analitics

Pages

Wednesday, August 23, 2023

Python 3.11.0 : Testing PE executable files x64 with capstone and pefile python modules.

You need to install the capstone python module.
pip install capstone --user
Collecting capstone
  Obtaining dependency information for capstone from https://files.pythonhosted.org/packages/d0/dd/b28df50316ca193
  
  dd1275a4c47115a720796d
  
  9e1501c1888c4bfa5dc2260/capstone-5.0.1-py3-none-win_amd64.whl.metadata
  
  Downloading capstone-5.0.1-py3-none-win_amd64.whl.metadata (3.5 kB)
Downloading capstone-5.0.1-py3-none-win_amd64.whl (1.3 MB)
   ---------------------------------------- 1.3/1.3 MB 1.6 MB/s eta 0:00:00
Installing collected packages: capstone
Successfully installed capstone-5.0.1
You need to install the pefile.
pip install pefile --user
Collecting pefile
  Downloading pefile-2023.2.7-py3-none-any.whl (71 kB)
     ---------------------------------------- 71.8/71.8 kB 564.7 kB/s eta 0:00:00
Installing collected packages: pefile
Successfully installed pefile-2023.2.7
I used an old simple PE64 executable create with fasm tool from this source code:
format PE64 GUI 5.0
entry start
include 'INCLUDE\win64a.inc'
section '.text' code readable executable
  start:
        push    rbp
        invoke  GetModuleHandle,0
        invoke  DialogBoxParam,rax,37,HWND_DESKTOP,DialogProc,0
        invoke  ExitProcess,0
proc DialogProc uses rbx rsi rdi,hWnd,wMsg,wParam,lParam
        mov             [hWnd],rcx
        mov             [wMsg],rdx
        mov             [wParam],r8
        mov             [lParam],r9

        cmp     [wMsg],WM_COMMAND
        je      wmcommand
        cmp     [wMsg],WM_CLOSE
        je      wmclose
        cmp     [wMsg],WM_SYSCOMMAND
        je      wmsyscommand
        xor     rax,rax
        jmp     finish
wmsyscommand:
        cmp     [wParam],SC_RESTORE
        je      sc_restore
        invoke  DefWindowProc,[hWnd],[wMsg],[wParam],[lParam]
        ret
   sc_restore:
        invoke  AnimateWindow,[hWnd],DWORD 1000,0x00040004      ;HERE IT IS
        invoke  ShowWindow,[hWnd],SW_RESTORE
        mov     rax,1
        ret
wmcommand:
        cmp     [wParam],BN_CLICKED shl 16 + IDOK
        jne     processed
        invoke  ShowWindow,[hWnd],SW_MINIMIZE
        ret
wmclose:
        invoke  EndDialog,[hWnd],0
processed:
        mov     rax,1
        ret ; this no need and use cmp to get error
;        cmp rax,0
;        je show_error
;        show_error:
;        invoke  GetLastError ;must call this first and save the result before doing anything else
;        invoke  wsprintf,...
;        invoke  MessageBox,...
finish:
        ret
endp
section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'
  import kernel,\
         GetModuleHandle,'GetModuleHandleA',\
         ExitProcess,'ExitProcess'
  import user,\
         DialogBoxParam,'DialogBoxParamA',\
         CheckRadioButton,'CheckRadioButton',\
         GetDlgItemText,'GetDlgItemTextA',\
         IsDlgButtonChecked,'IsDlgButtonChecked',\
         MessageBox,'MessageBoxA',\
         DefWindowProc,'DefWindowProcA',\
         EndDialog,'EndDialog',\
         AnimateWindow,'AnimateWindow',\
         ShowWindow,'ShowWindow'
section '.rsrc' resource data readable
  directory RT_DIALOG,dialogs
  resource dialogs,\
           37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration
  dialog demonstration,'Create message box',70,70,190,175,WS_CAPTION+WS_POPUP+WS_SYSMENU+DS_MODALFRAME
       dialogitem 'BUTTON','OK',IDOK,85,150,45,15,WS_VISIBLE+WS_TABSTOP+BS_DEFPUSHBUTTON
  enddialog
This is the source code for python script:
import pefile
from capstone import *

exe_file = 'test_001_no_err_imp.EXE'
pe = pefile.PE(exe_file)

# find text section
offset = False
for section in pe.sections:
    if section.Name == b'.text\x00\x00\x00':
        offset = section.VirtualAddress
        codePtr = section.PointerToRawData
        codeEndPtr = codePtr+section.SizeOfRawData
        break

code = pe.get_memory_mapped_image()[codePtr:codeEndPtr]

# start disassembling text section
md = Cs(CS_ARCH_X86, CS_MODE_32)
md.detail = True
if offset:
    for i in md.disasm(code, offset):
        print('0x%x:\t%s\t%s' % (i.address, i.mnemonic, i.op_str))
This is the result:
python capstone_test_001.py
0x1000: push    ebp
0x1001: dec     eax
0x1002: sub     esp, 0x20
0x1005: dec     eax
0x1006: mov     ecx, 0
0x100c: call    dword ptr [0x105e]
0x1012: dec     eax
0x1013: add     esp, 0x20
0x1016: dec     eax
0x1017: sub     esp, 0x30
0x101a: dec     eax
0x101b: mov     ecx, eax
0x101d: dec     eax
0x101e: mov     edx, 0x25
0x1024: dec     ecx
0x1025: mov     eax, 0
0x102b: dec     ecx
0x102c: mov     ecx, 0x40105a
0x1032: dec     eax
0x1033: mov     dword ptr [esp + 0x20], 0
0x103b: call    dword ptr [0x109f]
0x1041: dec     eax
0x1042: add     esp, 0x30
0x1045: dec     eax
0x1046: sub     esp, 0x20
0x1049: dec     eax
0x104a: mov     ecx, 0
0x1050: call    dword ptr [0x1022]
0x1056: dec     eax
0x1057: add     esp, 0x20
0x105a: push    ebp
0x105b: dec     eax
0x105c: mov     ebp, esp
0x105e: dec     eax
0x105f: sub     esp, 8
0x1062: push    ebx
0x1063: push    esi
0x1064: push    edi
0x1065: dec     eax
0x1066: mov     dword ptr [ebp + 0x10], ecx
0x1069: dec     eax
0x106a: mov     dword ptr [ebp + 0x18], edx
0x106d: dec     esp
0x106e: mov     dword ptr [ebp + 0x20], eax
0x1071: dec     esp
0x1072: mov     dword ptr [ebp + 0x28], ecx
0x1075: dec     eax
0x1076: cmp     dword ptr [ebp + 0x18], 0x111
0x107d: je      0x1110
0x1083: dec     eax
0x1084: cmp     dword ptr [ebp + 0x18], 0x10
0x1088: je      0x1135
0x108e: dec     eax
0x108f: cmp     dword ptr [ebp + 0x18], 0x112
0x1096: je      0x10a0
0x1098: dec     eax
0x1099: xor     eax, eax
0x109b: jmp     0x115a
0x10a0: dec     eax
0x10a1: cmp     dword ptr [ebp + 0x20], 0xf120
0x10a8: je      0x10cd
0x10aa: dec     eax
0x10ab: sub     esp, 0x20
0x10ae: dec     eax
0x10af: mov     ecx, dword ptr [ebp + 0x10]
0x10b2: dec     eax
0x10b3: mov     edx, dword ptr [ebp + 0x18]
0x10b6: dec     esp
0x10b7: mov     eax, dword ptr [ebp + 0x20]
0x10ba: dec     esp
0x10bb: mov     ecx, dword ptr [ebp + 0x28]
0x10be: call    dword ptr [0x1024]
0x10c4: dec     eax
0x10c5: add     esp, 0x20
0x10c8: pop     edi
0x10c9: pop     esi
0x10ca: pop     ebx
0x10cb: leave
0x10cc: ret
0x10cd: dec     eax
0x10ce: sub     esp, 0x20
0x10d1: dec     eax
0x10d2: mov     ecx, dword ptr [ebp + 0x10]
0x10d5: mov     edx, 0x3e8
0x10da: dec     ecx
0x10db: mov     eax, 0x40004
0x10e1: call    dword ptr [0x1011]
0x10e7: dec     eax
0x10e8: add     esp, 0x20
0x10eb: dec     eax
0x10ec: sub     esp, 0x20
0x10ef: dec     eax
0x10f0: mov     ecx, dword ptr [ebp + 0x10]
0x10f3: dec     eax
0x10f4: mov     edx, 9
0x10fa: call    dword ptr [0x1000]
0x1100: dec     eax
0x1101: add     esp, 0x20
0x1104: dec     eax
0x1105: mov     eax, 1
0x110b: pop     edi
0x110c: pop     esi
0x110d: pop     ebx
0x110e: leave
0x110f: ret
0x1110: dec     eax
0x1111: cmp     dword ptr [ebp + 0x20], 1
0x1115: jne     0x114e
0x1117: dec     eax
0x1118: sub     esp, 0x20
0x111b: dec     eax
0x111c: mov     ecx, dword ptr [ebp + 0x10]
0x111f: dec     eax
0x1120: mov     edx, 6
0x1126: call    dword ptr [0xfd4]
0x112c: dec     eax
0x112d: add     esp, 0x20
0x1130: pop     edi
0x1131: pop     esi
0x1132: pop     ebx
0x1133: leave
0x1134: ret
0x1135: dec     eax
0x1136: sub     esp, 0x20
0x1139: dec     eax
0x113a: mov     ecx, dword ptr [ebp + 0x10]
0x113d: dec     eax
0x113e: mov     edx, 0
0x1144: call    dword ptr [0xfa6]
0x114a: dec     eax
0x114b: add     esp, 0x20
0x114e: dec     eax
0x114f: mov     eax, 1
0x1155: pop     edi
0x1156: pop     esi
0x1157: pop     ebx
0x1158: leave
0x1159: ret
0x115a: pop     edi
0x115b: pop     esi
0x115c: pop     ebx
0x115d: leave
0x115e: ret
0x115f: add     byte ptr [eax], al
0x1161: add     byte ptr [eax], al
0x1163: add     byte ptr [eax], al
0x1165: add     byte ptr [eax], al
0x1167: add     byte ptr [eax], al
0x1169: add     byte ptr [eax], al
0x116b: add     byte ptr [eax], al
0x116d: add     byte ptr [eax], al
0x116f: add     byte ptr [eax], al
0x1171: add     byte ptr [eax], al
0x1173: add     byte ptr [eax], al
0x1175: add     byte ptr [eax], al
0x1177: add     byte ptr [eax], al
0x1179: add     byte ptr [eax], al
0x117b: add     byte ptr [eax], al
0x117d: add     byte ptr [eax], al
0x117f: add     byte ptr [eax], al
0x1181: add     byte ptr [eax], al
0x1183: add     byte ptr [eax], al
0x1185: add     byte ptr [eax], al
0x1187: add     byte ptr [eax], al
0x1189: add     byte ptr [eax], al
0x118b: add     byte ptr [eax], al
0x118d: add     byte ptr [eax], al
0x118f: add     byte ptr [eax], al
0x1191: add     byte ptr [eax], al
0x1193: add     byte ptr [eax], al
0x1195: add     byte ptr [eax], al
0x1197: add     byte ptr [eax], al
0x1199: add     byte ptr [eax], al
0x119b: add     byte ptr [eax], al
0x119d: add     byte ptr [eax], al
0x119f: add     byte ptr [eax], al
0x11a1: add     byte ptr [eax], al
0x11a3: add     byte ptr [eax], al
0x11a5: add     byte ptr [eax], al
0x11a7: add     byte ptr [eax], al
0x11a9: add     byte ptr [eax], al
0x11ab: add     byte ptr [eax], al
0x11ad: add     byte ptr [eax], al
0x11af: add     byte ptr [eax], al
0x11b1: add     byte ptr [eax], al
0x11b3: add     byte ptr [eax], al
0x11b5: add     byte ptr [eax], al
0x11b7: add     byte ptr [eax], al
0x11b9: add     byte ptr [eax], al
0x11bb: add     byte ptr [eax], al
0x11bd: add     byte ptr [eax], al
0x11bf: add     byte ptr [eax], al
0x11c1: add     byte ptr [eax], al
0x11c3: add     byte ptr [eax], al
0x11c5: add     byte ptr [eax], al
0x11c7: add     byte ptr [eax], al
0x11c9: add     byte ptr [eax], al
0x11cb: add     byte ptr [eax], al
0x11cd: add     byte ptr [eax], al
0x11cf: add     byte ptr [eax], al
0x11d1: add     byte ptr [eax], al
0x11d3: add     byte ptr [eax], al
0x11d5: add     byte ptr [eax], al
0x11d7: add     byte ptr [eax], al
0x11d9: add     byte ptr [eax], al
0x11db: add     byte ptr [eax], al
0x11dd: add     byte ptr [eax], al
0x11df: add     byte ptr [eax], al
0x11e1: add     byte ptr [eax], al
0x11e3: add     byte ptr [eax], al
0x11e5: add     byte ptr [eax], al
0x11e7: add     byte ptr [eax], al
0x11e9: add     byte ptr [eax], al
0x11eb: add     byte ptr [eax], al
0x11ed: add     byte ptr [eax], al
0x11ef: add     byte ptr [eax], al
0x11f1: add     byte ptr [eax], al
0x11f3: add     byte ptr [eax], al
0x11f5: add     byte ptr [eax], al
0x11f7: add     byte ptr [eax], al
0x11f9: add     byte ptr [eax], al
0x11fb: add     byte ptr [eax], al
0x11fd: add     byte ptr [eax], al