 |
miasm
Reverse engineering framework
|
|
miasm
Reverse engineering framework
|
Classes | |
| class | libimp_pe |
Functions | |
| def | get_pe_dependencies (pe_obj) |
| def | get_import_address_pe (e) |
| def | preload_pe (vm, e, runtime_lib, patch_vm_imp=True) |
| def | is_redirected_export (pe_obj, addr) |
| def | get_export_name_addr_list (e) |
| def | vm_load_pe (vm, fdata, align_s=True, load_hdr=True, name="", winobjs=None, **kargs) |
| def | vm_load_pe_lib (vm, fname_in, libs, lib_path_base, **kargs) |
| def | vm_load_pe_libs (vm, libs_name, libs, lib_path_base, **kargs) |
| def | vm_fix_imports_pe_libs (lib_imgs, libs, lib_path_base, patch_vm_imp=True, **kargs) |
| def | vm2pe (myjit, fname, libs=None, e_orig=None, min_addr=None, max_addr=None, min_section_offset=0x1000, img_base=None, added_funcs=None, **kwargs) |
| def | vm_load_pe_and_dependencies (vm, fname, name2module, runtime_lib, lib_path_base, **kwargs) |
| def | guess_arch (pe) |
Variables | |
| log = logging.getLogger('loader_pe') | |
| hnd = logging.StreamHandler() | |
| dictionary | PE_machine |
| def miasm.jitter.loader.pe.get_export_name_addr_list | ( | e | ) |
Collect names/ordinals and addresses of symbols exported by the given PE.
@e: PE instance
Returns a list of tuples:
(symbol name string, virtual address)
(ordinal number, virtual address)
Example:
pe = miasm.analysis.binary.Container.from_string(buf)
exports = miasm.jitter.loader.pe.get_export_name_addr_list(pe.executable)
assert exports[0] == ('AcquireSRWLockExclusive', 0x6b89b22a)
| def miasm.jitter.loader.pe.get_import_address_pe | ( | e | ) |
Compute the addresses of imported symbols.
@e: pe object
Returns a dict mapping from tuple (dll name string, symbol name string) to set of virtual addresses.
Example:
pe = miasm.analysis.binary.Container.from_string(buf)
imports = miasm.jitter.loader.pe.get_import_address_pe(pe.executable)
assert imports[('api-ms-win-core-rtlsupport-l1-1-0.dll', 'RtlCaptureStackBackTrace')] == {0x6b88a6d0}
| def miasm.jitter.loader.pe.get_pe_dependencies | ( | pe_obj | ) |
Collect the shared libraries upon which this PE depends.
@pe_obj: pe object
Returns a set of strings of DLL names.
Example:
pe = miasm.analysis.binary.Container.from_string(buf)
deps = miasm.jitter.loader.pe.get_pe_dependencies(pe.executable)
assert sorted(deps)[0] == 'api-ms-win-core-appcompat-l1-1-0.dll'
| def miasm.jitter.loader.pe.guess_arch | ( | pe | ) |
Return the architecture specified by the PE container @pe. If unknown, return None
| def miasm.jitter.loader.pe.is_redirected_export | ( | pe_obj, | |
| addr | |||
| ) |
Test if the @addr is a forwarded export address. If so, return dllname/function name couple. If not, return False. An export address is a forwarded export if the rva is in the export directory of the pe. @pe_obj: PE instance @addr: virtual address of the function to test
| def miasm.jitter.loader.pe.preload_pe | ( | vm, | |
| e, | |||
| runtime_lib, | |||
patch_vm_imp = True |
|||
| ) |
| def miasm.jitter.loader.pe.vm2pe | ( | myjit, | |
| fname, | |||
libs = None, |
|||
e_orig = None, |
|||
min_addr = None, |
|||
max_addr = None, |
|||
min_section_offset = 0x1000, |
|||
img_base = None, |
|||
added_funcs = None, |
|||
| ** | kwargs | ||
| ) |
| def miasm.jitter.loader.pe.vm_fix_imports_pe_libs | ( | lib_imgs, | |
| libs, | |||
| lib_path_base, | |||
patch_vm_imp = True, |
|||
| ** | kargs | ||
| ) |
| def miasm.jitter.loader.pe.vm_load_pe | ( | vm, | |
| fdata, | |||
align_s = True, |
|||
load_hdr = True, |
|||
name = "", |
|||
winobjs = None, |
|||
| ** | kargs | ||
| ) |
Load a PE in memory (@vm) from a data buffer @fdata @vm: VmMngr instance @fdata: data buffer to parse @align_s: (optional) If False, keep gaps between section @load_hdr: (optional) If False, do not load the NThdr in memory Return the corresponding PE instance. Extra arguments are passed to PE instantiation. If all sections are aligned, they will be mapped on several different pages Otherwise, a big page is created, containing all sections
| def miasm.jitter.loader.pe.vm_load_pe_and_dependencies | ( | vm, | |
| fname, | |||
| name2module, | |||
| runtime_lib, | |||
| lib_path_base, | |||
| ** | kwargs | ||
| ) |
Load a binary and all its dependencies. Returns a dictionary containing the association between binaries names and it's pe object @vm: virtual memory manager instance @fname: full path of the binary @name2module: dict containing association between name and pe object. Updated. @runtime_lib: libimp instance @lib_path_base: directory of the libraries containing dependencies
| def miasm.jitter.loader.pe.vm_load_pe_lib | ( | vm, | |
| fname_in, | |||
| libs, | |||
| lib_path_base, | |||
| ** | kargs | ||
| ) |
Call vm_load_pe on @fname_in and update @libs accordingly @vm: VmMngr instance @fname_in: library name @libs: libimp_pe instance @lib_path_base: DLLs relative path Return the corresponding PE instance Extra arguments are passed to vm_load_pe
| def miasm.jitter.loader.pe.vm_load_pe_libs | ( | vm, | |
| libs_name, | |||
| libs, | |||
| lib_path_base, | |||
| ** | kargs | ||
| ) |
Call vm_load_pe_lib on each @libs_name filename @vm: VmMngr instance @libs_name: list of str @libs: libimp_pe instance @lib_path_base: (optional) DLLs relative path Return a dictionary Filename -> PE instances Extra arguments are passed to vm_load_pe_lib
| miasm.jitter.loader.pe.hnd = logging.StreamHandler() |
| miasm.jitter.loader.pe.log = logging.getLogger('loader_pe') |
1.8.20