PEfile with Capstone
Next, we use the Capstone disassembler to turn the code bytes we extracted with pefile into assembly listings.
As usual, we start by importing the required modules. Here, these are capstone and pefile. We read the entry point RVA from the optional header, slice the memory-mapped image from that point, and hand the bytes to Capstone with the entry point's virtual address (ImageBase + RVA) as the base, so the printed addresses match what a debugger would show:

```python
from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
import pefile

pe = pefile.PE('md5sum.exe')

# RVA of the first instruction, taken from IMAGE_OPTIONAL_HEADER
entry_point = pe.OPTIONAL_HEADER.AddressOfEntryPoint

# Lay the sections out as they would be in memory, then slice from the entry point onward
data = pe.get_memory_mapped_image()[entry_point:]

# Pick 32- or 64-bit decoding from the optional header magic (PE32 vs PE32+)
mode = CS_MODE_64 if pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS else CS_MODE_32
cs = Cs(CS_ARCH_X86, mode)

# Disassemble with the entry point's virtual address as the base
for i in cs.disasm(data, pe.OPTIONAL_HEADER.ImageBase + entry_point):
    print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))
```
The AddressOfEntryPoint field of IMAGE_OPTIONAL_HEADER is a relative virtual address (RVA): the offset of the entry point function from the image base once the file is loaded, not an offset into the file on disk. That is why the code above slices pe.get_memory_mapped_image(), which arranges the sections at their virtual addresses, rather than the raw file contents. For an executable, this is the exact point where execution begins when the loader transfers control: in practice the compiler's runtime startup code, which runs before main. ...
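To make the RVA-versus-file-offset distinction concrete, here is an added example (not code from the book) that does by hand what pefile does for you: it reads e_lfanew, the COFF header, the optional header (PE32 or PE32+) and the section table with the standard library's struct module, translates AddressOfEntryPoint into a file offset through the section table, and returns the entry bytes together with their virtual address. The PE it parses is a constructed minimal PE32 built in build_sample_pe, not a real binary; the entry point holds a short stub (push ebp; mov ebp, esp; xor eax, eax; pop ebp; ret). If Capstone is installed, disassemble_entry feeds those bytes to it exactly as the book's snippet does; otherwise it returns None.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # IMAGE_OPTIONAL_HEADER.Magic values


def parse_pe(data):
    """Read just enough of the headers to locate the entry point and map RVAs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint: an RVA
    if magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", data, opt + 28)  # 4-byte ImageBase after BaseOfData
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", data, opt + 24)  # 8-byte ImageBase, no BaseOfData
        bits = 64
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        # Simplification: treat the larger of VirtualSize/SizeOfRawData as the section's extent
        sections.append((name.rstrip(b"\0"), va, max(vsize, rawsize), rawptr))
    return {"machine": machine, "bits": bits, "image_base": image_base,
            "entry_point": entry, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table (what get_memory_mapped_image hides)."""
    for _name, va, size, rawptr in pe["sections"]:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)  # e.g. a bogus or packed entry point


def entry_code(data, nbytes=16):
    """Return the first nbytes of code at the entry point, read from the file on disk."""
    pe = parse_pe(data)
    off = rva_to_offset(pe, pe["entry_point"])
    return data[off:off + nbytes]


def entry_va(data):
    """Virtual address of the entry point: ImageBase + AddressOfEntryPoint."""
    pe = parse_pe(data)
    return pe["image_base"] + pe["entry_point"]


def disassemble_entry(data, nbytes=16):
    """Hand the entry bytes to Capstone if it is installed; returns None otherwise."""
    try:
        from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
    except ImportError:
        return None
    pe = parse_pe(data)
    cs = Cs(CS_ARCH_X86, CS_MODE_64 if pe["bits"] == 64 else CS_MODE_32)
    return [(i.address, i.mnemonic, i.op_str) for i in cs.disasm(entry_code(data, nbytes), entry_va(data))]


def build_sample_pe():
    """Constructed minimal PE32 for this example (one .text section, not a real program)."""
    code = bytes.fromhex("558bec33c05dc3")  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
    text_rva, text_raw, entry_off = 0x1000, 0x200, 0x10
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 0, 0, len(code), 0, 0,
                      text_rva + entry_off, text_rva, 0x2000, 0x400000)
    opt += struct.pack("<II", 0x1000, 0x200)  # SectionAlignment, FileAlignment
    opt = opt.ljust(224, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x40, text_rva, 0x200, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(text_raw, b"\0")
    text = (b"\0" * entry_off + code).ljust(0x200, b"\0")
    return headers + text


if __name__ == "__main__":
    sample = build_sample_pe()
    print("entry VA 0x%x, file offset 0x%x" % (entry_va(sample), rva_to_offset(parse_pe(sample), parse_pe(sample)["entry_point"])))
    print(entry_code(sample, 7).hex())
    for addr, mnem, ops in disassemble_entry(sample, 7) or []:
        print("0x%x:\t%s\t%s" % (addr, mnem, ops))
```

The ValueError in rva_to_offset is the check worth keeping in mind for real samples: packers and hand-edited headers routinely point AddressOfEntryPoint outside any section or into a section that is not marked executable, and pefile will happily slice the mapped image at that RVA without complaint.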