File tree 2 files changed +23
-0
lines changed
2 files changed +23
-0
lines changed Original file line number Diff line number Diff line change 1+ #!/usr/bin/python
2+
3+ import pefile
4+ from capstone import *
5+
6+ # load the target PE file
7+ pe = pefile .PE ("IRCBot.exe" )
8+
9+ # get the address of the program entry point from the program header
10+ entrypoint = pe .OPTIONAL_HEADER .AddressOfEntryPoint
11+
12+ # compute memory address where the entry code will be loaded into memory
13+ entrypoint_address = entrypoint + pe .OPTIONAL_HEADER .ImageBase
14+
15+ # get the binary code from the PE file object
16+ binary_code = pe .get_memory_mapped_image ()[entrypoint :entrypoint + 100 ]
17+
18+ # initialize disassembler to disassemble 32 bit x86 binary code
19+ disassembler = Cs (CS_ARCH_X86 , CS_MODE_32 )
20+
21+ # disassemble the code
22+ for instruction in disassembler .disasm (binary_code , entrypoint_address ):
23+ print "%s\t %s" % (instruction .mnemonic , instruction .op_str )
You can’t perform that action at this time.
0 commit comments