Preface

Capstone is a disassembly framework that:

  • supports multiple hardware architectures

  • has a clean, simple, lightweight, intuitive and architecture-neutral API

  • provides detailed information about each disassembled instruction (the "decomposer": operands, their types and sizes)

  • provides instruction semantics, such as implicit register reads and writes, that do not appear in the assembly text

  • is implemented in pure C, with bindings for Python and other languages

  • natively supports all popular platforms

  • is thread-safe by design

Installation

Since the scripts below are written in Python, the binding can be installed directly with pip:

pip install capstone

Usage

Disassembling raw bytes directly

The function reads ReadByte bytes at file offset FileOffset and hands them to Capstone. BaseAddr is the virtual address those bytes are mapped at; Capstone cannot know it from a raw byte string, so the caller supplies it. Capstone stops silently at the first byte sequence it cannot decode, so a very short listing usually means the offset does not point at code (offset 0 of an .exe is the DOS header, not code).

from capstone import *

def Disassembly(path, BaseAddr, FileOffset, ReadByte):
    # Read ReadByte raw bytes starting at file offset FileOffset
    with open(path, "rb") as fp:
        fp.seek(int(FileOffset))
        opcode = fp.read(int(ReadByte))

    md = Cs(CS_ARCH_X86, CS_MODE_64)
    # Disassemble relative to 0 and add BaseAddr ourselves, so the printed
    # address is the virtual address of the first byte plus its offset
    for item in md.disasm(opcode, 0):
        addr = int(BaseAddr) + item.address
        text = ""
        for i in range(item.size):
            text += '%02X ' % item.bytes[i]
        text += ' ' * (18 - len(text))
        # Format the address as hex; "0x" + str(addr) would print a decimal number
        print("0x%08X | %s| %s %s" % (addr, text, item.mnemonic, item.op_str))

if __name__ == "__main__":
    # The base address is 0x401000 (hex), not the decimal 401000
    Disassembly("D:/Code/CTF/Capstone/test.exe", 0x401000, 0, 1024)

Disassembling the .text section

Instead of guessing a file offset, read the section table with pefile: PointerToRawData is the file offset (FOA) of the section's bytes, and ImageBase + VirtualAddress is the address they are loaded at, which is what the listing should show. Only SizeOfRawData bytes of a section exist on disk; VirtualSize can be larger (the rest is zero-filled at load time) or smaller (the rest of the raw block is file-alignment padding, not code), so read the smaller of the two.

from capstone import *
import pefile

def FOA_Disassembly(FilePath):
    pe = pefile.PE(FilePath)
    ImageBase = pe.OPTIONAL_HEADER.ImageBase

    # Pick the Capstone mode from the optional header Magic instead of
    # hard-coding 32-bit: a PE32+ (0x20b) image contains 64-bit code
    if pe.OPTIONAL_HEADER.Magic == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS:
        mode = CS_MODE_64
    else:
        mode = CS_MODE_32

    TextSection = None
    for item in pe.sections:
        # Section names are 8 bytes, NUL padded
        if item.Name.rstrip(b'\x00') == b".text":
            TextSection = item
            break
    if TextSection is None:
        raise ValueError("no .text section in %s" % FilePath)

    VirtualAddress = TextSection.VirtualAddress     # RVA once loaded
    VirtualSize = TextSection.Misc_VirtualSize      # size in memory
    ActualOffset = TextSection.PointerToRawData     # file offset (FOA)
    # Only SizeOfRawData bytes exist on disk; reading VirtualSize bytes can
    # run into the next section, and reading SizeOfRawData can decode padding
    ReadSize = min(VirtualSize, TextSection.SizeOfRawData)
    StartVA = ImageBase + VirtualAddress
    with open(FilePath, "rb") as fp:
        fp.seek(ActualOffset)
        HexCode = fp.read(ReadSize)

    md = Cs(CS_ARCH_X86, mode)
    # Pass StartVA as the base so item.address is already the virtual address
    for item in md.disasm(HexCode, StartVA):
        text = ""
        for i in range(item.size):
            text += '%02X ' % item.bytes[i]
        text += ' ' * (18 - len(text))
        # hex() already returns a "0x"-prefixed string, so format once here
        print("0x%08X | %s| %s %s" % (item.address, text, item.mnemonic, item.op_str))

if __name__ == "__main__":
    FOA_Disassembly("D:/Code/CTF/Capstone/test.exe")


References:

  1. Disassembling with capstone from Python (Chinese), https://www.cnblogs.com/LyShark/p/16099380.html