/2)*2 - count = 0 - while count < countTo: - thisVal = ord(source_string[count + 1])*256 + ord(source_string[count]) - sum = sum + thisVal - sum = sum & 0xffffffff # Necessary? - count = count + 2 - - if countTo < len(source_string): - sum = sum + ord(source_string[len(source_string) - 1]) - sum = sum & 0xffffffff # Necessary? - - sum = (sum >> 16) + (sum & 0xffff) - - - answer = ~sum - - answer = answer & 0xffff - - # Swap bytes. Bugger me if I know why. - answer = answer >> 8 | (answer << 8 & 0xff00) - - return answer - - -def receive_one_ping(my_socket, ID, timeout): - """ - receive the ping from the socket. 
- """ - timeLeft = timeout - while True: - startedSelect = time.time() - whatReady = select.select([my_socket], [], [], timeLeft) - howLongInSelect = (time.time() - startedSelect) - if whatReady[0] == []: # Timeout - return - - timeReceived = time.time() - recPacket, addr = my_socket.recvfrom(1024) - icmpHeader = recPacket[20:28] - type, code, checksum, packetID, sequence = struct.unpack( - "bbHHh", icmpHeader - ) - if packetID == ID: - bytesInDouble = struct.calcsize("d") - timeSent = struct.unpack("d", recPacket[28:28 + bytesInDouble])[0] - return timeReceived - timeSent - - timeLeft = timeLeft - howLongInSelect - if timeLeft <= 0: - return - - -def send_one_ping(my_socket, dest_addr, ID): - """ - Send one ping to the given >dest_addr<. - """ - # Header is type (8), code (8), checksum (16), id (16), sequence (16) - my_checksum = 0 - - # Make a dummy heder with a 0 checksum. - header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, my_checksum, ID, 1) #ѹ - #a1 = struct.unpack("bbHHh",header) #my test - bytesInDouble = struct.calcsize("d") - data = (192 - bytesInDouble) * "Q" - data = struct.pack("d", time.time()) + data - - # Calculate the checksum on the data and the dummy header. - my_checksum = checksum(header + data) - - # Now that we have the right checksum, we put that in. It's just easier - # to make up a new header than to stuff it into the dummy. - header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, socket.htons(my_checksum), ID, 1) - packet = header + data - my_socket.sendto(packet, (dest_addr, 1)) # Don't know about the 1 - - -def do_one(dest_addr, timeout): - """ - Returns either the delay (in seconds) or none on timeout. - """ - icmp = socket.getprotobyname("icmp") - try: - my_socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, icmp) - except socket.error, (errno, msg): - if errno == 1: - # Operation not permitted - msg = msg + ( - " - Note that ICMP messages can only be sent from processes" - " running as root." 
- ) - raise socket.error(msg) - raise # raise the original error - - my_ID = os.getpid() & 0xFFFF - - send_one_ping(my_socket, dest_addr, my_ID) - delay = receive_one_ping(my_socket, my_ID, timeout) - - my_socket.close() - return delay - - -def verbose_ping(dest_addr, timeout = 2, count = 100): - """ - Send >count< ping to >dest_addr< with the given >timeout< and display - the result. - """ - for i in range(count): - print "ping %s..." % dest_addr, - try: - delay = do_one(dest_addr, timeout) - except socket.gaierror, e: - print "failed. (socket error: '%s')" % e[1] - break - - if delay == None: - print "failed. (timeout within %ssec.)" % timeout - else: - delay = delay * 1000 - print "get ping in %0.4fms" % delay - - -functions = {"chkStr": checkString, "printip": print_ip, "ping":ping_ip} - diff --git a/plugins/checkStr2.py b/plugins/checkStr2.py deleted file mode 100644 index cb21cad..0000000 --- a/plugins/checkStr2.py +++ /dev/null 
@@ -1,98 +0,0 @@ -import re -import pdb -searchChar = '([A-Za-z])' -startChar = '[\w<_\.<]' -searchIP = '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' -searchEmail = '([\w+]@.+\..+)' - - - - -def showString(output,m): - if len(output) <= 4: - output = '' - m = -1 - return - if len(output) <= 16: - if '@' in output: - fetch = re.search(searchEmail,output) - if fetch is None: - output = '' - m = -1 - return - fetch = re.search(searchChar,output) - if fetch is None: - #print output - fetch = re.search(searchIP,output) - if fetch is None: - output = '' - m = -1 - return - #Filtering consecutive multiple characters - count = 0 - b = False - weiyiArray=[] - for i in output: - if i not in weiyiArray: - weiyiArray.append(i) - for s in weiyiArray: - for val in output: - if val == s: - count += 1 - if count >= 5: - b = True - break - else: - count = 0 - if b: - output = '' - m = -1 - break - count = 0 - else: - print '%04X %s' % (m, output) - output = '' - m = -1 - weiyiArray[:] = [] - else: - print '%04X %s' % (m, output) - output = '' - m = -1 - - -def checkString(pyew,doprint=True): - """ Search strings in the current document """ - pyew.offset = 0 - pyew.seek(0) - buf = pyew.buf + pyew.f.read() - print len(buf) - bufSize = len(buf) - size = 0 - m = -1 - output = '' - for i in range(0,len(buf)): - size += 1 - if len(repr(buf[i])) == 3: - fetch_starChar = re.search(startChar,buf[i]) - if fetch_starChar is None: - if m == -1: - output = '' - continue - #pdb.set_trace() - if m == -1: - m = i - if '$' in buf[i]: - output = '' - m = -1 - continue - output += buf[i] - if size == bufSize: - showString(output,m) - else: - showString(output,m) - output = '' - m = -1 - - -functions = {"chkStr2":checkString} - diff --git a/plugins/strings.py b/plugins/strings.py new file mode 100644 index 0000000..7b7ff5b --- /dev/null +++ b/plugins/strings.py 
@@ -0,0 +1,211 @@ +import re + +searchChar = '([A-Za-z])' +startChar = '[\w<_\.<]' +searchIP = '([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' +searchEmail = '([\w+]@.+\..+)' +def showString(output,m): + if len(output) <= 4: + output = '' + m = -1 + return + + if len(output) <= 16: + if '@' in output: + fetch = re.search(searchEmail,output) + if fetch is None: + output = '' + m = -1 + return + + fetch = re.search(searchChar,output) + if fetch is None: + fetch = re.search(searchIP,output) + if fetch is None: + output = '' + m = -1 + return + + #Filtering consecutive multiple characters + count = 0 + b = False + weiyiArray=[] + for i in output: + if i not in weiyiArray: + weiyiArray.append(i) + for s in weiyiArray: + for val in output: + if val == s: + count += 1 + if count >= 5: + b = True + break + else: + count = 0 + if b: + output = '' + m = -1 + break + count = 0 + else: + print '%04X %s' % (m, output) + output = '' + m = -1 + weiyiArray[:] = [] + + else: + print '%04X %s' % (m, output) + output = '' + m = -1 + +def checkString(pyew,doprint=True): + """ Search strings in the current document """ + pyew.offset = 0 + pyew.seek(0) + buf = pyew.buf + pyew.f.read() + bufSize = len(buf) + size = 0 + m = -1 + output = '' + for i in range(0,len(buf)): + size += 1 + if len(repr(buf[i])) == 3: + fetch_starChar = re.search(startChar,buf[i]) + if fetch_starChar is None: + if m == -1: + output = '' + continue + #pdb.set_trace() + if m == -1: + m = i + if '$' in buf[i]: + output = '' + m = -1 + continue + + output += buf[i] + + if size == bufSize: + showString(output,m) + else: + showString(output,m) + output = '' + m = -1 + +#-------------------------------------------------------------------------------- +def getOffsetFromVirtualAddr(pyew, va): + if pyew.pe: + ret = None + try: + ret = pyew.pe.get_offset_from_rva(va - pyew.pe.OPTIONAL_HEADER.ImageBase) + if ret > pyew.maxsize: + ret = None + except: + pass + return ret + +def extractMovMode(pyew, disLines): + # extract 
string from 'mov eax, [offset]' + searchMov = '(mov .+, \[?)(0x.+]?)' + rList = [] + for line in disLines : + result = re.search(searchMov,line) + if result: + if 'byte' in result.group(): + continue + address = line.split(' ')[0] + x = result.group(2).strip() + data = x.strip(']') + offset = getOffsetFromVirtualAddr(pyew, int(data,16)) + if offset : + output = pyew.pe.get_string_at_rva(offset) + if output: + output = output.strip() + if output: + rList.append( [address , output ]) + return rList + +def extractPushMode(pyew, disLines): + # extract string from 'push [offset]' + searchPush = '(push 0x.+)' + rList = [] + for line in disLines : + result = re.search(searchPush , line) + if result: + address = line.split(' ')[0] + key = result.group(1) + data = key.split(' ')[1] + offset = getOffsetFromVirtualAddr(pyew, int(data,16)) + if offset : + output = pyew.pe.get_string_at_rva(offset) + if output: + output = output.strip() + if output: + rList.append( [address , output ]) + return rList + +def extractLeaMode(pyew, disLines): + # extract string from 'lea eax, [offset]' + searchLea = '(lea .+\[0x.+\])' + rList = [] + address = '' + for line in disLines : + result = re.search(searchLea,line) + if result: + address = line.split(' ')[0] + key = result.group(1) + data = key.split(' ')[2] + data = data.strip('[') + data = data.strip(']') + offset = getOffsetFromVirtualAddr(pyew, int(data,16)) + if offset : + output = pyew.pe.get_string_at_rva(offset) + if output: + output = output.strip() + if output: + rList.append( [address , output ]) + break + return rList + +def referenceString(pyew,doprint=True): + """ search reference strings in disassemble """ + if not pyew.pe : return + + length = 0 + offset = 0 + #executeChar = 0b1100000000000000000000000100000 + executeChar = 0x60000020 + for section in pyew.pe.sections: + #Only check string from executable section.. 
+ if(section.Characteristics & executeChar) == executeChar: + offset = section.PointerToRawData + length = section.SizeOfRawData + break + else: + return + + buf = pyew.getBuffer() + if pyew.maxsize - offset < length: + length = pyew.maxsize - offset + MaxLines = 1024 * 1024 + disLines = pyew.disassemble(buf[offset:offset + length], baseoffset=offset, lines=MaxLines).lower().split('\n') + + # fix disassembled lines with comment + newDisLines = [] + for line in disLines : + pos = line.find(';') + if pos != -1: + line = line[:pos-1] + newDisLines.append(line) + disLines = newDisLines + + rList = extractMovMode(pyew, disLines ) + rList += extractPushMode(pyew, disLines) + rList += extractLeaMode(pyew, disLines) + rList.sort() + for item in rList : + print item [0], item[1] + +functions = {"strings":checkString, "rstrings":referenceString} + + diff --git a/pyew.py b/pyew.py index 3c7d6b9..b16d6d3 100644 --- a/pyew.py +++ b/pyew.py @@ -362,11 +362,22 @@ def main(filename): if len(data) > 2: if data[1].isdigit(): pyew.customizeComment[int(data[1])] = ' '.join(data[2:]) - elif data[1][:2].lower() =="0x": + elif data[1][:2].lower() == "0x": try: pyew.customizeComment[int(data[1],16)] = ' '.join(data[2:]) except: print "Error" + elif len(data) == 2: + data.append('') + if data[1].isdigit(): + pyew.customizeComment[int(data[1])] = data[2] + elif data[1][:2].lower() == "0x": + try: + pyew.customizeComment[int(data[1],16)] = data[2] + except: + print "Error" + + elif cmd.lower().split(" ")[0] in ["c", "u"]: diff --git a/pyew_core.py b/pyew_core.py index 2d1a2bb..33a5bca 100644 --- a/pyew_core.py +++ b/pyew_core.py 
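Review bot: In extractMovMode, extractPushMode and extractLeaMode the operand captured by a greedy `.+` group goes straight into `int(data,16)` outside any try, so one operand with anything after the hex literal raises ValueError and aborts the whole `rstrings` command for that binary; guard the conversion per line, `try: va = int(data, 16)` / `except ValueError: continue`, or tighten the capture to `0x[0-9a-f]+`. The comment stripping in referenceString, `line = line[:pos-1]`, assumes a space precedes `;` and otherwise drops a code character; `line[:pos].rstrip()` does not. The bare `except: pass` in getOffsetFromVirtualAddr hides every failure including KeyboardInterrupt, so at most `except Exception:` belongs there. That helper returns a file offset which all three extractors then pass to `pyew.pe.get_string_at_rva`; if that API expects an RVA as its name suggests, the lookup is off by the section's raw-to-virtual delta — worth confirming against the pefile implementation.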
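Review bot: The added `elif len(data) == 2:` branch repeats the digit/`0x` parsing of the branch above it only to store an empty string, which `' '.join(data[2:])` already yields when data has two elements; changing the existing condition to `if len(data) >= 2:` gives the same result with no new code. Both branches wrap `int(data[1],16)` in a bare `except:`, which also swallows KeyboardInterrupt; `except ValueError:` is what the conversion can raise. The enclosing function `main` begins and ends outside the hunk.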
@@ -867,7 +867,11 @@ def disassemble(self, buf, processor="intel", type=32, lines=40, bsize=512, base # add customize comment if not comment : if self.customizeComment.has_key(i.offset): - comment = "\t; %s" % self.customizeComment[i.offset] + if self.customizeComment[i.offset] == '': + comment = '' + del self.customizeComment[i.offset] + else: + comment = "\t; %s" % self.customizeComment[i.offset] if self.case == 'high': #ret += "0x%08x (%02x) %-20s %s%s\n" % (i.offset, i.size, i.instructionHex, str(i.mnemonic) + " " + str(ops), comment) From 2cc61558146353bb335c11f84b4455394721c713 Mon Sep 17 00:00:00 2001 From: daigualu <1191056200@qq.com> Date: Tue, 14 Apr 2015 21:36:44 +0800 Subject: [PATCH 2/2] =?UTF-8?q?=E7=89=B9=E5=BE=81=E6=8F=90=E5=8F=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 输入偏移地址提取文件特征。数据库中signature表中的主键为当前系统时间 --- plugins/signature.py | 63 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 plugins/signature.py diff --git a/plugins/signature.py b/plugins/signature.py new file mode 100644 index 0000000..26bd27c --- /dev/null +++ b/plugins/signature.py 
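Review bot: Deleting the entry from `self.customizeComment` inside disassemble gives a rendering routine a side effect: the empty-string marker written by the comment command in pyew.py is removed only when that offset is actually disassembled, and only on the `not comment` path, so an offset that already carries an automatic comment appears to keep the dead marker indefinitely (inferred; the surrounding branch is only partly visible). Removing the key at command time instead, `del pyew.customizeComment[int(data[1])]` when the given text is empty, would let this hunk remain the original one-line assignment. The enclosing `disassemble` method continues beyond the hunk.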
@@ -0,0 +1,63 @@ +import os,sqlite3 +from time import time + +DATABASE_PATH = os.path.abspath(os.path.join(os.path.dirname("__file__"),os.path.pardir)) + os.sep + "files.sqlite" + +def createTableSig(db): + try: + sql = """create table if not exists signature (id time primary key, sig varchar)""" + db.execute(sql) + except: + print 'create table signature failed..' + + + +def insertTable(db,atime,hexContent): + try: + sql = """insert into signature (id,sig) values (?, ?)""" + db.execute(sql, (atime, hexContent)) + db.commit() + print 'enter data into database successfully..' + except: + print 'insert table failed..' + + + +def extractSig(pyew,doprint=True): + cmd = raw_input('sOffset eOffset:') + sOffset = -1 + eOffset = -1 + try: + data = cmd.split(" ") + if len(data) == 2: + if data[0].isdigit(): + sOffset = int(data[0]) + elif data[0][:2].lower() == "0x": + sOffset = int(data[0],16) + else: + print 'input the data was wrong..' + return + if data[1].isdigit(): + eOffset = int(data[1]) + elif data[1][:2].lower() == "0x": + eOffset = int(data[1],16) + else: + print 'input the data was wrong..' + return + hexContent = '' + buf = pyew.getBuffer()[sOffset:eOffset] + for c in ["%02X" % ord(x) for x in buf]: + hexContent += c + print hexContent + db = sqlite3.connect(DATABASE_PATH) + cur = db.cursor() + #createTableSig(db) #create table.. + #cur.execute("drop table signature") #delete table.. + atime = time() + insertTable(db,atime,hexContent) + #print cur.execute("select * from signature").fetchall() + db.close() + except: + print "Error" + +functions = {"exsig":extractSig}
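Review bot: `os.path.dirname("__file__")` quotes the name, so it takes the dirname of a literal string and returns `''`; DATABASE_PATH therefore resolves to `../files.sqlite` relative to whatever directory pyew is launched from, and `sqlite3.connect` silently creates a fresh database there instead of opening the project's files.sqlite. It should read `os.path.dirname(os.path.abspath(__file__))`. The two offsets are parsed but never compared, so `sOffset` not below `eOffset` yields an empty slice and an empty signature row is stored without any message; a guard such as `if not 0 <= sOffset < eOffset: print 'input the data was wrong..'; return` before the slice avoids that. The bare `except: print "Error"` also encloses `db.close()`, so on any failure after connect the connection leaks and the real error is lost; use `except (ValueError, sqlite3.Error) as e` and close in a `finally`. With `createTableSig(db)` commented out, the insert fails on any database that does not already contain the signature table.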