
Wednesday, August 23, 2023

Python 3.11.0 : Testing PE executable files x64 with capstone and pefile python modules.

You need to install the capstone python module.
pip install capstone --user
Collecting capstone
  Obtaining dependency information for capstone from
  Downloading capstone-5.0.1-py3-none-win_amd64.whl.metadata (3.5 kB)
Downloading capstone-5.0.1-py3-none-win_amd64.whl (1.3 MB)
   ---------------------------------------- 1.3/1.3 MB 1.6 MB/s eta 0:00:00
Installing collected packages: capstone
Successfully installed capstone-5.0.1
You need to install the pefile.
pip install pefile --user
Collecting pefile
  Downloading pefile-2023.2.7-py3-none-any.whl (71 kB)
     ---------------------------------------- 71.8/71.8 kB 564.7 kB/s eta 0:00:00
Installing collected packages: pefile
Successfully installed pefile-2023.2.7
I used an old simple PE64 executable create with fasm tool from this source code:
format PE64 GUI 5.0
entry start
include 'INCLUDE\'
section '.text' code readable executable
        push    rbp
        invoke  GetModuleHandle,0
        invoke  DialogBoxParam,rax,37,HWND_DESKTOP,DialogProc,0
        invoke  ExitProcess,0
proc DialogProc uses rbx rsi rdi,hWnd,wMsg,wParam,lParam
        mov             [hWnd],rcx
        mov             [wMsg],rdx
        mov             [wParam],r8
        mov             [lParam],r9

        cmp     [wMsg],WM_COMMAND
        je      wmcommand
        cmp     [wMsg],WM_CLOSE
        je      wmclose
        cmp     [wMsg],WM_SYSCOMMAND
        je      wmsyscommand
        xor     rax,rax
        jmp     finish
        cmp     [wParam],SC_RESTORE
        je      sc_restore
        invoke  DefWindowProc,[hWnd],[wMsg],[wParam],[lParam]
        invoke  AnimateWindow,[hWnd],DWORD 1000,0x00040004      ;HERE IT IS
        invoke  ShowWindow,[hWnd],SW_RESTORE
        mov     rax,1
        cmp     [wParam],BN_CLICKED shl 16 + IDOK
        jne     processed
        invoke  ShowWindow,[hWnd],SW_MINIMIZE
        invoke  EndDialog,[hWnd],0
        mov     rax,1
        ret ; this no need and use cmp to get error
;        cmp rax,0
;        je show_error
;        show_error:
;        invoke  GetLastError ;must call this first and save the result before doing anything else
;        invoke  wsprintf,...
;        invoke  MessageBox,...
section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
  import kernel,\
  import user,\
section '.rsrc' resource data readable
  directory RT_DIALOG,dialogs
  resource dialogs,\
  dialog demonstration,'Create message box',70,70,190,175,WS_CAPTION+WS_POPUP+WS_SYSMENU+DS_MODALFRAME
This is the source code for python script:
import pefile
from capstone import *

exe_file = 'test_001_no_err_imp.EXE'
pe = pefile.PE(exe_file)

# find text section
offset = False
for section in pe.sections:
    if section.Name == b'.text\x00\x00\x00':
        offset = section.VirtualAddress
        codePtr = section.PointerToRawData
        codeEndPtr = codePtr+section.SizeOfRawData

code = pe.get_memory_mapped_image()[codePtr:codeEndPtr]

# start disassembling text section
md = Cs(CS_ARCH_X86, CS_MODE_32)
md.detail = True
if offset:
    for i in md.disasm(code, offset):
        print('0x%x:\t%s\t%s' % (i.address, i.mnemonic, i.op_str))
This is the result:
0x1000: push    ebp
0x1001: dec     eax
0x1002: sub     esp, 0x20
0x1005: dec     eax
0x1006: mov     ecx, 0
0x100c: call    dword ptr [0x105e]
0x1012: dec     eax
0x1013: add     esp, 0x20
0x1016: dec     eax
0x1017: sub     esp, 0x30
0x101a: dec     eax
0x101b: mov     ecx, eax
0x101d: dec     eax
0x101e: mov     edx, 0x25
0x1024: dec     ecx
0x1025: mov     eax, 0
0x102b: dec     ecx
0x102c: mov     ecx, 0x40105a
0x1032: dec     eax
0x1033: mov     dword ptr [esp + 0x20], 0
0x103b: call    dword ptr [0x109f]
0x1041: dec     eax
0x1042: add     esp, 0x30
0x1045: dec     eax
0x1046: sub     esp, 0x20
0x1049: dec     eax
0x104a: mov     ecx, 0
0x1050: call    dword ptr [0x1022]
0x1056: dec     eax
0x1057: add     esp, 0x20
0x105a: push    ebp
0x105b: dec     eax
0x105c: mov     ebp, esp
0x105e: dec     eax
0x105f: sub     esp, 8
0x1062: push    ebx
0x1063: push    esi
0x1064: push    edi
0x1065: dec     eax
0x1066: mov     dword ptr [ebp + 0x10], ecx
0x1069: dec     eax
0x106a: mov     dword ptr [ebp + 0x18], edx
0x106d: dec     esp
0x106e: mov     dword ptr [ebp + 0x20], eax
0x1071: dec     esp
0x1072: mov     dword ptr [ebp + 0x28], ecx
0x1075: dec     eax
0x1076: cmp     dword ptr [ebp + 0x18], 0x111
0x107d: je      0x1110
0x1083: dec     eax
0x1084: cmp     dword ptr [ebp + 0x18], 0x10
0x1088: je      0x1135
0x108e: dec     eax
0x108f: cmp     dword ptr [ebp + 0x18], 0x112
0x1096: je      0x10a0
0x1098: dec     eax
0x1099: xor     eax, eax
0x109b: jmp     0x115a
0x10a0: dec     eax
0x10a1: cmp     dword ptr [ebp + 0x20], 0xf120
0x10a8: je      0x10cd
0x10aa: dec     eax
0x10ab: sub     esp, 0x20
0x10ae: dec     eax
0x10af: mov     ecx, dword ptr [ebp + 0x10]
0x10b2: dec     eax
0x10b3: mov     edx, dword ptr [ebp + 0x18]
0x10b6: dec     esp
0x10b7: mov     eax, dword ptr [ebp + 0x20]
0x10ba: dec     esp
0x10bb: mov     ecx, dword ptr [ebp + 0x28]
0x10be: call    dword ptr [0x1024]
0x10c4: dec     eax
0x10c5: add     esp, 0x20
0x10c8: pop     edi
0x10c9: pop     esi
0x10ca: pop     ebx
0x10cb: leave
0x10cc: ret
0x10cd: dec     eax
0x10ce: sub     esp, 0x20
0x10d1: dec     eax
0x10d2: mov     ecx, dword ptr [ebp + 0x10]
0x10d5: mov     edx, 0x3e8
0x10da: dec     ecx
0x10db: mov     eax, 0x40004
0x10e1: call    dword ptr [0x1011]
0x10e7: dec     eax
0x10e8: add     esp, 0x20
0x10eb: dec     eax
0x10ec: sub     esp, 0x20
0x10ef: dec     eax
0x10f0: mov     ecx, dword ptr [ebp + 0x10]
0x10f3: dec     eax
0x10f4: mov     edx, 9
0x10fa: call    dword ptr [0x1000]
0x1100: dec     eax
0x1101: add     esp, 0x20
0x1104: dec     eax
0x1105: mov     eax, 1
0x110b: pop     edi
0x110c: pop     esi
0x110d: pop     ebx
0x110e: leave
0x110f: ret
0x1110: dec     eax
0x1111: cmp     dword ptr [ebp + 0x20], 1
0x1115: jne     0x114e
0x1117: dec     eax
0x1118: sub     esp, 0x20
0x111b: dec     eax
0x111c: mov     ecx, dword ptr [ebp + 0x10]
0x111f: dec     eax
0x1120: mov     edx, 6
0x1126: call    dword ptr [0xfd4]
0x112c: dec     eax
0x112d: add     esp, 0x20
0x1130: pop     edi
0x1131: pop     esi
0x1132: pop     ebx
0x1133: leave
0x1134: ret
0x1135: dec     eax
0x1136: sub     esp, 0x20
0x1139: dec     eax
0x113a: mov     ecx, dword ptr [ebp + 0x10]
0x113d: dec     eax
0x113e: mov     edx, 0
0x1144: call    dword ptr [0xfa6]
0x114a: dec     eax
0x114b: add     esp, 0x20
0x114e: dec     eax
0x114f: mov     eax, 1
0x1155: pop     edi
0x1156: pop     esi
0x1157: pop     ebx
0x1158: leave
0x1159: ret
0x115a: pop     edi
0x115b: pop     esi
0x115c: pop     ebx
0x115d: leave
0x115e: ret
0x115f: add     byte ptr [eax], al
0x1161: add     byte ptr [eax], al
0x1163: add     byte ptr [eax], al
0x1165: add     byte ptr [eax], al
0x1167: add     byte ptr [eax], al
0x1169: add     byte ptr [eax], al
0x116b: add     byte ptr [eax], al
0x116d: add     byte ptr [eax], al
0x116f: add     byte ptr [eax], al
0x1171: add     byte ptr [eax], al
0x1173: add     byte ptr [eax], al
0x1175: add     byte ptr [eax], al
0x1177: add     byte ptr [eax], al
0x1179: add     byte ptr [eax], al
0x117b: add     byte ptr [eax], al
0x117d: add     byte ptr [eax], al
0x117f: add     byte ptr [eax], al
0x1181: add     byte ptr [eax], al
0x1183: add     byte ptr [eax], al
0x1185: add     byte ptr [eax], al
0x1187: add     byte ptr [eax], al
0x1189: add     byte ptr [eax], al
0x118b: add     byte ptr [eax], al
0x118d: add     byte ptr [eax], al
0x118f: add     byte ptr [eax], al
0x1191: add     byte ptr [eax], al
0x1193: add     byte ptr [eax], al
0x1195: add     byte ptr [eax], al
0x1197: add     byte ptr [eax], al
0x1199: add     byte ptr [eax], al
0x119b: add     byte ptr [eax], al
0x119d: add     byte ptr [eax], al
0x119f: add     byte ptr [eax], al
0x11a1: add     byte ptr [eax], al
0x11a3: add     byte ptr [eax], al
0x11a5: add     byte ptr [eax], al
0x11a7: add     byte ptr [eax], al
0x11a9: add     byte ptr [eax], al
0x11ab: add     byte ptr [eax], al
0x11ad: add     byte ptr [eax], al
0x11af: add     byte ptr [eax], al
0x11b1: add     byte ptr [eax], al
0x11b3: add     byte ptr [eax], al
0x11b5: add     byte ptr [eax], al
0x11b7: add     byte ptr [eax], al
0x11b9: add     byte ptr [eax], al
0x11bb: add     byte ptr [eax], al
0x11bd: add     byte ptr [eax], al
0x11bf: add     byte ptr [eax], al
0x11c1: add     byte ptr [eax], al
0x11c3: add     byte ptr [eax], al
0x11c5: add     byte ptr [eax], al
0x11c7: add     byte ptr [eax], al
0x11c9: add     byte ptr [eax], al
0x11cb: add     byte ptr [eax], al
0x11cd: add     byte ptr [eax], al
0x11cf: add     byte ptr [eax], al
0x11d1: add     byte ptr [eax], al
0x11d3: add     byte ptr [eax], al
0x11d5: add     byte ptr [eax], al
0x11d7: add     byte ptr [eax], al
0x11d9: add     byte ptr [eax], al
0x11db: add     byte ptr [eax], al
0x11dd: add     byte ptr [eax], al
0x11df: add     byte ptr [eax], al
0x11e1: add     byte ptr [eax], al
0x11e3: add     byte ptr [eax], al
0x11e5: add     byte ptr [eax], al
0x11e7: add     byte ptr [eax], al
0x11e9: add     byte ptr [eax], al
0x11eb: add     byte ptr [eax], al
0x11ed: add     byte ptr [eax], al
0x11ef: add     byte ptr [eax], al
0x11f1: add     byte ptr [eax], al
0x11f3: add     byte ptr [eax], al
0x11f5: add     byte ptr [eax], al
0x11f7: add     byte ptr [eax], al
0x11f9: add     byte ptr [eax], al
0x11fb: add     byte ptr [eax], al
0x11fd: add     byte ptr [eax], al