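def import_lookup_table_item_proc(fp, item):
    """Decode one Import Lookup Table entry into a dict.

    Args:
        fp: binary file object for the image; it is seeked to the
            hint/name entry when the import is by name.
        item: raw bytes of the table entry; ``r_s2i`` turns it into an int.

    Returns:
        ``{"type": "ordinal", "ordinal": <int>}`` when the ordinal flag
        (the top bit of a 32-bit entry, 0x80000000) is set, otherwise
        ``{"type": "name", "hint": <int>, "name": <str>}`` read from the
        hint/name table at the RVA stored in the entry.
    """
    value = r_s2i(item)
    # The ordinal flag is bit 31 of a 32-bit entry, i.e. the hex literal
    # 0x80000000.  The original compared against the *decimal* literal
    # 80000000 (= 0x04C4B400), so any by-name import whose RVA was above
    # that was misread as an ordinal and its name never resolved.
    # `>=` also stays true for a PE32+ entry whose bit-63 flag is set.
    # NOTE(review): if 64-bit entries are passed here, the ordinal/name
    # split should really come from the optional header magic — confirm.
    if value >= 0x80000000:
        # The ordinal number lives in the low 16 bits of the entry.
        return {"type": "ordinal", "ordinal": r_s2i(item[:2])}
    # Flag clear: the entry is the RVA of a hint/name entry, laid out as a
    # 2-byte hint followed by a NUL-terminated name.
    raw_addr = rva2raw(SECTION_TABLE, value)
    fp.seek(raw_addr)
    hint = r_s2i(fp.read(2))
    name = read_string(fp)
    return {"type": "name", "hint": hint, "name": name}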
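def import_lookup_table_item_proc(fp, item):
    """Decode one Import Lookup Table entry into a dict.

    Args:
        fp: binary file object for the image; it is seeked to the
            hint/name entry when the import is by name.
        item: raw bytes of the table entry; ``r_s2i`` turns it into an int.

    Returns:
        ``{"type": "ordinal", "ordinal": <int>}`` when the ordinal flag
        (the top bit of a 32-bit entry, 0x80000000) is set, otherwise
        ``{"type": "name", "hint": <int>, "name": <str>}`` read from the
        hint/name table at the RVA stored in the entry.
    """
    value = r_s2i(item)
    # The ordinal flag is bit 31 of a 32-bit entry, i.e. the hex literal
    # 0x80000000.  The original compared against the *decimal* literal
    # 80000000 (= 0x04C4B400), so any by-name import whose RVA was above
    # that was misread as an ordinal and its name never resolved.
    # `>=` also stays true for a PE32+ entry whose bit-63 flag is set.
    # NOTE(review): if 64-bit entries are passed here, the ordinal/name
    # split should really come from the optional header magic — confirm.
    if value >= 0x80000000:
        # The ordinal number lives in the low 16 bits of the entry.
        return {"type": "ordinal", "ordinal": r_s2i(item[:2])}
    # Flag clear: the entry is the RVA of a hint/name entry, laid out as a
    # 2-byte hint followed by a NUL-terminated name.
    raw_addr = rva2raw(SECTION_TABLE, value)
    fp.seek(raw_addr)
    hint = r_s2i(fp.read(2))
    name = read_string(fp)
    return {"type": "name", "hint": hint, "name": name}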
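from loader import r_s2i

# Target image is hard-coded.  The original also assigned "Reverse.exe"
# first and immediately overwrote it; that dead assignment is dropped.
file_name = "KeePass.exe"
# fp is deliberately left open at module level: the parsing helpers in
# this file take it as a parameter and fill the header dicts in steps.
fp = open(file_name, 'rb')
# Total size, used to bounds-check offsets read from the (untrusted) file.
fp.seek(0, 2)  # whence=2: seek to end of file
file_size = fp.tell()

# DOS header fields
#   offset  size  field    value
#   0x00    2     magic    0x4d5a ("MZ")
#   0x3c    4     e_lfnew  file offset of the PE header
fp.seek(DOS_HEADER['magic']['Offset'])
DOS_HEADER['magic']['Value'] = fp.read(DOS_HEADER['magic']['Size'])
# Refuse anything that is not a DOS/PE stub; without this every later
# offset would be derived from garbage.
if DOS_HEADER['magic']['Value'] != b'MZ':
    raise ValueError(f"{file_name}: bad DOS magic {DOS_HEADER['magic']['Value']!r}, expected b'MZ'")
fp.seek(DOS_HEADER['e_lfnew']['Offset'])
DOS_HEADER['e_lfnew']['Value'] = r_s2i(fp.read(DOS_HEADER['e_lfnew']['Size']))
# e_lfnew comes straight from the file; a crafted image can point it
# anywhere.  The 4-byte PE signature must fit inside the file.
if DOS_HEADER['e_lfnew']['Value'] + 4 > file_size:
    raise ValueError(f"{file_name}: e_lfnew 0x{DOS_HEADER['e_lfnew']['Value']:x} points past end of file")

# PE header fields (offsets relative to e_lfnew)
#   offset            size  field
#   e_lfnew           4     Signature 0x50450000 ("PE\0\0")
#   0x02 (e_lfnew+4)  ?     NumberOfSections, relative to the COFF header
#                           that starts right after the signature
# NOTE(review): the original table listed NumberOfSections as 4 bytes;
# the COFF field is 2 bytes wide — confirm PE_HEADER['NumberOfSections']['Size'].
PE_HEADER['pe_sig']['Offset'] += DOS_HEADER['e_lfnew']['Value']
# The stored Offset is relative to the COFF header (e_lfnew + 4), so
# shift it by that much rather than by e_lfnew alone.
PE_HEADER['NumberOfSections']['Offset'] += DOS_HEADER['e_lfnew']['Value'] + 4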
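# Target image is hard-coded.  The original also assigned "Reverse.exe"
# first and immediately overwrote it; that dead assignment is dropped.
file_name = "KeePass.exe"
# fp is deliberately left open at module level: the parsing helpers in
# this file take it as a parameter and fill the header dicts in steps.
fp = open(file_name, 'rb')
# Total size, used to bounds-check offsets read from the (untrusted) file.
fp.seek(0, 2)  # whence=2: seek to end of file
file_size = fp.tell()

# DOS header fields
#   offset  size  field    value
#   0x00    2     magic    0x4d5a ("MZ")
#   0x3c    4     e_lfnew  file offset of the PE header
fp.seek(DOS_HEADER['magic']['Offset'])
DOS_HEADER['magic']['Value'] = fp.read(DOS_HEADER['magic']['Size'])
# Refuse anything that is not a DOS/PE stub; without this every later
# offset would be derived from garbage.
if DOS_HEADER['magic']['Value'] != b'MZ':
    raise ValueError(f"{file_name}: bad DOS magic {DOS_HEADER['magic']['Value']!r}, expected b'MZ'")
fp.seek(DOS_HEADER['e_lfnew']['Offset'])
DOS_HEADER['e_lfnew']['Value'] = r_s2i(fp.read(DOS_HEADER['e_lfnew']['Size']))
# e_lfnew comes straight from the file; a crafted image can point it
# anywhere.  The 4-byte PE signature must fit inside the file.
if DOS_HEADER['e_lfnew']['Value'] + 4 > file_size:
    raise ValueError(f"{file_name}: e_lfnew 0x{DOS_HEADER['e_lfnew']['Value']:x} points past end of file")

# PE header fields (offsets relative to e_lfnew)
#   offset            size  field
#   e_lfnew           4     Signature 0x50450000 ("PE\0\0")
#   0x02 (e_lfnew+4)  ?     NumberOfSections, relative to the COFF header
#                           that starts right after the signature
# NOTE(review): the original table listed NumberOfSections as 4 bytes;
# the COFF field is 2 bytes wide — confirm PE_HEADER['NumberOfSections']['Size'].
# NOTE(review): this copy only relocates pe_sig; NumberOfSections['Offset']
# is left as stored, unlike the sibling copy of this script above — confirm
# which is intended before reading that field.
PE_HEADER['pe_sig']['Offset'] += DOS_HEADER['e_lfnew']['Value']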