def entrypoint(self, p, hit):
    """Rebuild the PE embedded at *hit* and hand it to the framework.

    Args:
        p: memory object the match was found in; read with ``readv``
           from the aligned hit up to ``p.imgend``.
        hit: address of the match, rounded down to a 0x200 boundary
           before reading (presumably the packer's block alignment —
           confirm).

    The slice is aPLib-decompressed, the ``MZ`` signature and the ``PE``
    signature (at the offset read from e_lfanew, 0x3C) are written back,
    and the repaired buffer is re-parsed as an image and pushed with
    ``push_procmem``. The decompressed blob is sample-controlled; the
    e_lfanew value is used as read, so any bounds enforcement on the
    ``PE`` patch is whatever ``patchp``/``uint32p`` provide — verify.
    """
    start = align_down(hit, 0x200)
    compressed = p.readv(start, p.imgend)
    raw = procmem(aPLib().decompress(compressed), base=0)
    # Restore the two signatures missing from the stored copy.
    raw.patchp(0, b"MZ")
    e_lfanew = raw.uint32p(0x3C)
    raw.patchp(e_lfanew, b"PE")
    # Re-parse the repaired buffer as a loaded image and surface it.
    self.push_procmem(procmempe.from_memory(raw, image=True))
def test_calc_dmp():
    """Cross-check cuckoomem and procmempe views of calc.dmp against raw PE parsing."""
    with cuckoomem.from_file("tests/files/calc.dmp") as p:
        ppe = procmempe.from_memory(p, 0xd0000)
        assert p.regions == ppe.regions
        assert p.findmz(0x129abc) == 0xd0000
        # Old/regular method with PE header.
        header = pe(p.readv(p.imgbase, 0x1000))
        assert header.dos_header.e_lfanew == 0xd8
        assert p.readv(p.imgbase + 0xd8, 4) == b"PE\x00\x00"
        # Parse straight from the memory object.
        image = pe(p)
        assert image.is32bit is True
        # DATA_DIRECTORY[2] is the resource directory.
        rsrc = image.optional_header.DATA_DIRECTORY[2]
        assert (rsrc.VirtualAddress, rsrc.Size) == (0x59000, 0x62798)
        data = image.resource(b"WEVT_TEMPLATE")
        assert data.startswith(b"CRIM")
        assert len(data) == 4750
        assert len(ppe.pe.section(".text").get_data()) == 0x52e00
def test_mal1():
    """Unpack the aPLib-compressed PE embedded in mal1 and resolve a string from it."""
    with open("tests/files/mal1.b64") as f:
        mal1 = base64.b64decode(f.read())
    # The dump is a loaded image, not a raw memory dump.
    ppe = procmempe(mal1)
    assert not ppe.is_image_loaded_as_memdump()
    # Decompress the payload stored at imgbase + 0x8400 (runs to imgend).
    start = ppe.imgbase + 0x8400
    payload = aPLib().decompress(ppe.readv(start, ppe.imgend))
    embed_pe = procmem(payload, base=0)
    # Restore the MZ and PE signatures (PE offset comes from e_lfanew at 0x3C).
    embed_pe.patchp(0, b"MZ")
    e_lfanew = embed_pe.uint32p(0x3C)
    embed_pe.patchp(e_lfanew, b"PE")
    # Re-parse the repaired buffer as an image and read an import name from it.
    embed_pe = procmempe.from_memory(embed_pe, image=True)
    assert embed_pe.asciiz(0x1000a410) == b"StrToIntExA"